Oracle Cloud Infrastructure Documentation

Generic CPE Configuration Information

Oracle Cloud Infrastructure VPN service uses standards-based IPSec encryption. If your CPE device is not among those that already have configuration information (see Device Configurations), use the information here to configure your device.


Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not work reliably.

ISAKMP Policy Options

  • ISAKMP Protocol version 1
  • Exchange type: Main mode
  • Authentication method: pre-shared-keys
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96)
  • Diffie-Hellman group: group 5, group 2, group 1
  • IKE session key lifetime: 28800 seconds (8 hours)

IPSec Policy Options

  • IPSec protocol: ESP, tunnel-mode
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: HMAC-SHA1-96
  • IPSec session key lifetime: 3600 seconds (1 hour)
  • Perfect Forward Secrecy (PFS): enabled, group 5
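
The following is an added example, not Oracle-provided configuration: it maps the ISAKMP and IPSec policy options above onto a strongSwan `ipsec.conf` connection, choosing the strongest value from each list. strongSwan as the CPE software, the connection name `oci-tunnel-1` and both IP addresses are assumptions made for illustration.

```conf
# /etc/ipsec.conf (strongSwan legacy ipsec.conf syntax). Added example.
# Addresses are constructed placeholders from the documentation ranges:
#   203.0.113.10  = public IP of your CPE (assumption)
#   198.51.100.20 = Oracle VPN endpoint IP for this tunnel (assumption)
conn oci-tunnel-1
    # --- ISAKMP (phase 1) policy ---
    # ISAKMP protocol version 1
    keyexchange=ikev1
    # Exchange type: Main mode
    aggressive=no
    # Authentication method: pre-shared key
    authby=secret
    # AES-256-CBC, SHA-384, Diffie-Hellman group 5 (modp1536).
    # The trailing "!" restricts the offer to exactly this proposal.
    ike=aes256-sha384-modp1536!
    # IKE session key lifetime: 28800 seconds (8 hours)
    ikelifetime=28800s
    # --- IPSec (phase 2) policy ---
    # ESP in tunnel mode
    type=tunnel
    # AES-256-CBC, HMAC-SHA1-96, PFS with group 5
    esp=aes256-sha1-modp1536!
    # IPSec session key lifetime: 3600 seconds (1 hour)
    lifetime=3600s
    # --- Endpoints ---
    left=203.0.113.10
    right=198.51.100.20
    # leftsubnet/rightsubnet are deliberately not set in this fragment:
    # they depend on whether the tunnel is route-based or policy-based.
    auto=start

# /etc/ipsec.secrets (keep readable by root only)
# 203.0.113.10 198.51.100.20 : PSK "<pre-shared key for this tunnel>"
```

Define one such `conn` for each tunnel in the IPSec VPN connection, each with its own endpoint address and pre-shared key.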

Security Parameter Index

The values for the Security Parameter Index (SPI) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct SPI values to use, see Route-Based Versus Policy-Based IPSec.