Oracle Cloud Infrastructure Documentation

IPSec VPN Overview

One way to connect your on-premises network and your virtual cloud network (VCN) is to use an IPSec VPN. IPSec stands for Internet Protocol Security or IP Security. IPSec is a protocol suite that encrypts the entire IP traffic before the packets are transferred from the source to the destination.

This topic gives an overview of an IPSec VPN for your VCN. For scenarios that include an IPSec VPN, see Scenario B: Private Subnet with a VPN and Scenario C: Public and Private Subnets with a VPN.

Required Personnel and Knowledge

Typically the following types of personnel are involved in setting up an IPSec VPN with Oracle Cloud Infrastructure:

  • Dev Ops team member (or similar function) who uses the Oracle Cloud InfrastructureConsole to set up the cloud components required for the virtual network and IPSec VPN.
  • Network engineer (or similar function) who configures the on-premises router with information provided by the Dev Ops team member.


The Dev Ops team member must have the required permission to create and manage the cloud components. If the person is the default administrator for your Oracle Cloud Infrastructure tenancy or a member of the Administrators group, then they have the required permission. For information about restricting access to your networking components, see Access Control.

The personnel should be familiar with the following concepts and definitions:

cloud resources
Anything you provision on a cloud platform. For example, with Oracle Cloud Infrastructure, a cloud resource can refer to a VCN, compute instance, user, compartment, load balancer, or any other service component on the platform.
A widely used term in cloud technologies that refers to your traditional data center environments. On-premises can refer to a colocation scenario, a dedicated floor space, a dedicated data center building, or a desktop running under your desk.
oracle cloud identifier (ocid)
A unique identifier assigned to each resource that you provision on Oracle Cloud Infrastructure. The OCID is a long string that Oracle automatically generates. You can't choose the value for an OCID or change a resource's OCID. For more information, see Resource Identifiers.

About the Oracle IPSec VPN

In general, IPSec can be configured in the following modes:

  • Transport mode: IPSec encrypts and authenticates only the actual payload of the packet, and the header information stays intact.
  • Tunnel mode (supported by Oracle): IPSec encrypts and authenticates the entire packet. After encryption, the packet is then encapsulated to form a new IP packet that has different header information.

Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs.

Each Oracle IPSec VPN consists of multiple redundant IPSec tunnels that use static routes to route traffic. Border Gateway Protocol (BGP) is not supported for the Oracle IPSec VPN.


Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

IPSec VPN site-to-site tunnels offer the following advantages:

  • Public telecommunication lines are used to transmit data, so dedicated, expensive lease lines from one site to another aren't necessary.
  • The internal IP addresses of the participating networks and nodes are hidden from external users.
  • The entire communication between the source and destination sites is encrypted, significantly lowering the chances of information theft.

Overview of the IPSec VPN Components

If you're not already familiar with the basic Networking service components, see Overview of Networking before proceeding.

When you set up an IPSec VPN for your VCN, you must create several Networking components. You can create the components with either the Console or the API. See the following diagram and description of the components.

This image shows the components of an IPSec VPN

cpe object
At your end of the IPSec VPN is the actual router in your on-premises network (whether hardware or software). The term customer-premises equipment (CPE) is commonly used in some industries to refer to this type of on-premises equipment. When setting up the VPN, you must create a virtual representation of the router. Oracle calls the virtual representation a CPE, but this documentation typically uses the term CPE object to help distinguish the virtual representation from the actual on-premises router. The CPE object contains basic information about your router that Oracle needs.
dynamic routing gateway (drg)
At Oracle's end of the IPSec VPN is a virtual router called a dynamic routing gateway, which is the gateway into your VCN from your on-premises network. Whether you're using an IPSec VPN or Oracle Cloud Infrastructure FastConnect private virtual circuits to connect your on-premises network and VCN, the traffic goes through the DRG. For more information, see Dynamic Routing Gateways (DRGs).
A network engineer might think of the DRG as the VPN headend. After creating a DRG, you must attach it to your VCN, using either the Console or API. You must also add one or more route rules that route traffic from the VCN to the DRG. Without that DRG attachment and the route rules, traffic will not flow between your VCN and on-premises network. At any time, you can detach the DRG from your VCN but maintain all the remaining VPN components. You can then reattach the DRG, or attach it to another VCN.
ipsec connection
After creating the CPE object and DRG, you connect them by creating an IPSec connection, which results in multiple redundant IPSec tunnels. Oracle recommends that you configure your on-premises router to support all the tunnels in case one fails or Oracle takes one offline for maintenance. Each tunnel has configuration information that your network engineer needs when configuring your on-premises router (an IP address and secret key).

Access Control for the Components

For the purposes of access control, when you set up the IPSec VPN, you must specify the compartment where you want each of the components to reside. If you're not sure which compartment to use, put all the components in the same compartment as the VCN. For information about compartments and restricting access to your networking components, see Access Control.

Component Names and Identifiers

You can optionally assign a descriptive name to each of the components when you create them. These names don't have to be unique, although it's a best practice to use unique names across your tenancy. Avoid including confidential information in the names. Oracle automatically assigns each component an OCID. For more information, see Resource Identifiers.

About the Static Routes

When you create the IPSec connection for your VPN, you must specify one or more static routes. For example, you could specify the CIDR for your on-premises network, or the specific subnets within your network that need to communicate with your VCN. This section has suggestions for how to specify your static routes.


After you set up the IPSec VPN, you can't edit or expand the list of static routes associated with the tunnels.

To change the static routes would require you to delete the IPSec connection, re-create it, and then reconfigure your router.

  • For a proof of concept (POC): If you're just doing a simple POC with a single on-premises router, then having only a single static route of either or the CIDR of your on-premises network is sufficient. See Example: Setting Up a Proof of Concept IPSec VPN.
  • For a production network: Because you can't edit or expand the list of static routes associated with the tunnels, Oracle recommends including a static route in the list when you create your IPSec connection. That way you can later change or expand your on-premises network without touching your existing IPSec VPN, because you only need to update the VCN's route rules, which you can do at any time. The static route can be in lieu of or in addition to a static route for your overall on-premises network's CIDR (or a static route for each subnet that needs to communicate with your VCN). See Example Layout with Multiple Geographic Areas.
  • For port address translation (PAT): If you're doing PAT between your on-premises router and VCN, the static route for the IPSec connection is the PAT IP address. See Example Layout with PAT.

If You Use Both an IPSec VPN and FastConnect

If you set up both an IPSec VPN and a FastConnect private virtual circuit to the same DRG, consider that the IPSec VPN uses static routes but FastConnect uses BGP. Also consider the following points:

  • Oracle advertises a route for each of your VCN’s subnets over the FastConnect virtual circuit BGP session.
  • Oracle overrides the default route selection behavior to prefer BGP routes over static routes if a static route overlaps with a route advertised by your on-premises network.

What's Next?

See these related topics: