Oracle Cloud Infrastructure Documentation

Juniper SRX

This configuration was validated using a Juniper SRX 240 running 12.1X44-D35.5.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also called a proxy ID or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. The security parameter index (SPI) is a different value: it identifies a negotiated IPSec SA and is not something you configure. The SRX configuration on this page is route-based (st0 tunnel interfaces) and sets no proxy-identity, so the proxy IDs default to 0.0.0.0/0 to 0.0.0.0/0, any protocol. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value: 129.146.12.52

${sharedSecret#}

  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpePublicIpAddress}

  • The public IP address for the CPE (previously made available to Oracle via the Console).

${VcnCidrBlock}

  • The CIDR your company chose when creating the VCN. It is the aggregate for all VCN hosts and is the prefix the static routes on the CPE point at the tunnels.
  • Example value: 10.0.0.0/16

Parameters Based on Current CPE Configuration and State

The following parameters come from your CPE's current configuration. Examine it and choose values (interface name, st0 unit numbers, zone names) that are valid on the device and do not collide with anything already configured.

${cpePublicInterface}

  • The name of the Juniper interface where the CPE IP address is configured.
  • Example value: ge-0/0/1.0

${tunnelUnit#} - one per tunnel

  • You will need multiple tunnel unit numbers per IPSec connection.
  • One per IPSec tunnel.
  • Oracle recommends setting up all Oracle configured tunnels for maximum redundancy.
  • The Juniper SRX uses the st0 interface for IPSec tunnels.
  • Example values: 1, 2

Juniper Security Zones

  • Juniper SRX has the concept of "security zones".
  • The configuration references three security zones: the zone that already holds your internal interfaces, a new zone for the Oracle tunnel interfaces, and the zone that already holds your public interface.

${InsideZoneName}

  • This zone contains the interfaces that are part of your internal network that need to reach resources in your Oracle VCN.

${OracleVpnZoneName}

  • This zone contains the interfaces that are part of the Oracle Cloud Infrastructure network.
  • This includes the inside of the IPSec tunnel interfaces.

${InternetSecurityZoneName}

  • This is the zone that includes your ${cpePublicInterface}.
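The operational-mode commands below show how to pull the CPE-side values above from a running SRX before you edit anything. They are an added example, not part of Oracle's template; the prompt user@srx>, the public IP 203.0.113.10 and the assumption that the device has no st0 units yet are placeholders.

```junos
user@srx> show configuration interfaces st0
user@srx> show interfaces st0 terse
user@srx> show interfaces terse | match 203.0.113.10
user@srx> show security zones
user@srx> show configuration security ike gateway
user@srx> show configuration security ipsec vpn
```

The first two commands list the st0 units already in use; pick ${tunnelUnit1} and ${tunnelUnit2} from numbers that do not appear (if st0 is absent entirely, 1 and 2 are free). The match on your public address returns the line whose interface name is ${cpePublicInterface}. show security zones lists every zone with its interfaces, which gives you ${InsideZoneName} and ${InternetSecurityZoneName} and tells you whether a zone named oracle-vpn already exists. The last two commands show existing IKE gateway and IPSec VPN names so that the gw_oracle-* and oracle-vpn-* names in the template do not collide with them.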

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The template below will allow setting up multiple tunnels on your CPE, each to a corresponding headend. In the table below, "User" is you/your company.

Parameter                     Source       Example Value
${ipAddress1}                 Console/API  129.146.12.52
${sharedSecret1}              Console/API  (long string)
${ipAddress2}                 Console/API  129.146.13.52
${sharedSecret2}              Console/API  (long string)
${cpePublicInterface}         User         ge-0/0/1.0
${tunnelUnit1}                User         1
${tunnelUnit2}                User         2
${InsideZoneName}             User         (existing zone containing your internal interfaces)
${OracleVpnZoneName}          User         oracle-vpn
${InternetSecurityZoneName}   User         INTERNET
${VcnCidrBlock}               User         10.0.0.0/16

Important

The following ISAKMP and IPSec policy parameter values are applicable to VPN Connect in the commercial cloud. For the Government Cloud, you must use the values listed in Required VPN Connect Parameters for the Government Cloud.

ISAKMP Policy Options

These values are the ones used by the oracle-ike-proposal in the configuration below.

  • IKE version: IKEv1, main mode
  • Authentication method: pre-shared keys
  • Encryption algorithm: AES-256-CBC
  • Authentication (integrity) algorithm: SHA-384
  • Diffie-Hellman group: group 5
  • IKE lifetime: 28800 seconds

IPSec Policy Options

These values are the ones used by the oracle-ipsec-proposal in the configuration below.

  • Protocol: ESP
  • Encryption algorithm: AES-256-CBC
  • Authentication algorithm: HMAC-SHA1-96
  • Perfect forward secrecy: DH group 5
  • IPSec lifetime: 3600 seconds

CPE Configuration

Tunnel Interface Configuration

This configures the Juniper SRX interfaces that represent the "inside" of the IPSec tunnels. There is one interface/unit per tunnel.

interfaces {
    st0 {
        unit ${tunnelUnit1} {
            family inet;
        }
        unit ${tunnelUnit2} {
            family inet;
        }
    }
}

CPE to VCN Static Routes

The IPSec tunnels require static routes to send traffic through them. The routes point at the tunnel interfaces rather than at a next-hop IP address. Because vpn-monitor is enabled on each VPN below, the SRX marks an st0 unit down when its tunnel fails, the route through that unit is withdrawn, and the remaining tunnel carries the traffic; listing both units as next-hops for the one prefix is what gives you that failover. Keep in mind that Oracle may return traffic over either tunnel regardless of which one you sent on (see the note on asymmetric routing above). Redistribute this route into your on-premises network so that hosts behind the SRX have a path to the VCN.

routing-options {
    static {
        route ${VcnCidrBlock} next-hop [ st0.${tunnelUnit1} st0.${tunnelUnit2} ];
    }
}

Security Policy

The security policy consists of four sections:

  • ike: IKE (phase 1) proposal, policies and gateways, with one policy and one gateway per Oracle headend.
  • ipsec: IPSec (phase 2) proposal, policy and one VPN per tunnel, each bound to its own st0 unit.
  • zones: Defines the Oracle VPN zone and the public-facing zone and places interfaces into them. ${InsideZoneName} is assumed to already exist with your internal interfaces in it. The bgp entry under host-inbound-traffic on the st0 units is only needed if you run BGP over the tunnels; with the static routes above it is unused and can be dropped.
  • policies: Defines what traffic is permitted between zones. The SRX is stateful, so the inside-to-Oracle policy also admits the return traffic of sessions started on premises. Sessions started from the VCN need a separate from-zone ${OracleVpnZoneName} to-zone ${InsideZoneName} policy; scope it to the sources and applications you actually expose rather than any/any.

security {
    ike {
        proposal oracle-ike-proposal {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-384;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 28800;
        }
        policy ike_pol_oracle-vpn-${ipAddress1} {
            mode main;
            proposals oracle-ike-proposal;
            pre-shared-key ascii-text "${sharedSecret1}";
        }
        policy ike_pol_oracle-vpn-${ipAddress2} {
            mode main;
            proposals oracle-ike-proposal;
            pre-shared-key ascii-text "${sharedSecret2}";
        }
        gateway gw_oracle-${ipAddress1} {
            ike-policy ike_pol_oracle-vpn-${ipAddress1};
            address ${ipAddress1};
            dead-peer-detection;
            external-interface ${cpePublicInterface};
        }
        gateway gw_oracle-${ipAddress2} {
            ike-policy ike_pol_oracle-vpn-${ipAddress2};
            address ${ipAddress2};
            dead-peer-detection;
            external-interface ${cpePublicInterface};
        }
    }
    ipsec {
        vpn-monitor-options;
        proposal oracle-ipsec-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy ipsec_pol_oracle-vpn {
            perfect-forward-secrecy {
                keys group5;
            }
            proposals oracle-ipsec-proposal;
        }
        vpn oracle-vpn-${ipAddress1} {
            bind-interface st0.${tunnelUnit1};
            vpn-monitor;
            ike {
                gateway gw_oracle-${ipAddress1};
                ipsec-policy ipsec_pol_oracle-vpn;
            }
            establish-tunnels immediately;
        }
        vpn oracle-vpn-${ipAddress2} {
            bind-interface st0.${tunnelUnit2};
            vpn-monitor;
            ike {
                gateway gw_oracle-${ipAddress2};
                ipsec-policy ipsec_pol_oracle-vpn;
            }
            establish-tunnels immediately;
        }
    }
    policies {
        from-zone ${InsideZoneName} to-zone ${OracleVpnZoneName} {
            policy vpn-out {
                match {
                    source-address any-ipv4;
                    destination-address any-ipv4;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone ${OracleVpnZoneName} {
            interfaces {
                st0.${tunnelUnit1} {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
                st0.${tunnelUnit2} {
                    host-inbound-traffic {
                        protocols {
                            bgp;
                        }
                    }
                }
            }
        }
        security-zone ${InternetSecurityZoneName} {
            interfaces {
                ${cpePublicInterface} {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            ping;
                        }
                    }
                }
            }
        }
    }
}
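After committing, the commands below verify that both tunnels are up and exercise the failover behaviour described under CPE to VCN Static Routes. This is an added example, not part of Oracle's page; the prompts, the VCN CIDR 10.0.0.0/16, the VCN host 10.0.1.10 and the on-premises source address 192.168.1.1 are assumptions.

```junos
user@srx# commit check
user@srx# commit and-quit

user@srx> show security ike security-associations
user@srx> show security ipsec security-associations
user@srx> show interfaces st0 terse
user@srx> show route 10.0.0.0/16

user@srx> ping 10.0.1.10 source 192.168.1.1 count 5
user@srx> show security flow session destination-prefix 10.0.1.10

user@srx# set interfaces st0 unit ${tunnelUnit1} disable
user@srx# commit
user@srx> show route 10.0.0.0/16
user@srx> ping 10.0.1.10 source 192.168.1.1 count 5
user@srx# delete interfaces st0 unit ${tunnelUnit1} disable
user@srx# commit and-quit
```

What to look for: the IKE output should show one SA per Oracle headend in state UP, and the IPSec output should show an inbound and an outbound ESP SA for each gateway, each tied to its st0 unit. show route should list the VCN prefix with both st0 units as next-hops, one of them marked as selected. The flow session output shows which st0 unit carried the ping; because Oracle returns traffic over whichever tunnel it chooses, the inbound wing may arrive on the other unit, which is why both units sit in the same zone with the same policy. Disabling one st0 unit leaves only the other next-hop in the route and the ping should keep succeeding; with vpn-monitor enabled, a tunnel that fails on its own produces the same effect without any configuration change.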