Oracle Cloud Infrastructure Documentation

Libreswan

Libreswan is an open-source IPSec implementation that is based on FreeS/WAN and Openswan. Most Linux distributions include Libreswan or make it easy to install. You can install it on hosts in either your on-premises network or a cloud provider network. For an example of setting up a Libreswan host in another cloud provider to connect to your Oracle Cloud Infrastructure VCN, see Access to Other Clouds with Libreswan.

This configuration was validated using Libreswan version 3.23-4.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also known as a proxy ID, security parameter index (SPI), or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Route-Based VPNs with Libreswan

Libreswan supports both route-based and policy-based tunnels. The tunnel types can coexist without interfering with each other. The Oracle VPN headends use route-based tunnels. Oracle recommends that you configure Libreswan with the Virtual Tunnel Interface (VTI) configuration syntax.

ISAKMP and IPSec Policy Options

Libreswan's default values for ISAKMP and IPSec policy options are compatible with Oracle's VPN headends in the commercial cloud. For more information about those policy options, see Generic CPE Configuration Information.

Important

For the Government Cloud, you must use the values listed in Required VPN Connect Parameters for the Government Cloud.

Default Libreswan Configuration Files

Libreswan configuration uses the concept of left and right to define the configuration parameters for your local CPE device and the remote gateway. Either side of the connection (the conn in the Libreswan configuration) can be left or right, but the configuration for that connection must be consistent. In this example:

  • left: your local Libreswan CPE
  • right: the Oracle VPN gateway

/etc/ipsec.conf and /etc/ipsec.secrets

The default Libreswan installation creates the following files:

  • /etc/ipsec.conf: The root of the Libreswan configuration.
  • /etc/ipsec.secrets: The root of the location where Libreswan looks for secrets (the tunnel preshared keys).
  • /etc/ipsec.d/: A directory for storing the .conf and .secrets files for your Oracle Cloud Infrastructure tunnels (for example: oci-ipsec.conf and oci-ipsec.secrets). Libreswan encourages you to create these files in this folder.

The default /etc/ipsec.conf file includes this line:

include /etc/ipsec.d/*.conf

The default /etc/ipsec.secrets file includes this line:

include /etc/ipsec.d/*.secrets

These lines automatically merge all the .conf and .secrets files in the /etc/ipsec.d directory into the main configuration and secrets files that Libreswan uses.

Important

Do not change the default .conf and .secrets files unless you're experienced with Libreswan and know the implications.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value: 129.146.12.52

${psk#}

  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpePublicIpAddress}

  • The public IP address for the CPE (previously made available to Oracle via the Console).
  • Example value: 1.2.3.4

${VcnCidrBlock}

  • When creating the VCN, your company selected this CIDR to represent the IP aggregate network for all VCN hosts.
  • Example value: 10.0.0.0/20

Additional Configuration Parameters

${cpeLocalIP}

  • The IP address configured directly on your Libreswan host.
  • If your CPE is not behind a 1-1 NAT, this value is the same as ${cpePublicIpAddress}.
  • Example value:
    • If your CPE is not behind a 1-1 NAT: 1.2.3.4
    • If your CPE is behind a 1-1 NAT: 10.2.3.4

${vti#}

  • A name of your choice for the virtual tunnel interface. There is one value for each tunnel.
  • Example value: vti01

${markValue#}

  • These values are used to mark packets entering the Libreswan host so that they are associated with a particular virtual tunnel interface (vti).
  • Each mark value must be unique across the Libreswan host.
  • If the mark value is changed after the vti interface is created, you must remove and recreate the vti interface (see the procedure that follows).
  • Example value for each tunnel: 5/0xffffffff and 6/0xffffffff

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The template that follows lets you set up multiple tunnels on your CPE, each to a corresponding headend. In the following table, "User" is you or your company.

Parameter              Source       Example Value
${ipAddress1}          Console/API  129.146.12.52
${psk1}                Console/API  (long string)
${ipAddress2}          Console/API  129.146.13.52
${psk2}                Console/API  (long string)
${VcnCidrBlock}        User         10.0.0.0/20
${cpePublicIpAddress}  User         1.2.3.4
${cpeLocalIP}          User         If your CPE is not behind a 1-1 NAT: 1.2.3.4
                                    If your CPE is behind a 1-1 NAT: 10.2.3.4
${vti1}                User         vti01
${vti2}                User         vti02
${markValue1}          User         5/0xffffffff
${markValue2}          User         6/0xffffffff

Setting Up Your Configuration File: /etc/ipsec.d/oci-ipsec.conf

Use the following template for your /etc/ipsec.d/oci-ipsec.conf file. The file defines the two tunnels that Oracle creates when you set up the IPSec connection.

Important

If your CPE is behind a 1-1 NAT device, uncomment the leftid parameter and set it equal to the ${cpePublicIpAddress}.

conn oracle-tunnel-1
     left=${cpeLocalIP}
     # leftid=${cpePublicIpAddress} # See preceding note about 1-1 NAT device
     right=${ipAddress1}
     authby=secret
     leftsubnet=0.0.0.0/0
     rightsubnet=0.0.0.0/0
     auto=start
     mark=${markValue1}
     vti-interface=${vti1}
     vti-routing=no
     encapsulation=no
     ikelifetime=28800s
     salifetime=3600s
conn oracle-tunnel-2
     left=${cpeLocalIP}
     # leftid=${cpePublicIpAddress} # See preceding note about 1-1 NAT device
     right=${ipAddress2}
     authby=secret
     leftsubnet=0.0.0.0/0
     rightsubnet=0.0.0.0/0
     auto=start
     mark=${markValue2}
     vti-interface=${vti2}
     vti-routing=no
     encapsulation=no
     ikelifetime=28800s
     salifetime=3600s

Setting Up Your Secrets File: /etc/ipsec.d/oci-ipsec.secrets

Use the following template for your /etc/ipsec.d/oci-ipsec.secrets file. It contains two lines per IPSec connection (one line per tunnel).

${cpePublicIpAddress} ${ipAddress1}: PSK "${psk1}"
${cpePublicIpAddress} ${ipAddress2}: PSK "${psk2}"
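As an added example (not Oracle's documentation or Libreswan's code), the following Python lints a rendered oci-ipsec.conf and oci-ipsec.secrets pair against the rules above: unique mark values, leftid set when the CPE is behind a 1-1 NAT, authby=secret with a vti-interface on every conn, and a PSK line for every tunnel. The parser, the sample files and the PSK strings are constructed here, and the parser covers only the key=value subset of ipsec.conf syntax that the template uses.

```python
import re

def parse_conns(conf_text):
    """Map each unindented 'conn NAME' block to its key=value settings; '#' comments dropped."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace() and line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def parse_secrets(secrets_text):
    """Collect the (left, right) address pairs that carry a PSK line."""
    pat = re.compile(r"^\s*(\S+)\s+(\S+):\s*PSK\s+\"")
    return {m.group(1, 2) for m in map(pat.match, secrets_text.splitlines()) if m}

def lint_oci_tunnels(conf_text, secrets_text, cpe_public_ip):
    """Return findings as strings; an empty list means the pair passes the page's rules."""
    psk_pairs, marks, findings = parse_secrets(secrets_text), {}, []
    for name, kv in parse_conns(conf_text).items():
        mark = kv.get("mark")
        if mark in marks:  # marks must be unique across the host
            findings.append(f"{name}: mark {mark} already used by {marks[mark]}")
        marks.setdefault(mark, name)
        if cpe_public_ip not in (kv.get("left"), kv.get("leftid")):  # 1-1 NAT case
            findings.append(f"{name}: CPE behind 1-1 NAT but leftid != {cpe_public_ip}")
        if (cpe_public_ip, kv.get("right")) not in psk_pairs:
            findings.append(f"{name}: no PSK line for {cpe_public_ip} {kv.get('right')}")
        if kv.get("authby") != "secret" or "vti-interface" not in kv:
            findings.append(f"{name}: expected authby=secret and a vti-interface")
    return findings

# Constructed sample: CPE behind a 1-1 NAT (local 10.2.3.4, public 1.2.3.4).
# Tunnel 2 reuses tunnel 1's mark, still has leftid commented out, and has no PSK line.
SAMPLE_CONF = "\n".join([
    "conn oracle-tunnel-1", " left=10.2.3.4", " leftid=1.2.3.4", " right=129.146.12.52",
    " authby=secret", " mark=5/0xffffffff", " vti-interface=vti01",
    "conn oracle-tunnel-2", " left=10.2.3.4", " # leftid=1.2.3.4 # still commented",
    " right=129.146.13.52", " authby=secret", " mark=5/0xffffffff", " vti-interface=vti02"])
SAMPLE_SECRETS = '1.2.3.4 129.146.12.52: PSK "EXAMPLEPSK1"\n'
```

Running lint_oci_tunnels(SAMPLE_CONF, SAMPLE_SECRETS, "1.2.3.4") reports three findings, all against oracle-tunnel-2; the corrected pair (mark 6, leftid uncommented, second PSK line) reports none.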

Reloading the Libreswan Configuration

After setting up your configuration and secrets files, you must restart the Libreswan service.

Important

Restarting the Libreswan service may impact existing tunnels.

The following command rereads the config file and restarts the Libreswan service. If you're logged in with an unprivileged user account, you might need to use sudo before the command.

service ipsec restart

Checking the Libreswan Status

Check the current state of your Libreswan tunnels by using the following command.

ipsec status

The tunnel is established if you see a line that includes the following:

STATE_MAIN_I4: ISAKMP SA established

In the future, if you need to open a support ticket with Oracle about your Libreswan tunnel, include the output of the preceding ipsec status command.

Checking the Tunnel Interface Status

Check if the virtual tunnel interfaces are up or down by using the ifconfig command or the ip link show command. You can also use applications such as tcpdump with the interfaces.

Here's an example of the ifconfig output:

ifconfig
<output trimmed>

vti01: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8980
     inet6 fe80::5efe:a00:2 prefixlen 64 scopeid 0x20<link>
     tunnel txqueuelen 1000 (IPIP Tunnel)
     RX packets 0 bytes 0 (0.0 B)
     RX errors 0 dropped 0 overruns 0 frame 0
     TX packets 0 bytes 0 (0.0 B)
     TX errors 10 dropped 0 overruns 0 carrier 10 collisions 0

vti02: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 8980
     inet6 fe80::5efe:a00:2 prefixlen 64 scopeid 0x20<link>
     tunnel txqueuelen 1000 (IPIP Tunnel)
     RX packets 0 bytes 0 (0.0 B)
     RX errors 0 dropped 0 overruns 0 frame 0
     TX packets 0 bytes 0 (0.0 B)
     TX errors 40 dropped 0 overruns 0 carrier 40 collisions 0

Here's an example of the ip link show output:

ip link show
<output trimmed>

9: vti01@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8980 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
   link/ipip 10.0.0.2 peer 129.213.240.52

10: vti02@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8980 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
   link/ipip 10.0.0.2 peer 129.213.240.51

Configuring IP Routing

Use the following ip command to create static routes that send traffic to your VCN through the IPSec tunnels. If you're logged in with an unprivileged user account, you might need to use sudo before the command.

ip route add ${VcnCidrBlock} nexthop dev ${vti1} nexthop dev ${vti2}
ip route show