Oracle Cloud Infrastructure Documentation

Cisco IOS

This configuration was validated using a Cisco 2921 running Cisco IOS Version 15.4(3)M3.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also known as a proxy ID, security parameter index (SPI), or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value: 129.146.12.52

${sharedSecret#}

  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpePublicIpAddress}

  • The public IP address for the CPE (previously made available to Oracle via the Console).

${VcnCidrBlock}

  • When creating the VCN, your company selected this CIDR to represent the IP aggregate network for all VCN hosts.
  • Example Value: 10.0.0.0/20

Parameters Based on Current CPE Configuration and State

The following parameters need to be discovered by examining your CPE's current configuration and finding valid parameter values that do not overlap with the current CPE configuration.

${tunnelNumber#} - one per tunnel

  • Cisco IOS uses Tunnel interfaces as Virtual Tunnel Interfaces (VTI) for route-based IPSec tunnels.
  • Command to find value: show run | inc interface Tunnel
  • You will need one unused unit number per tunnel.
  • Example Values: 1, 2

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The template below will allow setting up multiple tunnels on your CPE, each to a corresponding headend. In the table below, "User" is you/your company.

Parameter              Source       Example Value
${ipAddress1}          Console/API  129.146.12.52
${sharedSecret1}       Console/API  (long string)
${ipAddress2}          Console/API  129.146.13.52
${sharedSecret2}       Console/API  (long string)
${cpePublicIpAddress}  User         1.2.3.4
${tunnelNumber1}       User         1
${tunnelNumber2}       User         2
${VcnCidrBlock}        User         10.0.0.0/16

Important

The following ISAKMP and IPSec policy parameter values are applicable to VPN Connect in the commercial cloud. For the Government Cloud, you must use the values listed in Required VPN Connect Parameters for the Government Cloud.

ISAKMP Policy Options

IPSec Policy Options

CPE Configuration

Pre-shared-key Configuration

Add the pre-shared-keys to your configuration:

crypto keyring oracle-vpn-${ipAddress1}
  local-address ${cpePublicIpAddress}
  pre-shared-key address ${ipAddress1} key ${sharedSecret1}
crypto keyring oracle-vpn-${ipAddress2}
  local-address ${cpePublicIpAddress}
  pre-shared-key address ${ipAddress2} key ${sharedSecret2}

Configure Basic ISAKMP Options

The following options are optional:

crypto logging session
crypto isakmp fragmentation
crypto isakmp keepalive 10 10
crypto ipsec df-bit clear
crypto ipsec security-association replay window-size 128

Configure Base ISAKMP and IPSec Policies

crypto isakmp policy 1
 encr aes 256
 hash sha384
 authentication pre-share
 group 5
 lifetime 28800
crypto ipsec transform-set oracle_vpn_transform esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile oracle_vpn
 set security-association dfbit clear
 set transform-set oracle_vpn_transform
 set pfs group5

Configure ISAKMP and IPSec Peers

crypto isakmp profile oracle_vpn_${ipAddress1}
   keyring oracle-vpn-${ipAddress1}
   self-identity address
   match identity address ${ipAddress1} 255.255.255.255
   keepalive 10 retry 10
crypto isakmp profile oracle_vpn_${ipAddress2}
   keyring oracle-vpn-${ipAddress2}
   self-identity address
   match identity address ${ipAddress2} 255.255.255.255
   keepalive 10 retry 10

Configure Virtual Tunnel Interfaces

interface Tunnel${tunnelNumber1}
 ip tcp adjust-mss 1387
 tunnel source ${cpePublicIpAddress}
 tunnel mode ipsec ipv4
 tunnel destination ${ipAddress1}
 tunnel protection ipsec profile oracle_vpn
!
interface Tunnel${tunnelNumber2}
 ip tcp adjust-mss 1387
 tunnel source ${cpePublicIpAddress}
 tunnel mode ipsec ipv4
 tunnel destination ${ipAddress2}
 tunnel protection ipsec profile oracle_vpn

Update Any Internet Facing Access List to Allow IPSec and ISAKMP Packets

For the tunnels to come up, you need to permit UDP port 500 (ISAKMP) and the ESP protocol inbound on the interface that carries your CPE public IP address. Example:

interface GigabitEthernet0/1
 description INTERNET
 ip address ${cpePublicIpAddress} 255.255.255.252
 ip access-group INTERNET-INGRESS in
 duplex auto
 speed auto
!

ip access-list extended INTERNET-INGRESS
 permit udp host ${ipAddress1} host ${cpePublicIpAddress} eq isakmp
 permit esp host ${ipAddress1} host ${cpePublicIpAddress}
 permit udp host ${ipAddress2} host ${cpePublicIpAddress} eq isakmp
 permit esp host ${ipAddress2} host ${cpePublicIpAddress}
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable

CPE to VCN Static Routes

Static routes are required to send traffic through the IPSec tunnels. The routes point down the tunnel interfaces; if an IPSec tunnel is down, the Cisco router stops using that route. Redistribute these routes into your on-premises network. Note that the ip route command takes a network address and a dotted-decimal mask, so the mask must match the prefix length of ${VcnCidrBlock} (255.255.0.0 for the 10.0.0.0/16 example value).

ip route ${VcnCidrBlock} 255.255.0.0 Tunnel${tunnelNumber1}
ip route ${VcnCidrBlock} 255.255.0.0 Tunnel${tunnelNumber2}
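As an added example (not part of Oracle's documentation and not a Cisco tool), the following Python helper performs the discovery and derivation steps above: it parses constructed "show run | inc interface Tunnel" output to pick unused ${tunnelNumber#} values, converts ${VcnCidrBlock} into the network/mask form that ip route requires, and renders the VTI and static-route lines. The sample show-run output and all IP addresses are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample of "show run | inc interface Tunnel" output from the CPE.
SHOW_RUN_TUNNELS = """interface Tunnel0
interface Tunnel1
interface Tunnel5
"""


def used_tunnel_numbers(show_run_output):
    """Return the Tunnel unit numbers already present in the running config."""
    return {int(n) for n in re.findall(r"^interface Tunnel(\d+)\s*$", show_run_output, re.M)}


def pick_tunnel_numbers(show_run_output, count=2):
    """Pick the `count` lowest unused unit numbers, one per Oracle headend."""
    used = used_tunnel_numbers(show_run_output)
    chosen, candidate = [], 0
    while len(chosen) < count:
        if candidate not in used:
            chosen.append(candidate)
        candidate += 1
    return chosen


def tunnel_interface(unit, cpe_public_ip, headend_ip, mss=1387):
    """Render one VTI. adjust-mss goes on every tunnel: Oracle routes
    asymmetrically, so either tunnel may carry traffic from the VCN."""
    return "\n".join([
        f"interface Tunnel{unit}",
        f" ip tcp adjust-mss {mss}",
        f" tunnel source {cpe_public_ip}",
        " tunnel mode ipsec ipv4",
        f" tunnel destination {headend_ip}",
        " tunnel protection ipsec profile oracle_vpn",
    ])


def static_routes(vcn_cidr, tunnel_numbers):
    """Render ip route lines. IOS wants network + dotted mask, not CIDR, so
    derive both from the VCN CIDR; strict=True rejects a value with host
    bits set (e.g. 10.0.1.0/16) instead of silently installing a wrong route."""
    net = ipaddress.ip_network(vcn_cidr, strict=True)
    return [f"ip route {net.network_address} {net.netmask} Tunnel{t}" for t in tunnel_numbers]


if __name__ == "__main__":
    units = pick_tunnel_numbers(SHOW_RUN_TUNNELS)
    for unit, headend in zip(units, ["129.146.12.52", "129.146.13.52"]):
        print(tunnel_interface(unit, "1.2.3.4", headend), "\n!")
    print("\n".join(static_routes("10.0.0.0/16", units)))
```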