Oracle Cloud Infrastructure Documentation

NEC IX Series

This configuration was validated using an IX3315 running Firmware Ver.10.1.16 and IX2106 running Firmware Ver.10.1.16.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Before Starting

Before configuring your CPE, make sure to:

  • Configure your internet provider settings.
  • Configure firewall rules to open UDP port 500, UDP port 4500, and ESP.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also known as a proxy ID, security parameter index (SPI), or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#} - one per tunnel

  • Oracle VPN headend IPSec tunnel endpoints.
  • Example values: 129.146.12.52, 129.146.13.52

${sharedSecret#} - one per tunnel

  • The IPSec IKE pre-shared-key.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpePublicIpAddress}

  • The public IP address for the CPE (previously made available to Oracle via the Console).

${vcnCidrBlock}

  • The CIDR block your company selected when creating the VCN; it is the aggregate network that contains all VCN hosts.
  • Example Value: 10.0.0.0/20

Parameters Based on Current CPE Configuration and State

The following parameters are based on your current CPE configuration.

${tunnelNumber#} - one per tunnel

  • You will need one unused unit number per tunnel.
  • Example values: 1, 2

${ikePolicy#} - one per tunnel

  • You will need one unused IKE policy name per tunnel.
  • Example values: ike-policy1, ike-policy2

${ipsecPolicy#} - one per tunnel

  • You will need one unused autokey policy map name per tunnel.
  • Example values: ipsec-policy1, ipsec-policy2

${lanIpAddress}

  • The local IP address of your CPE.
  • Example value: 192.168.100.254

${lanInterfaceNumber}

  • The LAN interface of your CPE.
  • Example value: 1.0

Config Template Parameter Summary

Each region has multiple Oracle IPSec headends. The template below allows you to set up multiple tunnels on your CPE, each to a corresponding headend. In the table below, "User" is you/your company.

Parameter              Source       Example Value
${ipAddress1}          Console/API  129.146.12.52
${ipAddress2}          Console/API  129.146.13.52
${sharedSecret1}       Console/API  (long string)
${sharedSecret2}       Console/API  (long string)
${cpePublicIpAddress}  User         203.0.113.1
${vcnCidrBlock}        User         10.0.0.0/20
${tunnelNumber1}       User         1
${tunnelNumber2}       User         2
${ikePolicy1}          User         ike-policy1
${ikePolicy2}          User         ike-policy2
${ipsecPolicy1}        User         ipsec-policy1
${ipsecPolicy2}        User         ipsec-policy2
${lanInterfaceNumber}  User         1.0
${lanIpAddress}        User         192.168.100.254

Important

The following ISAKMP and IPSec policy parameter values are applicable to VPN Connect in the commercial cloud. For the Government Cloud, you must use the values listed in Required VPN Connect Parameters for Government Cloud.

Commercial Cloud: ISAKMP Policy Options

Commercial Cloud: IPSec Policy Options

CPE Configuration

Configure ISAKMP and IPSec Policies

ip access-list sec-list permit ip src any dest any
ike nat-traversal
!
ike proposal ike-prop encryption aes-256 hash sha2-256 group 1536-bit
ike policy ${ikePolicy1} peer ${ipAddress1} key ${sharedSecret1} ike-prop
ike policy ${ikePolicy2} peer ${ipAddress2} key ${sharedSecret2} ike-prop
!
ipsec autokey-proposal ipsec-prop esp-aes-256 esp-sha lifetime time 3600
ipsec autokey-map ${ipsecPolicy1} sec-list peer ${ipAddress1} ipsec-prop pfs 1536-bit
ipsec autokey-map ${ipsecPolicy2} sec-list peer ${ipAddress2} ipsec-prop pfs 1536-bit

Configure Keepalive Setting of ICMP

watch-group watch_tunnel1 10
  event 20 ip unreach-host ${lanIpAddress} Tunnel${tunnelNumber1} source GigaEthernet${lanInterfaceNumber}
  action 10 ip shutdown-route ${vcnCidrBlock} Tunnel${tunnelNumber1}
  action 20 ipsec clear-sa Tunnel${tunnelNumber1}
!
network-monitor watch_tunnel1 enable
!
watch-group watch_tunnel2 10
  event 20 ip unreach-host ${lanIpAddress} Tunnel${tunnelNumber2} source GigaEthernet${lanInterfaceNumber}
  action 10 ip shutdown-route ${vcnCidrBlock} Tunnel${tunnelNumber2}
  action 20 ipsec clear-sa Tunnel${tunnelNumber2}
!
network-monitor watch_tunnel2 enable

Configure Virtual Tunnel Interfaces

interface Tunnel${tunnelNumber1}
  tunnel mode ipsec
  ip unnumbered GigaEthernet${lanInterfaceNumber}
  ip tcp adjust-mss auto
  ipsec policy tunnel ${ipsecPolicy1} out
  no shutdown
!
interface Tunnel${tunnelNumber2}
  tunnel mode ipsec
  ip unnumbered GigaEthernet${lanInterfaceNumber}
  ip tcp adjust-mss auto
  ipsec policy tunnel ${ipsecPolicy2} out
  no shutdown

Configure Static Routes

ip ufs-cache enable
ip multipath per-flow
ip route ${vcnCidrBlock} Tunnel${tunnelNumber1}
ip route ${vcnCidrBlock} Tunnel${tunnelNumber2}
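An added helper, not part of the Oracle page or NEC's own tooling, that fills in the template's ${...} parameters and checks them before anything is pasted onto the CPE: it uses the page's example values, a constructed excerpt of the two-tunnel template, and rejects a bad CIDR, a non-IP headend address, a reused unit number or policy name, and any placeholder left unfilled.

```python
import ipaddress
from string import Template
# Constructed excerpt of the page's two-tunnel NEC IX template (the full one is longer).
TEMPLATE = Template("""\
ike policy ${ikePolicy1} peer ${ipAddress1} key ${sharedSecret1} ike-prop
ike policy ${ikePolicy2} peer ${ipAddress2} key ${sharedSecret2} ike-prop
ipsec autokey-map ${ipsecPolicy1} sec-list peer ${ipAddress1} ipsec-prop pfs 1536-bit
ipsec autokey-map ${ipsecPolicy2} sec-list peer ${ipAddress2} ipsec-prop pfs 1536-bit
ip route ${vcnCidrBlock} Tunnel${tunnelNumber1}
ip route ${vcnCidrBlock} Tunnel${tunnelNumber2}
""")

# The page's example values; the pre-shared keys are placeholders, not real keys.
EXAMPLE_PARAMS = {
    "ipAddress1": "129.146.12.52", "ipAddress2": "129.146.13.52",
    "sharedSecret1": "EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE",
    "sharedSecret2": "EXAMPLE-key-for-tunnel-2", "vcnCidrBlock": "10.0.0.0/20",
    "tunnelNumber1": "1", "tunnelNumber2": "2",
    "ikePolicy1": "ike-policy1", "ikePolicy2": "ike-policy2",
    "ipsecPolicy1": "ipsec-policy1", "ipsecPolicy2": "ipsec-policy2",
}

def validate(p):
    """Return the problems found in a parameter dict; an empty list means usable."""
    problems = []
    for key in ("ipAddress1", "ipAddress2"):
        try:
            ipaddress.IPv4Address(p.get(key, ""))
        except ValueError:
            problems.append(f"{key}: not an IPv4 address")
    try:  # strict=True rejects a CIDR with host bits set, e.g. 10.0.0.1/20
        ipaddress.IPv4Network(p.get("vcnCidrBlock", ""), strict=True)
    except ValueError:
        problems.append("vcnCidrBlock: not a valid CIDR block")
    # Each tunnel needs its own unused unit number and its own policy names.
    for a, b in (("tunnelNumber1", "tunnelNumber2"), ("ikePolicy1", "ikePolicy2"),
                 ("ipsecPolicy1", "ipsecPolicy2")):
        if p.get(a) == p.get(b):
            problems.append(f"{a} and {b} must differ")
    problems += [f"{k}: missing" for k in ("sharedSecret1", "sharedSecret2") if not p.get(k)]
    return problems

def render(p):
    """Validate, then substitute; an unfilled ${...} placeholder is an error, not output."""
    if problems := validate(p):
        raise ValueError("; ".join(problems))
    try:
        return TEMPLATE.substitute(p)
    except KeyError as e:
        raise ValueError(f"no value for placeholder {e}") from e
```

Run `render(EXAMPLE_PARAMS)` to get the filled-in excerpt; the same checks extend to the watch-group and interface sections of the full template by adding those lines to TEMPLATE.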