Oracle Cloud Infrastructure Documentation

Palo Alto

This configuration was validated using a PA-500 running PanOS version 6.0.6.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Parameters from API or Console

Get the following parameters from the Oracle Cloud Infrastructure Console or API.

${ipAddress#}

  • Oracle VPN headend IPSec tunnel endpoints. There is one value for each tunnel.
  • Example value: 129.146.12.52

${sharedSecret#}

  • The IPSec IKE pre-shared-key. There is one value for each tunnel.
  • Example value: EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE

${cpeInterfaceName}

  • The name of the CPE interface where the CPE IP address is configured.
  • Example Value: ethernet1/1

${VcnCidrBlock}

  • When creating the VCN, your company selected this CIDR to represent the IP aggregate network for all VCN hosts.
  • Example Value: 10.0.0.0/20

Parameters Discovered from CPE Configuration

The following parameters are based on your current CPE configuration.

${tunnelUnit#}

  • Each tunnel needs a unit number that identifies that tunnel.
  • Example: 10, where 10 is the tunnelUnit for interface tunnel.10

${oracleSecurityZoneName}

  • The tunnels need to be placed inside a security zone that defines their access profile.
  • Example: "Oracle Cloud Infrastructure"
  • Note: The value must be enclosed in quotation marks.

${CpeVirtualRouterName}

  • The tunnels terminate into a virtual router on the Palo Alto device. You can either terminate them into an existing virtual router or configure a new virtual router.
  • Example Value: Oracle-virtual-router

ISAKMP Policy Options

IPSec Policy Options

Security Parameter Index

The values for the Security Parameter Index (SPI) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct SPI values to use, see Route-Based Versus Policy-Based IPSec.

Common ISAKMP and IPSec Profile Configuration

set network ike crypto-profiles ike-crypto-profiles oracle-bare-metal-cloud-ike encryption aes256
set network ike crypto-profiles ike-crypto-profiles oracle-bare-metal-cloud-ike hash sha384
set network ike crypto-profiles ike-crypto-profiles oracle-bare-metal-cloud-ike dh-group group5
set network ike crypto-profiles ike-crypto-profiles oracle-bare-metal-cloud-ike lifetime hours 8
set network ike crypto-profiles ipsec-crypto-profiles oracle-bare-metal-cloud-ipsec esp encryption aes256
set network ike crypto-profiles ipsec-crypto-profiles oracle-bare-metal-cloud-ipsec esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles oracle-bare-metal-cloud-ipsec dh-group group5
set network ike crypto-profiles ipsec-crypto-profiles oracle-bare-metal-cloud-ipsec lifetime hours 1

ISAKMP Gateway Configuration

set network ike gateway oracle-gateway-${ipAddress1} authentication pre-shared-key key ${sharedSecret1}
set network ike gateway oracle-gateway-${ipAddress1} protocol-common nat-traversal enable no
set network ike gateway oracle-gateway-${ipAddress1} local-address interface ${cpeInterfaceName}
set network ike gateway oracle-gateway-${ipAddress1} peer-address ip ${ipAddress1}
set network ike gateway oracle-gateway-${ipAddress1} protocol ikev1 ike-crypto-profile oracle-bare-metal-cloud-ike

set network ike gateway oracle-gateway-${ipAddress2} authentication pre-shared-key key ${sharedSecret2}
set network ike gateway oracle-gateway-${ipAddress2} protocol-common nat-traversal enable no
set network ike gateway oracle-gateway-${ipAddress2} local-address interface ${cpeInterfaceName}
set network ike gateway oracle-gateway-${ipAddress2} peer-address ip ${ipAddress2}
set network ike gateway oracle-gateway-${ipAddress2} protocol ikev1 ike-crypto-profile oracle-bare-metal-cloud-ike

IPSec Configuration

set network tunnel ipsec oracle-ipsec-vpn-${ipAddress1} auto-key ike-gateway oracle-gateway-${ipAddress1}
set network tunnel ipsec oracle-ipsec-vpn-${ipAddress1} auto-key ipsec-crypto-profile oracle-bare-metal-cloud-ipsec
set network tunnel ipsec oracle-ipsec-vpn-${ipAddress1} tunnel-monitor enable no
set network tunnel ipsec oracle-ipsec-vpn-${ipAddress1} tunnel-interface tunnel.${tunnelUnit1}

set network tunnel ipsec oracle-ipsec-vpn-${ipAddress2} auto-key ike-gateway oracle-gateway-${ipAddress2}
set network tunnel ipsec oracle-ipsec-vpn-${ipAddress2} auto-key ipsec-crypto-profile oracle-bare-metal-cloud-ipsec
set network tunnel ipsec oracle-ipsec-vpn-${ipAddress2} tunnel-monitor enable no
set network tunnel ipsec oracle-ipsec-vpn-${ipAddress2} tunnel-interface tunnel.${tunnelUnit2}

Virtual Router Configuration

Newer versions of PanOS support equal-cost multipath (ECMP) routing. The static routes below use different metrics (10 and 11), so the first tunnel is preferred for traffic leaving the CPE; because Oracle routes asymmetrically (see the note above), return traffic can still arrive on either tunnel.

set network virtual-router ${CpeVirtualRouterName} interface [ tunnel.${tunnelUnit1} tunnel.${tunnelUnit2} ]
set network virtual-router ${CpeVirtualRouterName} routing-table ip static-route oracle-vpn-${ipAddress1} destination ${VcnCidrBlock}
set network virtual-router ${CpeVirtualRouterName} routing-table ip static-route oracle-vpn-${ipAddress1} interface tunnel.${tunnelUnit1}
set network virtual-router ${CpeVirtualRouterName} routing-table ip static-route oracle-vpn-${ipAddress1} metric 10
set network virtual-router ${CpeVirtualRouterName} routing-table ip static-route oracle-vpn-${ipAddress2} destination ${VcnCidrBlock}
set network virtual-router ${CpeVirtualRouterName} routing-table ip static-route oracle-vpn-${ipAddress2} interface tunnel.${tunnelUnit2}
set network virtual-router ${CpeVirtualRouterName} routing-table ip static-route oracle-vpn-${ipAddress2} metric 11

Security Zone Configuration

set zone ${oracleSecurityZoneName} network layer3 [ tunnel.${tunnelUnit1} tunnel.${tunnelUnit2} ]
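The following script is an added example and is not part of Oracle's documentation or a Palo Alto tool. It renders the set-command template above from a parameter dictionary, validates the parameters the way the parameter descriptions require (valid endpoints and CIDR, distinct tunnel units, a quoted zone name), and then checks the rendered commands for the property the "Important" note depends on: every tunnel interface bound to an IPSec tunnel must be in the virtual router, have a static route to the VCN, and sit in the security zone, because Oracle may return traffic on either tunnel. The sample values in PARAMS are constructed (they are not real endpoints or secrets).

```python
import ipaddress
import re

# Constructed sample parameters (not real Oracle endpoints or secrets).
PARAMS = {
    "ipAddress1": "129.146.12.52",
    "ipAddress2": "129.146.12.53",
    "sharedSecret1": "EXAMPLEDPfAMkD7nTH3SWr6OFabdT6exXn6enSlsKbE",
    "sharedSecret2": "EXAMPLEsecondTunnelSecret00000000000000000",
    "cpeInterfaceName": "ethernet1/1",
    "VcnCidrBlock": "10.0.0.0/20",
    "tunnelUnit1": 101,
    "tunnelUnit2": 102,
    "oracleSecurityZoneName": '"Oracle Cloud Infrastructure"',  # must stay quoted
    "CpeVirtualRouterName": "Oracle-virtual-router",
}

IKE_PROFILE = "oracle-bare-metal-cloud-ike"
IPSEC_PROFILE = "oracle-bare-metal-cloud-ipsec"


def validate(p):
    """Return a list of problems with the parameter set (empty list means OK)."""
    problems = []
    for k in ("ipAddress1", "ipAddress2"):
        try:
            ipaddress.ip_address(p[k])
        except ValueError:
            problems.append(f"{k}: not an IP address")
    if p["ipAddress1"] == p["ipAddress2"]:
        problems.append("tunnel endpoints must differ")
    try:
        ipaddress.ip_network(p["VcnCidrBlock"], strict=True)  # host bits must be clear
    except ValueError:
        problems.append("VcnCidrBlock: not a valid CIDR block")
    if p["tunnelUnit1"] == p["tunnelUnit2"]:
        problems.append("tunnel units must differ")
    zone = p["oracleSecurityZoneName"]
    if not (zone.startswith('"') and zone.endswith('"') and len(zone) > 2):
        problems.append("oracleSecurityZoneName must be enclosed in quotation marks")
    for k in ("sharedSecret1", "sharedSecret2"):
        if not p[k]:
            problems.append(f"{k}: empty pre-shared key")
    return problems


def render(p):
    """Render the page's template for both tunnels as a list of set commands."""
    t1, t2 = f"tunnel.{p['tunnelUnit1']}", f"tunnel.{p['tunnelUnit2']}"
    vr = p["CpeVirtualRouterName"]
    lines = [
        f"set network ike crypto-profiles ike-crypto-profiles {IKE_PROFILE} encryption aes256",
        f"set network ike crypto-profiles ike-crypto-profiles {IKE_PROFILE} hash sha384",
        f"set network ike crypto-profiles ike-crypto-profiles {IKE_PROFILE} dh-group group5",
        f"set network ike crypto-profiles ike-crypto-profiles {IKE_PROFILE} lifetime hours 8",
        f"set network ike crypto-profiles ipsec-crypto-profiles {IPSEC_PROFILE} esp encryption aes256",
        f"set network ike crypto-profiles ipsec-crypto-profiles {IPSEC_PROFILE} esp authentication sha1",
        f"set network ike crypto-profiles ipsec-crypto-profiles {IPSEC_PROFILE} dh-group group5",
        f"set network ike crypto-profiles ipsec-crypto-profiles {IPSEC_PROFILE} lifetime hours 1",
    ]
    # Tunnel 1 gets metric 10 (preferred), tunnel 2 metric 11 (backup), as on the page.
    for ip, secret, tun, metric in ((p["ipAddress1"], p["sharedSecret1"], t1, 10),
                                    (p["ipAddress2"], p["sharedSecret2"], t2, 11)):
        gw, vpn, rt = f"oracle-gateway-{ip}", f"oracle-ipsec-vpn-{ip}", f"oracle-vpn-{ip}"
        lines += [
            f"set network ike gateway {gw} authentication pre-shared-key key {secret}",
            f"set network ike gateway {gw} protocol-common nat-traversal enable no",
            f"set network ike gateway {gw} local-address interface {p['cpeInterfaceName']}",
            f"set network ike gateway {gw} peer-address ip {ip}",
            f"set network ike gateway {gw} protocol ikev1 ike-crypto-profile {IKE_PROFILE}",
            f"set network tunnel ipsec {vpn} auto-key ike-gateway {gw}",
            f"set network tunnel ipsec {vpn} auto-key ipsec-crypto-profile {IPSEC_PROFILE}",
            f"set network tunnel ipsec {vpn} tunnel-monitor enable no",
            f"set network tunnel ipsec {vpn} tunnel-interface {tun}",
            f"set network virtual-router {vr} routing-table ip static-route {rt} destination {p['VcnCidrBlock']}",
            f"set network virtual-router {vr} routing-table ip static-route {rt} interface {tun}",
            f"set network virtual-router {vr} routing-table ip static-route {rt} metric {metric}",
        ]
    lines.append(f"set network virtual-router {vr} interface [ {t1} {t2} ]")
    lines.append(f"set zone {p['oracleSecurityZoneName']} network layer3 [ {t1} {t2} ]")
    return lines


def check_tunnel_consistency(lines):
    """Every bound tunnel interface must be in the VR, routed to the VCN, and in the zone.

    Because Oracle routes asymmetrically, a tunnel missing from any of these sets
    would silently drop return traffic that happens to arrive on it.
    """
    text = "\n".join(lines)
    bound = set(re.findall(r"tunnel-interface (tunnel\.\d+)", text))
    vr_ifaces, zone_ifaces, routed = set(), set(), set()
    for ln in lines:
        m = re.search(r"virtual-router \S+ interface \[ (.*) \]", ln)
        if m:
            vr_ifaces |= set(m.group(1).split())
        m = re.search(r"^set zone .* layer3 \[ (.*) \]", ln)
        if m:
            zone_ifaces |= set(m.group(1).split())
        m = re.search(r"static-route \S+ interface (tunnel\.\d+)", ln)
        if m:
            routed.add(m.group(1))
    return {"missing_from_vr": bound - vr_ifaces,
            "missing_from_zone": bound - zone_ifaces,
            "unrouted": bound - routed}


if __name__ == "__main__":
    for problem in validate(PARAMS):
        print("parameter problem:", problem)
    config = render(PARAMS)
    print("\n".join(config))
    print(check_tunnel_consistency(config))
```

Run it to print the full command set for your parameters; a non-empty set in the consistency result names a tunnel interface that would be configured for IPSec but not for routing or policy. The same check can be run on a config exported from an existing device, since it only parses the set-command syntax shown on the page.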