Oracle Cloud Infrastructure Documentation

Working with VPN Connect

This topic contains some details about working with VPN Connect and the related components. Also see these topics:

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Viewing Tunnel Status and Configuration

When you successfully create the IPSec connection, Oracle produces important configuration information for each of the resulting IPSec tunnels. For example, see task 2h in the overall setup process. You can view that information and the status of the tunnels at any time. This includes the BGP status if the tunnel is configured to use BGP dynamic routing.

To view the status and configuration information for the IPSec tunnels

Changing the Static Routes

You can change the static routes for an existing IPSec connection. You can provide up to 10 static routes.

Remember that an IPSec connection can use either static routing or BGP dynamic routing. You associate the static routes with the overall IPSec connection and not the individual tunnels. If an IPSec connection has static routes associated with it, Oracle uses them for routing a tunnel's traffic only if the tunnel itself is configured to use static routing. If it's configured to use BGP dynamic routing, the IPSec connection's static routes are ignored.

Important

The IPSec connection goes down while it is reprovisioned with your static route changes.

To edit the static routes

Changing the CPE IKE Identifier That Oracle Uses

If your CPE is behind a NAT device, you might need to give Oracle your CPE IKE identifier. You can either specify it when you create the IPSec connection, or later edit the IPSec connection and change the value. Oracle expects the value to be an IP address or fully qualified domain name (FQDN). When you specify the value, you also specify which type it is.

Important

The IPSec connection goes down while it is reprovisioned to use your CPE IKE identifier.

To change the CPE IKE identifier that Oracle uses

Changing the Shared Secret That an IPSec Tunnel Uses

When you set up an IPSec VPN, by default Oracle provides each tunnel's shared secret (also called the pre-shared key). You might have a particular shared secret that you want to use instead. You can specify each tunnel's shared secret when you create the IPSec connection, or you can edit the tunnels and provide each new shared secret then. For the shared secret, only numbers, letters, and spaces are allowed. Oracle recommends using a different shared secret for each tunnel.

Important

When you change a tunnel's shared secret, both the overall IPSec connection and the tunnel go into the Provisioning state while the tunnel is reprovisioned with the new shared secret. The other tunnel in the IPSec connection remains in the Available state. However, while the first tunnel is being reprovisioned, you cannot change the second tunnel's configuration.

To change the shared secret that an IPSec tunnel uses

Changing from Static Routing to BGP Dynamic Routing

If you want to change an existing IPSec VPN from using static routing to using BGP dynamic routing, follow the process in this section.

Warning

When you change a tunnel's routing type, the tunnel's IPSec status does not change during reprovisioning. However, routing through the tunnel is affected. Traffic is temporarily disrupted until your network engineer configures your CPE device in accordance with the routing type change. If your existing IPSec VPN is currently configured to use only a single tunnel, this process will disrupt your connection to Oracle. If your IPSec VPN instead uses multiple tunnels, Oracle recommends reconfiguring one tunnel at a time to avoid disrupting your connection to Oracle.

To change from static routing to BGP dynamic routing

Monitoring Your IPSec VPN

You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring Overview and Notifications Overview.

For information about monitoring your connection, see VPN Connect Metrics.

Disabling or Terminating the IPSec VPN

If you want to disable the IPSec VPN between your on-premises network and VCN, you can simply detach the DRG from the VCN instead of deleting the IPSec connection. If you're also using the DRG with FastConnect, detaching the DRG would also interrupt the flow of traffic over FastConnect.

You can delete the IPSec connection. However, if you later want to re-establish it, your network engineer would have to configure your CPE device again with a new set of tunnel configuration information from Oracle.

If you want to permanently delete the entire IPSec VPN, you must first terminate the IPSec connection. Then you can delete the CPE object. If you're not using the DRG for another connection to your on-premises network, you can detach it from the VCN and then delete it.

To delete an IPSec connection
To delete a CPE object

Managing Tags for an IPSec Connection or CPE Object

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.

To manage tags for an IPSec connection
To manage tags for a CPE object

Managing Your DRG

For tasks related to DRGs, see Dynamic Routing Gateways (DRGs).