Oracle Cloud Infrastructure Documentation

FortiGate

This configuration was validated using a FortiGate-VM running v5.4.1,build1064 (GA).

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value: 129.146.12.52

${sharedSecret#}

  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpePublicIpAddress}

  • The public IP address for the CPE (previously made available to Oracle via the Console).

${VcnCidrBlock}

  • When creating the VCN, your company selected this CIDR to represent the IP aggregate network for all VCN hosts.
  • Example Value: 10.0.0.0/20

Parameters Based on Current CPE Configuration and State

Determine the following parameters by examining your CPE's current configuration and choosing values that do not conflict with what is already configured on it.

${cpePublicInterface}

  • The name of the FortiGate interface where the CPE IP address is configured.
  • Example value: ge-0/0/1.0

${policyId#}

  • Index integers, must be unique per rule.
  • Requires two per IPSecConnection tunnel.
  • Example below for two tunnels requires four unique policyId numbers.
  • Example value: 101

Additional Configuration Parameters

The Fortinet config requires the following additional variables:

${VcnId}

  • A string used to uniquely name the firewall address objects and address groups created below (any other string works, as long as the resulting names do not conflict with an existing address object or group).
  • Example: oracle-vcn-1

${VcnCidrNetwork} and ${VcnCidrNetmask}

  • These are the base (network) address and netmask of your VCN CIDR block.
  • For more information, see: Wikipedia reference for finding CidrNetmask
  • Values based on the example ${VcnCidrBlock} shown above:
    • ${VcnCidrNetwork}: 10.0.0.0
    • ${VcnCidrNetmask}: 255.255.0.0

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The template below will allow setting up multiple tunnels on your CPE, each to a corresponding headend. In the table below, "User" is you/your company.

Parameter               Source         Example Value
${ipAddress1}           Console/API    129.146.12.52
${sharedSecret1}        Console/API    (long string)
${ipAddress2}           Console/API    129.146.13.52
${sharedSecret2}        Console/API    (long string)
${cpePublicInterface}   User CPE       port1
${policyId1}            User CPE       101
${policyId2}            User CPE       102
${policyId3}            User CPE       103
${policyId4}            User CPE       104
${VcnId}                User/Console   myVCN1
${VcnCidrNetwork}       User           10.0.0.0
${VcnCidrNetmask}       User           255.255.0.0

ISAKMP Policy Options

IPSec Policy Options

Security Parameter Index

The values for the Security Parameter Index (SPI) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct SPI values to use, see Route-Based Versus Policy-Based IPSec.

CPE Configuration

Firewall Configuration

The configuration example below allows all traffic, in both directions, between your VCN and any host on your on-premises network.

config firewall address
    edit any_ipv4
    next
    edit OracleVcn-${VcnId}_remote_subnet
        set subnet ${VcnCidrNetwork} ${VcnCidrNetmask}
    next
end

config firewall addrgrp
    edit OracleVcn-${VcnId}_local
        set member any_ipv4
    next
    edit OracleVcn-${VcnId}_remote
        set member OracleVcn-${VcnId}_remote_subnet
    next
end

config firewall policy
    edit ${policyId1}
        set name vpn_${ipAddress1}_local
        set srcintf ${cpePublicInterface}
        set dstintf ${ipAddress1}
        set srcaddr OracleVcn-${VcnId}_local
        set dstaddr OracleVcn-${VcnId}_remote
        set action accept
        set schedule always
        set service ALL
        set comments "VPN: Oracle ${ipAddress1}"
    next
    edit ${policyId2}
        set name vpn_${ipAddress1}_remote
        set srcintf ${ipAddress1}
        set dstintf ${cpePublicInterface}
        set srcaddr OracleVcn-${VcnId}_remote
        set dstaddr OracleVcn-${VcnId}_local
        set action accept
        set schedule always
        set service ALL
        set comments "VPN: Oracle ${ipAddress1}"
    next
    edit ${policyId3}
        set name vpn_${ipAddress2}_local
        set srcintf ${cpePublicInterface}
        set dstintf ${ipAddress2}
        set srcaddr OracleVcn-${VcnId}_local
        set dstaddr OracleVcn-${VcnId}_remote
        set action accept
        set schedule always
        set service ALL
        set comments "VPN: Oracle ${ipAddress2}"
    next
    edit ${policyId4}
        set name vpn_${ipAddress2}_remote
        set srcintf ${ipAddress2}
        set dstintf ${cpePublicInterface}
        set srcaddr OracleVcn-${VcnId}_remote
        set dstaddr OracleVcn-${VcnId}_local
        set action accept
        set schedule always
        set service ALL
        set comments "VPN: Oracle ${ipAddress2}"
    next
end

Configure ISAKMP Phase 1

config vpn ipsec phase1-interface
    edit ${ipAddress1}
        set interface ${cpePublicInterface}
        set keylife 28800
        set proposal aes256-sha384 aes256-sha256
        set comments "VPN: Oracle ${ipAddress1}"
        set dhgrp 5
        set remote-gw ${ipAddress1}
        set psksecret ${sharedSecret1}
    next
    edit ${ipAddress2}
        set interface ${cpePublicInterface}
        set keylife 28800
        set proposal aes256-sha384 aes256-sha256
        set comments "VPN: Oracle ${ipAddress2}"
        set dhgrp 5
        set remote-gw ${ipAddress2}
        set psksecret ${sharedSecret2}
    next
end

Configure IPSec - ISAKMP Phase 2

config vpn ipsec phase2-interface
    edit ${ipAddress1}
        set phase1name ${ipAddress1}
        set proposal aes256-sha1
        set dhgrp 5
        set replay disable
        set auto-negotiate enable
        set comments "VPN: Oracle ${ipAddress1}"
        set keylifeseconds 3600
    next
    edit ${ipAddress2}
        set phase1name ${ipAddress2}
        set proposal aes256-sha1
        set dhgrp 5
        set replay disable
        set auto-negotiate enable
        set comments "VPN: Oracle ${ipAddress2}"
        set keylifeseconds 3600
    next
end

Configure Static Routes to Your VCN

config router static
    edit 1
        set dst ${VcnCidrNetwork} ${VcnCidrNetmask}
        set device ${ipAddress1}
        set comment "Oracle VPN-${ipAddress1}"
    next
    edit 2
        set dst ${VcnCidrNetwork} ${VcnCidrNetmask}
        set device ${ipAddress2}
        set comment "Oracle VPN-${ipAddress2}"
    next
end
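As an added example (not part of Oracle's documentation or any Fortinet tooling), the following Python script derives ${VcnCidrNetwork} and ${VcnCidrNetmask} from ${VcnCidrBlock} instead of working them out by hand, applies the policy-ID rules from the parameter list, and renders the static-route section of the template above with one route per tunnel. The parameter values are constructed to match the summary table; tunnel_keys, derive, check, render and static_routes are names chosen here.

```python
import ipaddress
import re

# Constructed sample values mirroring the parameter summary table above.
PARAMS = {
    "ipAddress1": "129.146.12.52", "sharedSecret1": "EXAMPLEsecret1",
    "ipAddress2": "129.146.13.52", "sharedSecret2": "EXAMPLEsecret2",
    "cpePublicInterface": "port1",
    "policyId1": 101, "policyId2": 102, "policyId3": 103, "policyId4": 104,
    "VcnId": "myVCN1", "VcnCidrBlock": "10.0.0.0/20",
}

ROUTE_ENTRY = """    edit ${seq}
        set dst ${VcnCidrNetwork} ${VcnCidrNetmask}
        set device ${ipAddress}
        set comment "Oracle VPN-${ipAddress}"
    next
"""  # one 'edit' block of 'config router static', rendered per tunnel

def tunnel_keys(params):
    """ipAddress1, ipAddress2, ... in numeric order."""
    keys = [k for k in params if re.fullmatch(r"ipAddress\d+", k)]
    return sorted(keys, key=lambda k: int(k[len("ipAddress"):]))

def derive(params):
    """Add VcnCidrNetwork/VcnCidrNetmask computed from VcnCidrBlock; strict=True
    rejects host bits set (e.g. 10.0.1.0/20), which would route the wrong prefix."""
    net = ipaddress.ip_network(params["VcnCidrBlock"], strict=True)
    return {**params, "VcnCidrNetwork": str(net.network_address),
            "VcnCidrNetmask": str(net.netmask)}

def check(params):
    """Return problems: the template needs two unique policy IDs per tunnel."""
    ids = [v for k, v in params.items() if k.startswith("policyId")]
    wanted, problems = 2 * len(tunnel_keys(params)), []
    if len(ids) != wanted:
        problems.append(f"need {wanted} policy IDs, got {len(ids)}")
    if len(set(ids)) != len(ids):
        problems.append("policy IDs must be unique")
    return problems

def render(template, values):
    """Substitute ${name}; an unknown name raises KeyError rather than
    leaving a literal ${...} in the CLI script."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(values[m.group(1)]), template)

def static_routes(params):
    """Render 'config router static' with one route per tunnel."""
    p = derive(params)
    entries = [render(ROUTE_ENTRY, {**p, "seq": i, "ipAddress": p[k]})
               for i, k in enumerate(tunnel_keys(p), 1)]
    return "config router static\n" + "".join(entries) + "end\n"
```

The derivation also shows that a /20 block has netmask 255.255.240.0, so the mask typed into the template should be checked against the prefix length rather than copied from a worked example.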