Oracle Cloud Infrastructure Documentation

Cisco ASA: Route-Based

Cisco ASA versions 9.7.1 and newer support route-based configuration, which is the recommended method to avoid interoperability issues. If you have an earlier version of software, see either Cisco ASA: Policy-Based Without VPN Filters or Cisco ASA: Policy-Based with VPN Filters.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also known as a proxy ID, security parameter index (SPI), or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value: 129.146.12.52

${sharedSecret#}

  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpePublicIpAddress}

  • The public IP address for the CPE (previously made available to Oracle via the Console). This is the IP address of your outside interface.
  • Example Value: 1.2.3.4

Additional Configuration Parameters

The Cisco ASA config requires the following additional variables:

${vcnID}

  • A UUID string used to uniquely name some access-lists and object-groups (can also use any other string that does not create a name that conflicts with an existing object-group or access-list).
  • Example: oracle-vcn-1

${VcnCidrBlock}

  • When creating the VCN, your company selected this CIDR to represent the IP aggregate network for all VCN hosts.
  • Example Value: 10.0.0.0/20

${VcnCidrNetwork} and ${VcnCidrNetmask}

  • These are the base address and dotted-decimal netmask that correspond to the ${VcnCidrBlock} prefix length.
  • For more information, see: Wikipedia reference for finding CidrNetmask
  • Values based on the preceding example ${VcnCidrBlock}:
    • ${VcnCidrNetwork}: 10.0.0.0
    • ${VcnCidrNetmask}: 255.255.0.0

Parameters Discovered from CPE Configuration

The following parameters are based on your current CPE Configuration.

${outsideInterface}

  • This is the interface that faces outside of your CPE.
  • The outside interface should be able to ping the Oracle VPN headend IPs.

${CpeInsideTunnelIpAddressWithMask#} and ${OracleInsideTunnelIPAddress#}

These two variables are a pair of IP addresses that you allocate for a given tunnel (one IP address for each end of the tunnel). As shown in the following table, you allocate one pair of addresses per tunnel you configure. The variable for the CPE side of the tunnel includes the mask.

Tunnel     CPE Side of Tunnel                        Oracle Side of Tunnel
Tunnel 1   ${CpeInsideTunnelIpAddressWithMask1}      ${OracleInsideTunnelIPAddress1}
           Example: 192.168.1.1 255.255.255.252      Example: 192.168.1.2
Tunnel 2   ${CpeInsideTunnelIpAddressWithMask2}      ${OracleInsideTunnelIPAddress2}
           Example: 192.168.1.5 255.255.255.252      Example: 192.168.1.6

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The following table allows you to set up multiple tunnels on your CPE, each to a corresponding headend. In the table, "User" is you/your company.

Parameter                              Source             Example Value
${ipAddress1}                          Console/API        129.146.12.52
${sharedSecret1}                       Console/API        (long string)
${ipAddress2}                          Console/API        129.146.13.52
${sharedSecret2}                       Console/API        (long string)
${cpePublicIpAddress}                  User               1.2.3.4
${vcnID}                               Console/API/User   1
${VcnCidrBlock}                        User               10.0.0.0/16
${VcnCidrNetwork}                      User               10.0.0.0
${VcnCidrNetmask}                      User               255.255.0.0
${outsideInterface}                    User CPE           Vlan101
${outsideInterfaceName}                User CPE           outside
${CpeInsideTunnelIpAddressWithMask1}   User CPE           192.168.1.1 255.255.255.252
${CpeInsideTunnelIpAddressWithMask2}   User CPE           192.168.1.5 255.255.255.252
${OracleInsideTunnelIPAddress1}        User CPE           192.168.1.2
${OracleInsideTunnelIPAddress2}        User CPE           192.168.1.6
${tunnelInterfaceName1}                User CPE           tunnel1
${tunnelInterfaceName2}                User CPE           tunnel2

Important

The following ISAKMP and IPSec policy parameter values are applicable to VPN Connect in the commercial cloud. For the Government Cloud, you must use the values listed in Required VPN Connect Parameters for the Government Cloud.

Commercial Cloud: ISAKMP Policy Options

Commercial Cloud: IPSec Policy Options

CPE Configuration

IKE and IPSec Policy Configuration

crypto ikev1 enable ${outsideInterfaceName}

crypto ikev1 policy 1
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 28800

crypto ipsec ikev1 transform-set oracle-vcn-transform esp-aes-256 esp-sha-hmac

crypto ipsec profile oracle-vcn-vpn-policy
  set ikev1 transform-set oracle-vcn-transform
  set pfs group5
  set security-association lifetime seconds 3600

Tunnel Group Configuration

tunnel-group ${ipAddress1} type ipsec-l2l
tunnel-group ${ipAddress1} ipsec-attributes
  ikev1 pre-shared-key ${sharedSecret1}

tunnel-group ${ipAddress2} type ipsec-l2l
tunnel-group ${ipAddress2} ipsec-attributes
  ikev1 pre-shared-key ${sharedSecret2}

VTI Interface Configuration

interface ${tunnelInterfaceName1}
  nameif ORACLE-VPN1
  ip address ${CpeInsideTunnelIpAddressWithMask1}
  tunnel source interface ${outsideInterfaceName}
  tunnel destination ${ipAddress1}
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile oracle-vcn-vpn-policy

interface ${tunnelInterfaceName2}
  nameif ORACLE-VPN2
  ip address ${CpeInsideTunnelIpAddressWithMask2}
  tunnel source interface ${outsideInterfaceName}
  tunnel destination ${ipAddress2}
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile oracle-vcn-vpn-policy

Static Route Configuration

route ORACLE-VPN1 ${VcnCidrNetwork} ${VcnCidrNetmask} ${OracleInsideTunnelIPAddress1} 1 track 1
route ORACLE-VPN2 ${VcnCidrNetwork} ${VcnCidrNetmask} ${OracleInsideTunnelIPAddress2} 100

Configuration for Tunnel Failover

sla monitor 10
  type echo protocol ipIcmpEcho ${ipAddress1} interface ${outsideInterfaceName}
  frequency 5
sla monitor schedule 10 life forever start-time now

track 1 rtr 10 reachability
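The following Python script is an added example, not part of Oracle's page or of the ASA template: it derives ${VcnCidrNetwork} and ${VcnCidrNetmask} from ${VcnCidrBlock}, checks that each ${CpeInsideTunnelIpAddressWithMask#} / ${OracleInsideTunnelIPAddress#} pair really is the two hosts of one /30, and renders the two static routes with the tunnel-1 route tied to track object 1. The function names are my own; the sample values are the page's example values.

```python
import ipaddress

# Added example (not Oracle's code): sanity-check the template parameters
# before pasting them into the ASA configuration.


def vcn_network_and_netmask(vcn_cidr_block: str) -> tuple[str, str]:
    """Split a CIDR block such as 10.0.0.0/16 into the base address and the
    dotted-decimal netmask. strict=True rejects a block whose host bits are
    set (e.g. 10.0.1.0/16), which would otherwise silently widen the route."""
    net = ipaddress.IPv4Network(vcn_cidr_block, strict=True)
    return str(net.network_address), str(net.netmask)


def check_inside_tunnel_pair(cpe_with_mask: str, oracle_ip: str) -> bool:
    """True when the CPE side (ASA style 'address netmask') and the Oracle side
    are exactly the two usable hosts of the same /30 point-to-point subnet."""
    cpe_addr, mask = cpe_with_mask.split()
    iface = ipaddress.IPv4Interface(f"{cpe_addr}/{mask}")
    if iface.network.prefixlen != 30:
        return False
    usable = set(iface.network.hosts())  # the two host addresses of a /30
    return {iface.ip, ipaddress.IPv4Address(oracle_ip)} == usable


def render_static_routes(vcn_cidr_block: str, oracle_ips: list[str]) -> list[str]:
    """Render the ASA 'route' lines: tunnel 1 is preferred (metric 1, withdrawn
    when track object 1 reports the headend unreachable), tunnel 2 is the
    backup with metric 100. nameif values follow the template (ORACLE-VPN#)."""
    network, netmask = vcn_network_and_netmask(vcn_cidr_block)
    lines = []
    for n, gateway in enumerate(oracle_ips, start=1):
        metric, track = (1, " track 1") if n == 1 else (100, "")
        lines.append(f"route ORACLE-VPN{n} {network} {netmask} {gateway} {metric}{track}")
    return lines


if __name__ == "__main__":
    # Constructed input: the page's own example values.
    pairs = [("192.168.1.1 255.255.255.252", "192.168.1.2"),
             ("192.168.1.5 255.255.255.252", "192.168.1.6")]
    for cpe, oracle in pairs:
        assert check_inside_tunnel_pair(cpe, oracle), f"bad /30 pair: {cpe} / {oracle}"
    for line in render_static_routes("10.0.0.0/16", [o for _, o in pairs]):
        print(line)
```

Running vcn_network_and_netmask on both example blocks from the page shows the difference that matters: 10.0.0.0/16 gives 255.255.0.0, while 10.0.0.0/20 gives 255.255.240.0.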

Other Important Device Configuration

  • Ensure NAT is disabled for VPN traffic.
  • Ensure access-lists on the ASA are configured correctly.
  • If you have multiple tunnels up simultaneously, ensure your ASA is configured to handle traffic coming from your VCN/Oracle on any of the tunnels, even if one is active and the other is backup. For example, you need to disable ICMP inspection, configure TCP state bypass, and so on. For more details about the appropriate configuration, contact Cisco support.

Warning

Do not use the originate-only option with an Oracle IPSec VPN tunnel. It causes the tunnel's traffic to be inconsistently blackholed. The command is only for tunnels between two Cisco devices. Here's an example of the command that you should NOT use for the Oracle IPSec VPN tunnels:

crypto map <map name> <sequence number> set connection-type originate-only