Oracle Cloud Infrastructure Documentation

Generic CPE Configuration Information

The Oracle Cloud Infrastructure VPN service uses standards-based IPSec encryption. If your CPE device is not one that already has configuration information (see Device Configurations), use the information here to configure your device.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not work reliably.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also known as a proxy ID, security parameter index (SPI), or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Supported Parameters for the Commercial Cloud

This section lists the supported parameters if your VPN Connect is for the commercial cloud. For a list of the commercial cloud regions, see Regions and Availability Domains.

Commercial Cloud: ISAKMP Policy Options

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

  • ISAKMP Protocol version 1
  • Exchange type: Main mode
  • Authentication method: pre-shared-keys
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96)
  • Diffie-Hellman group: group 5, group 2, group 1
  • IKE session key lifetime: 28800 seconds (8 hours)

Commercial Cloud: IPSec Policy Options

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

  • IPSec protocol: ESP, tunnel-mode
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: HMAC-SHA1-96
  • IPSec session key lifetime: 3600 seconds (1 hour)
  • Perfect Forward Secrecy (PFS): enabled, group 5

Supported Parameters for the Government Cloud

This section lists the supported parameters if your VPN Connect is for the Government Cloud. For more information, see Information for Oracle Cloud Infrastructure Government Cloud Customers.

Government Cloud: ISAKMP Policy Options

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

  • ISAKMP Protocol version 1
  • Exchange type: Main mode
  • Authentication method: pre-shared-keys
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96)
  • Diffie-Hellman group: group 14, group 19, group 20
  • IKE session key lifetime: 28800 seconds (8 hours)

Government Cloud: IPSec Policy Options

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

  • IPSec protocol: ESP, tunnel-mode
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc, AES-128-gcm, AES-192-gcm, AES-256-gcm
  • Authentication algorithm: HMAC-SHA-256-128 (note that if you're using GCM encryption (Galois/Counter Mode), authentication is built into GCM)
  • IPSec session key lifetime: 3600 seconds (1 hour)
  • Perfect Forward Secrecy (PFS): enabled, group 14
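
The following is an added example, not part of Oracle's documentation: a pre-deployment check that parses a CPE's phase 1 (ISAKMP) or phase 2 (IPSec) proposal and reports any value that is not in the commercial or Government Cloud lists above. It assumes proposals are written with strongSwan-style keywords (for example `aes256-sha384-modp1536`); the names `check_proposal`, `SUPPORTED` and `LIFETIME` are hypothetical.

```python
import re

# strongSwan keyword -> IKE Diffie-Hellman group number
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5,
             "modp2048": 14, "ecp256": 19, "ecp384": 20}
AES = {128, 192, 256}
IKE_HASHES = {"sha1", "sha256", "sha384"}
# (cloud, phase) -> (CBC key sizes, GCM key sizes, integrity algs, DH groups),
# transcribed from the parameter lists on this page.
SUPPORTED = {
    ("commercial", "ike"): (AES, set(), IKE_HASHES, {1, 2, 5}),
    ("commercial", "esp"): (AES, set(), {"sha1"}, {5}),
    ("government", "ike"): (AES, set(), IKE_HASHES, {14, 19, 20}),
    ("government", "esp"): (AES, AES, {"sha256"}, {14}),
}
LIFETIME = {"ike": 28800, "esp": 3600}  # seconds

def check_proposal(cloud, phase, proposal, lifetime):
    """Return a list of mismatches; an empty list means the proposal fits."""
    cbc, gcm, integs, groups = SUPPORTED[(cloud, phase)]
    enc = integ = dh = None
    for tok in proposal.lower().rstrip("!").split("-"):
        if tok.startswith("aes"):
            enc = tok
        elif tok in DH_GROUPS:
            dh = DH_GROUPS[tok]
        else:
            integ = tok
    problems = []
    m = re.fullmatch(r"aes(\d+)(gcm\d+)?", enc or "")
    if not m:
        problems.append(f"encryption {enc!r} is not an AES keyword")
    else:
        bits, is_gcm = int(m.group(1)), bool(m.group(2))
        if bits not in (gcm if is_gcm else cbc):
            mode = "GCM" if is_gcm else "CBC"
            problems.append(f"AES-{bits}-{mode} is not listed for {cloud} {phase}")
        # GCM authenticates on its own, so only CBC needs a listed integrity alg.
        if not is_gcm and integ not in integs:
            problems.append(f"integrity {integ!r} not in {sorted(integs)}")
    if dh not in groups:
        problems.append(f"DH group {dh} not in {sorted(groups)}")
    if lifetime != LIFETIME[phase]:
        problems.append(f"lifetime {lifetime}s, page lists {LIFETIME[phase]}s")
    return problems

if __name__ == "__main__":
    # Constructed sample: a commercial-cloud CPE using group 14 for phase 1.
    print(check_proposal("commercial", "ike", "aes256-sha384-modp2048", 28800))
```

For phase 2 (`"esp"`), the Diffie-Hellman keyword in the proposal is read as the PFS group.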