Oracle Cloud Infrastructure Documentation

Supported IPSec Parameters

This topic lists the supported ISAKMP and IPSec configuration parameters for an IPSec VPN. Oracle chose these values to maximize security and to cover a wide range of CPE devices. For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics. If your CPE device is not on the list of verified devices, use the information here to configure your device.


Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

ISAKMP Policy Options

  • ISAKMP Protocol version 1
  • Exchange type: Main mode
  • Authentication method: pre-shared-keys
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: SHA-384, SHA-256, SHA1 (also called SHA or SHA1-96)
  • Diffie-Hellman group: group 5, group 2, group 1
  • IKE session key lifetime: 28800 seconds (8 hours)

IPSec Policy Options

  • IPSec protocol: ESP, tunnel-mode
  • Encryption: AES-256-cbc, AES-192-cbc, AES-128-cbc
  • Authentication algorithm: HMAC-SHA1-96
  • IPSec session key lifetime: 3600 seconds (1 hour)
  • Perfect Forward Secrecy (PFS): enabled, group 5

Security Parameter Index

The values for the Security Parameter Index (SPI) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct SPI values to use, see Route-Based Versus Policy-Based IPSec.