Oracle Cloud Infrastructure Documentation

Juniper MX

This configuration was validated using a Juniper MX 240 running Junos 15.1.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value: 129.146.12.52

${sharedSecret#}

  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpePublicIpAddress}

  • The public IP address for the CPE (previously made available to Oracle via the Console).

${VcnCidrBlock}

  • When creating the VCN, your company selected this CIDR to represent the IP aggregate network for all VCN hosts.
  • Example Value: 10.0.0.0/20

Parameters Based on Current CPE Configuration and State

The following parameters must be discovered by examining your CPE's current configuration and choosing values that do not conflict with what is already configured.

${cpePublicInterface}

  • The name of the Juniper interface where the CPE IP address is configured.
  • Example value: ge-0/0/1.0

${msInterface#} - one per tunnel

  • These interfaces correspond to one of the four encryption ASICs on the MS-MPC card.
  • You can distribute load across the ASICs by spreading your tunnels across them.
  • Example values: ms-2/3/0, ms-2/3/1

${insideMsUnit1} and ${outsideMsUnit1} - one pair per tunnel

  • For every tunnel, you will need an ms-mpc interface pair of units.
  • One represents the outside of the IPSec tunnel.
  • The other the inside of the tunnel.
  • The router forwards packets from your on-premises network to your VCN into the inside unit.
    • The encryption ASIC then encrypts the packets based on the rules and policies.
    • Then, the encrypted packet egresses out the outside unit as an ESP packet, ready to be forwarded to Oracle's VPN headend routers.
  • There are a little over 16,000 possible values for unit numbers.
    • One way to allocate the units is to offset them by 8,000.
    • You can pick values between 0-7999 for insideMsUnits and 8000-15999 for outsideMsUnits.

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The template below will allow setting up multiple tunnels on your CPE, each to a corresponding headend. In the table below, "User" is you/your company.

Parameter               Source        Example Value
${ipAddress1}           Console/API   129.146.12.52
${sharedSecret1}        Console/API   (long string)
${ipAddress2}           Console/API   129.146.13.52
${sharedSecret2}        Console/API   (long string)
${cpePublicIpAddress}   User          1.2.3.4
${msInterface1}         User          ms-2/3/0
${msInterface2}         User          ms-2/3/1
${insideMsUnit1}        User          101
${insideMsUnit2}        User          102
${outsideMsUnit1}       User          8101
${outsideMsUnit2}       User          8102
${VcnCidrBlock}         User          10.0.0.0/16
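The parameter checks implied by the two sections above (unit numbers in the 0-7999 / 8000-15999 ranges, unique on the router, a well-formed VCN CIDR) and the static-route stanza they feed, as an added example that is not part of the Oracle documentation. The Tunnel class and its field names are an assumption of this example; the pre-shared key is deliberately left out of it so that secrets never appear in validation output.

```python
import ipaddress
from dataclasses import dataclass

# Unit ranges from the allocation scheme above: inside units 0-7999, outside units 8000-15999.
INSIDE_UNITS = range(0, 8000)
OUTSIDE_UNITS = range(8000, 16000)


@dataclass
class Tunnel:  # hypothetical container for one tunnel's parameters (no shared secret here)
    ip_address: str     # ${ipAddress#}: Oracle headend tunnel endpoint
    ms_interface: str   # ${msInterface#}, e.g. ms-2/3/0
    inside_unit: int    # ${insideMsUnit#}
    outside_unit: int   # ${outsideMsUnit#}


def validate(tunnels, vcn_cidr):
    """Return a list of problems; an empty list means the parameter set is consistent."""
    problems = []
    try:
        ipaddress.ip_network(vcn_cidr)  # strict: host bits must be zero in ${VcnCidrBlock}
    except ValueError:
        problems.append(f"invalid VCN CIDR {vcn_cidr!r}")
    seen_units = {}
    for t in tunnels:
        try:
            ipaddress.ip_address(t.ip_address)
        except ValueError:
            problems.append(f"invalid headend address {t.ip_address!r}")
        if t.inside_unit not in INSIDE_UNITS:
            problems.append(f"{t.ip_address}: inside unit {t.inside_unit} not in 0-7999")
        if t.outside_unit not in OUTSIDE_UNITS:
            problems.append(f"{t.ip_address}: outside unit {t.outside_unit} not in 8000-15999")
        # Unit numbers must be unique on the router, so track them across all tunnels.
        for unit in (t.inside_unit, t.outside_unit):
            if unit in seen_units:
                problems.append(f"unit {unit} reused by {t.ip_address} and {seen_units[unit]}")
            seen_units.setdefault(unit, t.ip_address)
    return problems


def render_static_route(tunnels, vcn_cidr):
    """Render the 'CPE to VCN Static Routes' stanza with each tunnel's inside unit as a next hop."""
    hops = " ".join(f"{t.ms_interface}.{t.inside_unit}" for t in tunnels)
    return (
        "routing-options {\n"
        "    static {\n"
        f"        route {vcn_cidr} next-hop [ {hops} ];\n"
        "    }\n"
        "}"
    )
```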

ISAKMP Policy Options

IPSec Policy Options

Security Parameter Index

The values for the Security Parameter Index (SPI) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct SPI values to use, see Route-Based Versus Policy-Based IPSec.

CPE Configuration

Note on routing-instances: If you are using routing-instances on your CPE, you need to make sure you account for them in your configuration. The main configuration template below does not account for routing-instances, so you would need to merge the following config excerpt into the non-routing-instance templates.

routing-instances {
    ${customer premise routing instance} {
        /* The inside units of each tunnel belong to the on-premises routing instance. */
        interface ${msInterface1}.${insideMsUnit1};
        interface ${msInterface2}.${insideMsUnit2};
        routing-options {
            static {
                route ${VcnCidrBlock} next-hop [ ${msInterface1}.${insideMsUnit1} ${msInterface2}.${insideMsUnit2} ];
            }
        }
    }
    ${internet-routing-instance} {
        /* The outside (ESP-facing) units belong to the instance that holds the CPE public interface;
           a logical unit can be a member of only one routing instance. */
        interface ${msInterface1}.${outsideMsUnit1};
        interface ${msInterface2}.${outsideMsUnit2};
    }
}
services {
    service-set oracle-vpn-tunnel-${ipAddress1} {
        ipsec-vpn-options {
            local-gateway ${cpePublicIpAddress} routing-instance ${internet-routing-instance};
        }
    }
    service-set oracle-vpn-tunnel-${ipAddress2} {
        ipsec-vpn-options {
            local-gateway ${cpePublicIpAddress} routing-instance ${internet-routing-instance};
        }
    }
}

Tunnel Interface Configuration

This configures the Juniper MX interfaces that represent the "inside" and "outside" of the IPSec tunnels. There is one pair of interface/units per tunnel. The unit numbers must be unique on your router.

interfaces {
    ${msInterface1} {
        unit ${insideMsUnit1} {
            description oracle-vpn-tunnel-${ipAddress1}-INSIDE;
            family inet;
            service-domain inside;
        }
        unit ${outsideMsUnit1} {
            description oracle-vpn-tunnel-${ipAddress1}-OUTSIDE;
            family inet;
            service-domain outside;
        }
    }
    ${msInterface2} {
        unit ${insideMsUnit2} {
            description oracle-vpn-tunnel-${ipAddress2}-INSIDE;
            family inet;
            service-domain inside;
        }
        unit ${outsideMsUnit2} {
            description oracle-vpn-tunnel-${ipAddress2}-OUTSIDE;
            family inet;
            service-domain outside;
        }
    }
}

CPE to VCN Static Routes

Static routes are required to send traffic through the IPSec tunnels. The routes point at the inside units of the tunnel interfaces. If an IPSec tunnel is down, the Juniper MX stops using that route. You should redistribute these routes into your on-premises network.

routing-options {
    static {
        /* One next hop per tunnel; a next hop is withdrawn when its tunnel goes down. */
        route ${VcnCidrBlock} next-hop [ ${msInterface1}.${insideMsUnit1} ${msInterface2}.${insideMsUnit2} ];
    }
}

Services Configuration

The IPSec tunnels are configured in this section.

services {
    service-set oracle-vpn-tunnel-${ipAddress1} {
        next-hop-service {
            inside-service-interface ${msInterface1}.${insideMsUnit1};
            outside-service-interface ${msInterface1}.${outsideMsUnit1};
        }
        ipsec-vpn-options {
            local-gateway ${cpePublicIpAddress};
        }
        ipsec-vpn-rules oracle-vpn-tunnel-${ipAddress1};
    }
    service-set oracle-vpn-tunnel-${ipAddress2} {
        next-hop-service {
            inside-service-interface ${msInterface2}.${insideMsUnit2};
            outside-service-interface ${msInterface2}.${outsideMsUnit2};
        }
        ipsec-vpn-options {
            local-gateway ${cpePublicIpAddress};
        }
        ipsec-vpn-rules oracle-vpn-tunnel-${ipAddress2};
    }
    ipsec-vpn {
        rule oracle-vpn-tunnel-${ipAddress1} {
            term 1 {
                from {
                    ipsec-inside-interface ${msInterface1}.${insideMsUnit1};
                }
                then {
                    remote-gateway ${ipAddress1};
                    dynamic {
                        /* Names must match the ike and ipsec policies defined below. */
                        ike-policy oracle-ike-policy-${ipAddress1};
                        ipsec-policy oracle-ipsec-policy;
                    }
                    tunnel-mtu 1420;
                    initiate-dead-peer-detection;
                    dead-peer-detection {
                        interval 5;
                        threshold 4;
                    }
                }
            }
            match-direction input;
        }
        rule oracle-vpn-tunnel-${ipAddress2} {
            term 1 {
                from {
                    ipsec-inside-interface ${msInterface2}.${insideMsUnit2};
                }
                then {
                    remote-gateway ${ipAddress2};
                    dynamic {
                        ike-policy oracle-ike-policy-${ipAddress2};
                        ipsec-policy oracle-ipsec-policy;
                    }
                    tunnel-mtu 1420;
                    initiate-dead-peer-detection;
                    dead-peer-detection {
                        interval 5;
                        threshold 4;
                    }
                }
            }
            match-direction input;
        }
        ipsec {
            proposal esp-aes256-sha1 {
                protocol esp;
                authentication-algorithm hmac-sha1-96;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 3600;
            }
            policy oracle-ipsec-policy {
                perfect-forward-secrecy {
                    keys group5;
                }
                proposals [ esp-aes256-sha1 ];
            }
        }
        ike {
            proposal aes256-sha384-group5 {
                authentication-method pre-shared-keys;
                dh-group group5;
                authentication-algorithm sha-384;
                encryption-algorithm aes-256-cbc;
                lifetime-seconds 28800;
            }
            policy oracle-ike-policy-${ipAddress1} {
                mode main;
                version 1;
                proposals [ aes256-sha384-group5 ];
                local-id ipv4_addr ${cpePublicIpAddress};
                remote-id ipv4_addr ${ipAddress1};
                pre-shared-key ascii-text ${sharedSecret1};
            }
            policy oracle-ike-policy-${ipAddress2} {
                mode main;
                version 1;
                proposals [ aes256-sha384-group5 ];
                local-id ipv4_addr ${cpePublicIpAddress};
                remote-id ipv4_addr ${ipAddress2};
                pre-shared-key ascii-text ${sharedSecret2};
            }
        }
    }
}