!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! IKEv2 Configuration Template
!
! The configuration consists of two IPSec tunnels. Oracle highly recommends that you configure both tunnels for maximum redundancy.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template involves setting up the following:
!   IKEv2 Policy
!   IPSec Configuration
!   IPSec Tunnel Group Configuration
!   VTI Interface Configuration
!   IP Routing (BGP or Static)
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template has various parameters that you must define before applying the configuration.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! PARAMETERS REFERENCED:
! ${OracleInsideTunnelIpAddress1} = Inside tunnel IP address of the Oracle side for the first tunnel. You provide these values when creating the IPSec connection in the Oracle Console.
! ${OracleInsideTunnelIpAddress2} = Inside tunnel IP address of the Oracle side for the second tunnel. You provide these values when creating the IPSec connection in the Oracle Console.
! ${bgpASN} = Your BGP ASN.
! ${cpePublicIpAddress} = The public IP address of the CPE. This is the IP address of your outside interface.
! ${oracleHeadend1} = Oracle public IP endpoint for the first tunnel, obtained from the Oracle Console.
! ${oracleHeadend2} = Oracle public IP endpoint for the second tunnel, obtained from the Oracle Console.
! ${sharedSecret1} = Pre-shared key for the first tunnel. You provide it when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${sharedSecret2} = Pre-shared key for the second tunnel. You provide it when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${outsideInterface} = The nameif of the public (outside) interface that is configured with the CPE public IP address.
! ${tunnelInterfaceName1} = The name of the first VTI used on your ASA.
! ${tunnelInterfaceName2} = The name of the second VTI used on your ASA.
! ${cpeInsideTunnelIpAddress1} = The CPE's inside tunnel IP for the first tunnel.
! ${cpeInsideTunnelIpAddress2} = The CPE's inside tunnel IP for the second tunnel.
! ${cpeInsideTunnelNetmask1} = The CPE's inside tunnel netmask for the first tunnel.
! ${cpeInsideTunnelNetmask2} = The CPE's inside tunnel netmask for the second tunnel.
! ${vcnCidrNetwork} = VCN IP range.
! ${vcnCidrNetmask} = Subnet mask for the VCN.
! ${onPremCidrNetwork} = On-premises IP range.
! ${onPremCidrNetmask} = On-premises subnet mask.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! IKEv2 Policy
! IKEv2 is enabled on the outside interface.
! An IKEv2 policy is created that specifies AES256, SHA1, Diffie-Hellman Group 5, and a lifetime of 28800 seconds (8 hours). Pre-shared key authentication is configured per tunnel group further below.
! If different parameters are required, modify this template before applying the configuration.
! SHA1 and Diffie-Hellman Group 5 are legacy choices; where both your ASA and Oracle support them, prefer a stronger integrity/PRF algorithm and DH group.
! WARNING: The IKEv2 policy is created with a priority of 10. Make sure this doesn't conflict with any pre-existing configuration on your ASA.
crypto ikev2 enable ${outsideInterface}
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 28800
! IPSec Configuration
! Create an IKEv2 IPSec proposal named 'oracle_v2_ipsec_proposal' which defines AES256 for encryption and SHA1 for authentication.
! If different parameters are required, modify this template before applying the configuration.
crypto ipsec ikev2 ipsec-proposal oracle_v2_ipsec_proposal
 protocol esp encryption aes-256
 protocol esp integrity sha-1
! An IPSec profile named 'oracle-vcn-vpn-policy' is created.
! The previously created IPSec proposal is added to this profile along with settings enabling PFS Group 5 and a security association lifetime of 3600 seconds (1 hour).
! If different parameters are required, modify this template before applying the configuration.
crypto ipsec profile oracle-vcn-vpn-policy
 set ikev2 ipsec-proposal oracle_v2_ipsec_proposal
 set pfs group5
 set security-association lifetime seconds 3600
! IPSec Tunnel Group Configuration
group-policy oracle_v2_group_policy internal
group-policy oracle_v2_group_policy attributes
 vpn-tunnel-protocol ikev2
! A tunnel group is created for each Oracle VPN headend; its name must be the headend's public IP. Each tunnel group defines the pre-shared key used for its respective tunnel. Use a different high-entropy pre-shared key for each tunnel.
tunnel-group ${oracleHeadend1} type ipsec-l2l
tunnel-group ${oracleHeadend1} general-attributes
 default-group-policy oracle_v2_group_policy
tunnel-group ${oracleHeadend1} ipsec-attributes
 ikev2 local-authentication pre-shared-key ${sharedSecret1}
 ikev2 remote-authentication pre-shared-key ${sharedSecret1}
tunnel-group ${oracleHeadend2} type ipsec-l2l
tunnel-group ${oracleHeadend2} general-attributes
 default-group-policy oracle_v2_group_policy
tunnel-group ${oracleHeadend2} ipsec-attributes
 ikev2 local-authentication pre-shared-key ${sharedSecret2}
 ikev2 remote-authentication pre-shared-key ${sharedSecret2}
! VTI Interface Configuration
! A virtual tunnel interface (VTI) is a logical interface representing the local end of a VPN tunnel to a remote VPN peer. Two VTIs are created, representing two tunnels, one to each Oracle VPN headend. The IP address of each VPN headend is provided when you create your IPSec connection in the Oracle Console.
! All traffic routed to a VTI will be encrypted and sent across the tunnel towards Oracle Cloud Infrastructure.
! Each VTI configuration also references the previously created IPSec profile 'oracle-vcn-vpn-policy' for its IPSec parameters.
interface ${tunnelInterfaceName1}
 nameif ORACLE-VPN1
 ip address ${cpeInsideTunnelIpAddress1} ${cpeInsideTunnelNetmask1}
 tunnel source interface ${outsideInterface}
 tunnel destination ${oracleHeadend1}
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile oracle-vcn-vpn-policy
interface ${tunnelInterfaceName2}
 nameif ORACLE-VPN2
 ip address ${cpeInsideTunnelIpAddress2} ${cpeInsideTunnelNetmask2}
 tunnel source interface ${outsideInterface}
 tunnel destination ${oracleHeadend2}
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile oracle-vcn-vpn-policy
! IP Routing
! Pick either dynamic (BGP) or static routing. Uncomment the corresponding commands prior to applying the configuration.
! Border Gateway Protocol (BGP) Configuration
! Uncomment the lines below if you want to use BGP. 31898 is Oracle's BGP ASN; ${bgpASN} must be different, since the session is eBGP.
! router bgp ${bgpASN}
!  address-family ipv4 unicast
!   neighbor ${OracleInsideTunnelIpAddress1} remote-as 31898
!   neighbor ${OracleInsideTunnelIpAddress1} activate
!   neighbor ${OracleInsideTunnelIpAddress2} remote-as 31898
!   neighbor ${OracleInsideTunnelIpAddress2} activate
!   network ${onPremCidrNetwork} mask ${onPremCidrNetmask}
!   no auto-summary
!   no synchronization
!  exit-address-family
! Static Route Configuration
! Each static route references its VTI by the nameif value assigned above (ORACLE-VPN1 or ORACLE-VPN2) and uses the Oracle inside tunnel IP as the next hop.
! The first route has metric 1 and is tied to track 1 (defined in the IP SLA section below), so it is withdrawn when the first headend stops answering the probe; the second route has metric 100 and carries traffic only while the first route is absent.
! Uncomment the lines below if you want to use static routing.
! route ORACLE-VPN1 ${vcnCidrNetwork} ${vcnCidrNetmask} ${OracleInsideTunnelIpAddress1} 1 track 1
! route ORACLE-VPN2 ${vcnCidrNetwork} ${vcnCidrNetmask} ${OracleInsideTunnelIpAddress2} 100
! Configuration for Tunnel Failover
! Uncomment the IP SLA lines below if using static routing. This IP SLA configuration is used for static route failover between the two tunnels.
! Make sure that the SLA monitor and tracking numbers used do not conflict with any existing configuration on your ASA.
! The probe pings the first headend's public IP over the outside interface, so it detects loss of reachability to the headend, not a tunnel that is up but not passing traffic. If the Oracle inside tunnel IP answers ICMP, probing ${OracleInsideTunnelIpAddress1} through ORACLE-VPN1 instead tests the tunnel path end to end.
! sla monitor 10
!  type echo protocol ipIcmpEcho ${oracleHeadend1} interface ${outsideInterface}
!  frequency 5
! sla monitor schedule 10 life forever start-time now
! track 1 rtr 10 reachability
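The parameter list at the top and the tracked static route / IP SLA block at the end are where a hand-edited copy of this template usually goes wrong: a placeholder spelled with the wrong case, an Oracle inside IP outside the CPE's tunnel subnet, a route that tracks a track number nobody defined. The Python script below is an added example, not Oracle's or Cisco's code. It renders a constructed excerpt of the template above with made-up sample values, refuses to render if any placeholder is undefined, cross-checks the parameters, checks the rendered text for dangling references (route nameif, track, sla monitor, tunnel-group per peer), and flags the SHA1 / DH group 5 lines. The excerpt, the sample values and the RFC 1918-only endpoint check are assumptions of the example.

```python
"""Render the ASA IKEv2 template above and sanity-check the result.
Added example, not Oracle's or Cisco's code: TEMPLATE is a constructed excerpt
of the page's template and PARAMS are made-up sample values."""
import ipaddress
import re
import string

TEMPLATE = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
tunnel-group ${oracleHeadend1} type ipsec-l2l
tunnel-group ${oracleHeadend2} type ipsec-l2l
interface ${tunnelInterfaceName1}
 nameif ORACLE-VPN1
 ip address ${cpeInsideTunnelIpAddress1} ${cpeInsideTunnelNetmask1}
 tunnel destination ${oracleHeadend1}
interface ${tunnelInterfaceName2}
 nameif ORACLE-VPN2
 tunnel destination ${oracleHeadend2}
route ORACLE-VPN1 ${vcnCidrNetwork} ${vcnCidrNetmask} ${OracleInsideTunnelIpAddress1} 1 track 1
route ORACLE-VPN2 ${vcnCidrNetwork} ${vcnCidrNetmask} ${OracleInsideTunnelIpAddress2} 100
sla monitor 10
 type echo protocol ipIcmpEcho ${oracleHeadend1} interface ${outsideInterface}
track 1 rtr 10 reachability
"""
PARAMS = {  # constructed sample values, not a real deployment
    "OracleInsideTunnelIpAddress1": "10.255.0.1", "cpeInsideTunnelIpAddress1": "10.255.0.2",
    "OracleInsideTunnelIpAddress2": "10.255.0.5", "cpeInsideTunnelIpAddress2": "10.255.0.6",
    "cpeInsideTunnelNetmask1": "255.255.255.252", "cpeInsideTunnelNetmask2": "255.255.255.252",
    "oracleHeadend1": "203.0.113.10", "oracleHeadend2": "203.0.113.20",
    "cpePublicIpAddress": "198.51.100.7", "bgpASN": "65000", "outsideInterface": "outside",
    "tunnelInterfaceName1": "Tunnel1", "tunnelInterfaceName2": "Tunnel2",
    "vcnCidrNetwork": "10.0.0.0", "vcnCidrNetmask": "255.255.0.0",
    "sharedSecret1": "constructed-psk-1", "sharedSecret2": "constructed-psk-2",
}
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Lines of the shipped template that select SHA1 or Diffie-Hellman group 5.
LEGACY = re.compile(r"^\s*(integrity sha|prf sha|group 5|set pfs group5|protocol esp integrity sha-1)\s*$", re.M)

def render(template, params):
    """Substitute ${name} placeholders, refusing to emit a config with holes in it.
    A placeholder whose case differs from the parameter list is reported here."""
    missing = sorted(set(PLACEHOLDER.findall(template)) - set(params))
    if missing:
        raise ValueError("undefined placeholders: " + ", ".join(missing))
    return string.Template(template).substitute(params)

def check_params(p):
    """Cross-checks on the values a practitioner would otherwise eyeball."""
    findings = []
    for n in ("1", "2"):
        cpe = ipaddress.ip_interface(f"{p['cpeInsideTunnelIpAddress' + n]}/{p['cpeInsideTunnelNetmask' + n]}")
        oracle = ipaddress.ip_address(p["OracleInsideTunnelIpAddress" + n])
        if oracle not in cpe.network or oracle == cpe.ip:  # both ends must share the inside subnet
            findings.append(f"tunnel {n}: Oracle inside IP {oracle} is not a distinct host in {cpe.network}")
    if p["oracleHeadend1"] == p["oracleHeadend2"]:
        findings.append("both tunnels use the same Oracle headend, so there is no redundancy")
    for k in ("oracleHeadend1", "oracleHeadend2", "cpePublicIpAddress"):
        addr = ipaddress.ip_address(p[k])  # RFC 1918 check only, so documentation addresses pass
        if any(addr in net for net in RFC1918):
            findings.append(f"{k} {addr} is private; tunnel endpoints must be public addresses")
    asn = int(p["bgpASN"])
    if not 1 <= asn <= 4294967295 or asn == 31898:
        findings.append(f"bgpASN {asn} is out of range or is Oracle's own ASN (the session must be eBGP)")
    return findings

def check_rendered(config):
    """Referential checks the ASA will not do for you when the config is pasted."""
    findings = []
    nameifs = set(re.findall(r"^\s*nameif (\S+)", config, re.M))
    tracks = dict(re.findall(r"^\s*track (\d+) rtr (\d+) reachability", config, re.M))
    monitors = set(re.findall(r"^\s*sla monitor (\d+)\s*$", config, re.M))
    peers = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    for nameif, track in re.findall(r"^route (\S+) \S+ \S+ \S+ \d+(?: track (\d+))?\s*$", config, re.M):
        if nameif not in nameifs:
            findings.append(f"route via undefined interface {nameif}")
        if track and track not in tracks:
            findings.append(f"route tracked by undefined track {track}")
    for track, rtr in tracks.items():
        if rtr not in monitors:
            findings.append(f"track {track} references undefined sla monitor {rtr}")
    for dest in re.findall(r"^\s*tunnel destination (\S+)", config, re.M):
        if dest not in peers:  # an IKEv2 L2L peer is matched to the tunnel-group named after its IP
            findings.append(f"no tunnel-group (and so no pre-shared key) for peer {dest}")
    return findings

def check_crypto(config):
    """Flag the SHA1 / DH group 5 lines the template ships with."""
    return [f"legacy algorithm: {line}" for line in LEGACY.findall(config)]

def lint(template, params):
    """Parameter checks, then render, then checks on the rendered text."""
    config = render(template, params)
    return check_params(params) + check_rendered(config) + check_crypto(config)

if __name__ == "__main__":
    for finding in lint(TEMPLATE, PARAMS):
        print("finding:", finding)
```

Run as-is, the only findings are the three legacy-algorithm lines from the IKEv2 policy. Replace `${vcnCidrNetwork}` in TEMPLATE with `${VcnCidrNetwork}` and `render` raises instead of handing you a route with a literal placeholder in it; delete the `track 1 rtr 10 reachability` line and `check_rendered` reports the orphaned `track 1` on the primary route. To lint the full template, paste it into TEMPLATE and fill PARAMS with your own values; the checks do not depend on the excerpt.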