Oracle Cloud Infrastructure Documentation

Supported IPSec Parameters

This topic lists the supported phase 1 (ISAKMP) and phase 2 (IPSec) configuration parameters for VPN Connect. Oracle chose these values to maximize security and to cover a wide range of CPE devices. If your CPE device is not on the list of verified devices, use the information here to configure your device.

Important

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

Supported Encryption Domain or Proxy ID

The values for the encryption domain (also known as a proxy ID, security parameter index (SPI), or traffic selector) depend on whether your CPE supports route-based tunnels or policy-based tunnels. For more information about the correct encryption domain values to use, see Supported Encryption Domain or Proxy ID.

Supported Parameters for the Commercial Cloud

This section lists the supported parameters if your VPN Connect is for the commercial cloud. For a list of the commercial cloud regions, see Regions and Availability Domains.

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

Oracle supports the following parameters for IKEv1 or IKEv2. Check the documentation for your particular CPE to confirm which parameters the CPE supports for IKEv1 or IKEv2.

Phase 1 (ISAKMP)

Parameter                    Options
ISAKMP protocol              Version 1
Exchange type                Main mode
Authentication method        Pre-shared keys
Encryption algorithm         AES-256-cbc
                             AES-192-cbc
                             AES-128-cbc
Authentication algorithm     SHA-2 384
                             SHA-2 256
                             SHA-1 (also called SHA or SHA1-96)
Diffie-Hellman group         group 1 (MODP 768)
                             group 2 (MODP 1024)
                             group 5 (MODP 1536)
                             group 14 (MODP 2048)
                             group 19 (ECP 256)
                             group 20 (ECP 384) *
IKE session key lifetime     28800 seconds (8 hours)

* Group 20 will be supported in all Oracle Cloud Infrastructure regions very soon.

Phase 2 (IPSec)

Parameter                    Options
IPSec protocol               ESP, tunnel mode
Encryption algorithm         AES-256-gcm
                             AES-192-gcm
                             AES-128-gcm
                             AES-256-cbc
                             AES-192-cbc
                             AES-128-cbc
Authentication algorithm     If using GCM (Galois/Counter Mode), no authentication
                             algorithm is required because authentication is
                             included with GCM encryption.
                             If not using GCM, these are supported:
                             HMAC-SHA-256-128
                             HMAC-SHA1-96
IPSec session key lifetime   3600 seconds (1 hour)
Perfect Forward Secrecy (PFS)  enabled, group 5

Supported Parameters for the Government Cloud

This section lists the supported parameters if your VPN Connect is for the Government Cloud. For more information, see Information for Oracle Cloud Infrastructure Government Cloud Customers.

For some parameters, Oracle supports multiple values, and the recommended one is highlighted in red italics.

Oracle supports the following parameters for IKEv1 or IKEv2. Check the documentation for your particular CPE to confirm which parameters the CPE supports for IKEv1 or IKEv2.

Phase 1 (ISAKMP)

Parameter                    Options
ISAKMP protocol              Version 1
Exchange type                Main mode
Authentication method        Pre-shared keys
Encryption algorithm         AES-256-cbc
                             AES-192-cbc
                             AES-128-cbc
Authentication algorithm     SHA-2 384
                             SHA-2 256
                             SHA-1 (also called SHA or SHA1-96)
Diffie-Hellman group         group 14 (MODP 2048)
                             group 19 (ECP 256)
                             group 20 (ECP 384) *
IKE session key lifetime     28800 seconds (8 hours)

* Group 20 will be supported in all Oracle Cloud Infrastructure regions very soon.

Phase 2 (IPSec)

Parameter                    Options
IPSec protocol               ESP, tunnel mode
Encryption algorithm         AES-256-gcm
                             AES-192-gcm
                             AES-128-gcm
                             AES-256-cbc
                             AES-192-cbc
                             AES-128-cbc
Authentication algorithm     If using GCM (Galois/Counter Mode), no authentication
                             algorithm is required because authentication is
                             included with GCM encryption.
                             If not using GCM, use HMAC-SHA-256-128.
IPSec session key lifetime   3600 seconds (1 hour)
Perfect Forward Secrecy (PFS)  enabled, group 14