Using the VPN Connect workflow is the quickest way to set up an IPSec VPN between your on-premises network and your VCN (a virtual version of a traditional network, including CIDRs, subnets, route tables, and gateways, on which your instances run). The workflow is a guided, step-by-step process in the Console that sets up the IPSec VPN plus the related Networking service components.
Purpose of the Workflow
VPN Connect involves setting up and configuring several Networking service components. The purpose of the workflow is to set up those components for you. In general, the workflow does the following:
- Uses a template with assumptions that will help you get started.
- Asks you for some basic network information.
- Sets up the Networking service components for you.
The workflow is a task within the overall process of setting up VPN Connect, which is illustrated in the following diagram. The workflow is the shaded box.
Notice that the overall process includes work by a network engineer in your organization. That engineer provides information that you, in turn, must supply during the workflow. The workflow returns information that the network engineer needs when configuring your CPE device.
The following short sections summarize each task.
To make it easier to gather the following information, here is a PDF version of the list, which you can print.
- CPE device's public IP address.
- If the CPE is behind a NAT device, get the CPE IKE identifier. For more information, see If Your CPE Is Behind a NAT Device.
- On-premises network routes.
- If you use BGP dynamic routing with the VPN:
  - Your network's BGP ASN
  - For each of the two IPSec tunnels that will be created, the pair of BGP IP addresses (with subnet mask) that you want to use for the inside tunnel interfaces at the ends of each tunnel. For example:
    - Tunnel 1: Inside tunnel interface - CPE: 10.0.0.8/31
    - Tunnel 1: Inside tunnel interface - Oracle: 10.0.0.9/31
    - Tunnel 2: Inside tunnel interface - CPE: 10.0.0.16/31
    - Tunnel 2: Inside tunnel interface - Oracle: 10.0.0.17/31
- The CIDR to use for the VCN. For the workflow, the allowed VCN size is /16 to /24. The CIDR must not overlap with your on-premises network.
- For each IPSec tunnel, the Oracle VPN IP address and shared secret.
- The supported IPSec parameter values.
- CPE-specific configuration information.
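Before running the workflow, it is worth checking the gathered values against the constraints stated above (VCN CIDR between /16 and /24, no overlap with on-premises routes, and each tunnel's pair of BGP inside-interface addresses sharing one subnet). The following script is an added example, not Oracle's code; the function names, the sample on-premises route and the sample VCN CIDR are constructed, while the tunnel addresses are the example values from the list above.

```python
# Added example (not Oracle's code): sanity-check the inputs you gather before
# running the VPN Connect workflow. It applies only the constraints stated on this
# page: the VCN CIDR must be /16 to /24 and must not overlap any on-premises route,
# and each tunnel's pair of BGP inside-interface addresses must share one subnet.
import ipaddress

VCN_MIN_PREFIX, VCN_MAX_PREFIX = 16, 24   # allowed VCN size for the workflow


def check_vcn_cidr(vcn_cidr, onprem_routes):
    """Return a list of problems with the VCN CIDR (an empty list means it passes)."""
    problems = []
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)   # rejects e.g. 10.1.2.3/16
    if not VCN_MIN_PREFIX <= vcn.prefixlen <= VCN_MAX_PREFIX:
        problems.append(f"VCN {vcn} is /{vcn.prefixlen}; the workflow allows /16 to /24")
    for route in onprem_routes:
        net = ipaddress.ip_network(route, strict=True)
        if vcn.overlaps(net):
            problems.append(f"VCN {vcn} overlaps on-premises route {net}")
    return problems


def check_bgp_pair(name, cpe_addr, oracle_addr):
    """Check one tunnel's inside-interface pair: same mask, same subnet, distinct hosts."""
    cpe = ipaddress.ip_interface(cpe_addr)
    oracle = ipaddress.ip_interface(oracle_addr)
    if cpe.network.prefixlen != oracle.network.prefixlen:
        return [f"{name}: CPE {cpe} and Oracle {oracle} use different subnet masks"]
    if cpe.network != oracle.network:
        return [f"{name}: CPE {cpe} and Oracle {oracle} are not in the same subnet"]
    if cpe.ip == oracle.ip:
        return [f"{name}: CPE and Oracle inside addresses are both {cpe.ip}"]
    return []


def validate_inputs(vcn_cidr, onprem_routes, tunnels):
    """tunnels: dict of tunnel name -> (CPE address, Oracle address). Returns all problems."""
    problems = check_vcn_cidr(vcn_cidr, onprem_routes)
    for name, (cpe_addr, oracle_addr) in tunnels.items():
        problems.extend(check_bgp_pair(name, cpe_addr, oracle_addr))
    return problems


if __name__ == "__main__":
    # Constructed sample input; the tunnel addresses are the page's own example values.
    sample_tunnels = {"Tunnel 1": ("10.0.0.8/31", "10.0.0.9/31"),
                      "Tunnel 2": ("10.0.0.16/31", "10.0.0.17/31")}
    for problem in validate_inputs("10.10.0.0/16", ["192.168.0.0/16"], sample_tunnels):
        print("PROBLEM:", problem)
```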
Your network engineer takes the information you provide and configures your CPE device.
You and the network engineer test the connection and confirm that traffic is flowing.
- You do not already have a VCN: The workflow automatically creates a VCN for you, along with related resources. If you instead have an existing VCN that you want to set up VPN Connect for, you can follow the step-by-step instructions in Setting Up VPN Connect.
- You want an internet gateway for easy initial access to the VCN: The workflow automatically adds an internet gateway to make it easy for you to quickly create an instance in the VCN and connect to it over the internet. You can delete this internet gateway later if you don't want it.
Alternative to the Workflow
If the workflow does not meet your specific needs (for example, if you already have a VCN), you can manually set up VPN Connect yourself. For step-by-step instructions, see Setting Up VPN Connect.
The workflow assumes that you start with only an on-premises network and a CPE device. The workflow creates the numbered components in the diagram for you. The table describes each component.
|Number|Component|Description|Can you use an existing one or create a new one?|
|---|---|---|---|
|1|CPE|A CPE is a virtual representation of your actual CPE device. This virtual representation contains basic information such as the CPE device's public IP address.|Yes. You can either use an existing CPE or let the workflow create a new one.|
|2|Dynamic routing gateway (DRG)|A DRG is a virtual representation of the actual router at the Oracle end of your VPN Connect.|Yes. If you use an existing one, it must not already be attached to a VCN.|
|3|VCN|A VCN is the extension of your on-premises network into the cloud. You can later add Compute instances and other cloud resources to your VCN.|No. The workflow automatically creates a new VCN.|
|4|Subnet|A subnet is a subdivision within the VCN. The workflow creates a regional public subnet (a subnet in which instances are allowed to have public IP addresses; when you launch an instance in a public subnet, you specify whether the instance should have a public IP address). You can add more subnets later if you like.|No. The workflow automatically creates the subnet in the new VCN.|
|5|Internet gateway|An internet gateway is a virtual representation of the actual router that gives your VCN access to the internet. Although this gateway is not necessary for VPN Connect, the workflow creates it to make it easy for you to quickly access any instances or other cloud resources you later create in the VCN. You can delete the internet gateway later if you like.|No. The workflow automatically creates an internet gateway for the new VCN.|
|6|Default route table with rules|The VCN automatically comes with a default route table. The workflow configures the subnet to use this route table and adds two types of rules. You can edit the rules or add more later if you want.|No. The new VCN automatically comes with this component.|
|7|Default security list with rules|The VCN automatically comes with a default security list. The workflow configures the subnet to use this security list, which comes with default rules to enable basic traffic flow. The workflow also adds one or more rules to allow all types of traffic from your on-premises network: one rule per on-premises network route that you provide in the workflow. Notice that the security list does not include rules to allow ping.|No. The new VCN automatically comes with this component.|
|8|VPN Connect IPSec tunnels|The workflow creates two IPSec tunnels, each with specific configuration information that you must provide to your network engineer. Note: The workflow uses IKEv1 for the tunnels. If you want to use IKEv2 instead, after creating the IPSec connection, edit each tunnel in the Oracle Console to use IKEv2, then configure your CPE to use only IKEv2 and the IKEv2 encryption parameters that your CPE supports. For more information, see Using IKEv2.|No. The workflow automatically creates the tunnels.|
In the Console, click the Oracle Cloud icon at the top of the page to go to the Console home page.
The page has a Quick Actions section to take you directly to common tasks.
Click the quick action for Networking Solutions: Create an IPSec VPN connection.
The workflow starts.