Deploy VPN IPSec Tunnels on Oracle Cloud Infrastructure. White Paper September 2017 Version 1.0

Disclaimer
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Table of Contents
Disclaimer
Purpose of this White Paper
Scope & Assumptions
VPN IPSec Tunnels Concepts
VPN IPSec Tunnels on Oracle Cloud Infrastructure
Key Components of VPN IPSec Tunnels on Oracle Cloud Infrastructure
   Oracle Cloud Identifier (OCID)
   Cloud Resource
   On-Premises
   Customer Premises Equipment (CPE)
   Virtual Cloud Network (VCN)
   Subnet
   Virtual Network Interface Card (VNIC)
   Dynamic Routing Gateway (DRG)
   Internet Gateway (IG)
   Security Lists
   Route Table
Access Requirements for VPN IPSec Tunnels Configuration
VPN IPSec Configuration Step-by-Step Guide
   Overview of VPN IPSec Configuration
   Step 1: Create a VCN
   Step 2: Create a DRG
   Step 3: Attach DRG to VCN
   Step 4: Create a Dedicated Route Table
   Step 6: Create a New Security List for the Subnet
   Step 8: Create a New Subnet
   Step 9: Create on-premises Customer Premises Equipment (CPE)
   Step 10: Create IPSec Tunnel between DRG and CPE
   Step 11: Verify three IPSec Tunnels
   Summary
   Step 12: Configure the On-Premises VPN device
   Step 13: Validate connectivity from On-Premises to Oracle Cloud Infrastructure on Private IP
Conclusion

Purpose of this White Paper
This document explains, step by step, how to configure VPN IPSec tunnels on Oracle Cloud Infrastructure. Basic networking knowledge is assumed. You will work with your on-premises network engineer, who configures the on-premises VPN device in parallel with the steps described here. This document covers the steps on the Oracle Cloud Infrastructure side; at the end of it you will have the configuration data (shared secret and tunnel IP address per tunnel) required to complete the configuration of the on-premises VPN device.

Scope & Assumptions
This paper is a quick-start guide for deploying VPN IPSec tunnels from on-premises to Oracle Cloud Infrastructure. It outlines some best practices and should not be used as a full reference guide to VPN IPSec tunnels. Identity and Access Management (IAM) on Oracle Cloud Infrastructure is beyond the scope of this document, as are the details of the on-premises VPN device; refer to the Oracle Cloud Infrastructure documentation for commonly used on-premises VPN devices and their configuration steps. The document assumes that you have privileges to manage network components (Virtual Cloud Network, subnet, Dynamic Routing Gateway, Internet Gateway, and so on) in the compartment you want to work in.
Readers of this document should first:
» Be familiar with the fundamentals of Oracle Cloud Infrastructure: https://cloud.oracle.com/bare-metal
» Have a background in VPN IPSec tunnel functionality: https://en.wikipedia.org/wiki/ipsec

VPN IPSec Tunnels Concepts
IPSec stands for Internet Protocol Security (IP Security). It is a protocol suite that authenticates and encrypts IP packets before they leave the source node, so that the traffic is protected on its way to the destination. IPSec can be configured in two modes:
» Transport Mode: IPSec encrypts and/or authenticates only the payload of the packet; the original IP header stays intact and is used for routing.
» Tunnel Mode: IPSec encrypts and/or authenticates the entire original packet, including its IP header, and encapsulates it in a new IP packet whose header carries the addresses of the two VPN endpoints.
IPSec site-to-site VPN tunnels offer the following advantages:
» No need to buy expensive dedicated leased lines between sites, because the public internet carries the (encrypted) traffic.
» The internal IP addresses of the participating networks and nodes are hidden from observers on the path, because in tunnel mode the original headers are encrypted.
» The traffic between the two sites is authenticated and encrypted, which protects it from eavesdropping and tampering in transit.
Oracle Cloud Infrastructure supports only tunnel mode, and the service is self-service through either the web console or the REST APIs.

VPN IPSec Tunnels on Oracle Cloud Infrastructure
The VPN IPSec service provides a connection between a customer's on-premises network and an Oracle Cloud Infrastructure Virtual Cloud Network (VCN). It consists of multiple redundant IPSec tunnels that use static routes to direct traffic. The tunnels run between a Dynamic Routing Gateway (DRG), which is attached to the VCN, and a Customer Premises Equipment (CPE) object, which represents your on-premises VPN device. By default, three IPSec tunnels are created, one per Availability Domain, which provides redundancy if a tunnel fails. Oracle recommends configuring your on-premises router for all three tunnels so that connectivity survives the failure of any one of them.
Each tunnel has its own configuration data (the Oracle Cloud Infrastructure endpoint IP address and the shared secret used to authenticate the tunnel) that must be configured on your on-premises router. This white paper explains how to configure VPN IPSec tunnels from on-premises to Oracle Cloud Infrastructure datacenters using the web console. You can perform the same steps with the REST APIs; see the Oracle Cloud Infrastructure documentation for details.

Key Components of VPN IPSec Tunnels on Oracle Cloud Infrastructure

Oracle Cloud Identifier (OCID)
An Oracle Cloud Identifier (OCID) is a unique identifier assigned to every resource you provision on Oracle Cloud Infrastructure. The OCID is an auto-generated long string; support engineers use it to identify your cloud resource when working on support tickets. You cannot choose the value of an OCID or modify it for the life of the resource. You also use OCIDs extensively when working with the REST APIs.

Cloud Resource
A cloud resource is anything you provision on a cloud platform. In Oracle Cloud Infrastructure terms, it can be a VCN, a compute instance, a user, a compartment, Database as a Service, Load Balancing as a Service, or any other service component on the platform.

On-Premises
On-premises is a widely used term in cloud technologies and refers to your traditional datacenter environment: co-location space, dedicated floor space, a dedicated datacenter building, or the machine running under your desk.

Customer Premises Equipment (CPE)
Customer Premises Equipment (CPE) is the virtual representation of your on-premises VPN router (hardware or software). The CPE object holds basic information about that router (for example, its public IP address) that the VCN uses to route private traffic.

Virtual Cloud Network (VCN)
A Virtual Cloud Network (VCN), also known as a Cloud Network, is a software-defined network that you set up on the Oracle Cloud Infrastructure platform. Think of a VCN as an extension of your on-premises network into the cloud, with firewall rules and specific types of communication gateways. A VCN covers a single, contiguous CIDR block (range of IP addresses) of your choice. A VCN is a regional resource, meaning it spans all the availability domains (ADs) within a region. Oracle Cloud Infrastructure supports VCN sizes from /16 to /30, and you cannot change the CIDR of a VCN after it is created.
The VCN's CIDR must not overlap with your on-premises network, so work with your on-premises network administrator to obtain an available range of IP addresses (CIDR) for the VCN.

Subnet
A subnet is a subdivision of a cloud network (VCN). A subnet is an Availability Domain (AD) specific resource, so you need a subnet in each AD where you plan to launch instances. A subnet consists of a contiguous range of IP addresses that does not overlap with other subnets in the same VCN. You build a subnet by specifying the CIDR (range of IP addresses), the Availability Domain, and a user-friendly name. Subnets contain virtual network interface cards (VNICs), which attach to instances. You can label a subnet as private when you create it, which means VNICs in the subnet cannot have a public IP address.

A subnet is associated with security lists, route tables, and DHCP (Dynamic Host Configuration Protocol) options that control which traffic is allowed, in which direction, and through which gateway (DRG for private traffic, IG for public traffic). You cannot change the security lists or route table attached to a subnet once the subnet is built, but you can change the rules of those security lists and route tables at any time. Note that you cannot alter the CIDR after a subnet is built.

Virtual Network Interface Card (VNIC)
A Virtual Network Interface Card (VNIC) resides in a subnet and is attached to an instance to connect it to the subnet's VCN. Each instance has a primary VNIC that is created during instance launch and cannot be removed. If needed, you can add secondary VNICs to an existing instance (in the same AD as the primary VNIC).

Dynamic Routing Gateway (DRG)
A Dynamic Routing Gateway (DRG) is a virtual router that provides a path for private traffic between an Oracle Cloud Infrastructure cloud network (VCN) and your on-premises (datacenter) network. The DRG is a standalone resource on Oracle Cloud Infrastructure, so you can detach it and attach it to a different VCN as business needs change. A DRG is required for both VPN IPSec tunnels and FastConnect virtual circuits. A network administrator can think of the DRG as the VPN headend on the Oracle Cloud Infrastructure side.

Internet Gateway (IG)
An Internet Gateway (IG) is an optional virtual router that you can add to a VCN for internet connectivity. It provides internet access for the VCN and is controlled by the route table and security list configuration at the subnet level. In addition to the IG, a compute instance needs the following to reach the internet:
» a routing rule in the subnet's route table that points to the IG, and
» the appropriate ports opened in the security list, for example, ports 80/443 for web server traffic.
Note: Having an Internet Gateway alone DOES NOT expose your subnet to the internet unless both of these conditions are satisfied.

Security Lists
Security lists are the virtual firewall rules for your VCN on Oracle Cloud Infrastructure. A security list consists of ingress and egress rules that specify the source or destination CIDR and the type of traffic (protocol and port) allowed into and out of instances in a subnet. A security list is attached to a subnet when the subnet is created, and you can change its rules at any time. Example: an ingress rule with source CIDR 10.100.200.0/24, protocol TCP, and destination port 22 allows SSH connections from the on-premises addresses 10.100.200.0/24 to the Oracle Cloud Infrastructure instances in the subnet.

Route Table
Route tables are virtual route tables in which you configure traffic rules that use the DRG or IG as targets. The route table rules map traffic from subnets, via gateways, to destinations outside the VCN: private traffic flows through the DRG and public traffic through the IG. You can build multiple route tables within a VCN or use the default route table.

A route table must be assigned to every subnet within a VCN. The default route table is used when you create a subnet without specifying one. Using one dedicated route table per subnet keeps subnet management simple. You cannot change the route table of a subnet once the subnet is created, but you can change the route table rules at any time.

Access Requirements for VPN IPSec Tunnels Configuration
To manage VPN IPSec tunnels on Oracle Cloud Infrastructure, you must have been granted full access to the network components within your compartment. For example, the following policy grants the permissions required to manage VPN IPSec tunnels:

   Allow group GroupNetworkAdmin to manage virtual-network-family in compartment CompartmentA

Where:
» GroupNetworkAdmin is a group that your user must be a member of.
» CompartmentA is the compartment where you want to set up the VPN IPSec tunnels and the related network components (VCN, subnet, and so on).
Scope this policy to the compartment that holds the network components rather than to the whole tenancy: manage on virtual-network-family also permits changing and deleting the VCN, route tables, security lists, and gateways, so only the group that operates the network should hold it.

VPN IPSec Configuration Step-by-Step Guide

Overview of VPN IPSec Configuration
The original paper shows a diagram of the end-to-end components required to build VPN IPSec connectivity from on-premises to Oracle Cloud Infrastructure (diagram not reproduced here). The rest of the document covers the steps required to build each component in that diagram: VCN, DRG, route table, security list, subnet, CPE, and the IPSec connection.

Step 1: Create a VCN
Create a VCN by following these steps:
» Choose a compartment that you have permission to work in.
» Go to the Networking tab and select Virtual Cloud Network.
» Click Create Virtual Cloud Network.
» Choose the compartment where you want to build the VCN.
» Specify a friendly name for the VCN, say NameVCN.
» Specify the CIDR block (range of IP addresses) for this VCN. Note: it cannot be changed after the VCN is created, and it must not overlap the on-premises CIDR (in this paper's example the VCN is 10.1.0.0/16 and the on-premises network is 10.0.0.0/16).

Step 2: Create a DRG
Create a DRG by following these steps:
» Choose a compartment that you have permission to work in.
» Go to the Networking tab and select Dynamic Routing Gateway.
» Click Create Dynamic Routing Gateway.
» Choose the compartment where you want to build the DRG.
» Give the DRG a friendly name, say NameDRG.

Step 3: Attach DRG to VCN
Attach the DRG to the VCN by following these steps:
» Go to the Networking tab and select Virtual Cloud Network. You will see NameVCN, the VCN you created in Step 1.
» Click the name of the VCN to open the VCN management page.
» Under Resources, click Dynamic Routing Gateways.
» Click Attach Dynamic Routing Gateway and choose the DRG you built in Step 2.

Step 4: Create a Dedicated Route Table
For this example, we create a new, dedicated route table for the subnet. Create it by following these steps:
» On the VCN management page, under Resources, click Route Tables. A Default Route Table for NameVCN is already there; we do not use it in this exercise.
» Click Create Route Table.
» Give the route table a friendly name, say NameRT.
» Add the first rule to the route table:
   - CIDR Block: 10.0.0.0/16 (the on-premises CIDR)
   - Target Compartment: the compartment you are working in
   - Target: Dynamic Routing Gateway (NameDRG)
Keep this rule as specific as the on-premises network really is: the security list (Step 6) must use the same or a smaller CIDR, and the IPSec static route (Step 10) must cover it.

Step 6: Create a New Security List for the Subnet
For this example, we create a new, dedicated security list for the subnet. Create it by following these steps:
» On the VCN management page, under Resources, click Security Lists. A Default Security List for NameVCN is already there; we do not use it in this exercise.
» Click Create Security List.
» Give the security list a friendly name, say NameSL.
» Specify the ingress and egress allow rules. A security list permits only what its rules allow, so a new list with no ingress rules denies all incoming traffic on all ports and protocols. At a minimum, add the following rules:
   - Ingress rule (allow incoming SSH on TCP port 22 from on-premises):
     Source CIDR: 10.0.0.0/16 (on-premises CIDR)
     IP Protocol: TCP
     Source Port Range: empty (default: all)
     Destination Port Range: 22 (SSH)
   - Ingress rule (allow ICMP type 3, code 4 for path MTU discovery):
     Source CIDR: 10.0.0.0/16 (on-premises CIDR)
     IP Protocol: ICMP
     Type and Code: 3, 4
   - Egress rule (allow outgoing TCP traffic on all ports to on-premises):
     Destination CIDR: 10.0.0.0/16 (on-premises CIDR)
     IP Protocol: TCP
     Source Port Range: empty (default: all)
     Destination Port Range: empty (default: all)
Security list rules are stateful unless you mark them stateless, so the replies of an SSH session admitted by the ingress rule need no separate egress rule.
Note: Make sure that the on-premises CIDR used in the security list is the same as (or a subset of) the CIDR routed to the DRG in the route table. Addresses that are routed but not allowed by the security list are blocked, and addresses allowed by the security list but not routed never reach the tunnel.
Important: The ingress rule for ICMP type 3, code 4 is required for path MTU discovery. Without it you may experience connectivity problems (connections that hang). For more information, refer to the Hanging Connection documentation.

Step 8: Create a New Subnet
Now we create a subnet within the VCN with a CIDR smaller than the VCN CIDR. Instances launched in this subnet will have access to the on-premises network and hosts. We attach the route table and security list created in the previous steps to this subnet. A subnet is an AD-specific resource, meaning its range of IP addresses is available in a single Availability Domain only. Follow these steps:
» On the VCN management page, under Resources, click Subnets.
» Click Create Subnet.
» Give the subnet a friendly name, for example, NameSubnetAD1.
» Choose an Availability Domain, for example, AD1.
» Choose a CIDR block inside the VCN CIDR, for example, 10.1.0.0/24.
» Choose the route table NameRT from the drop-down list.
» Check the Public Subnet option only if compute instances in this subnet need public IP addresses. If they are reached only over the IPSec tunnel, leave the subnet private: VNICs in a private subnet cannot get a public IP address, which removes one exposure path.
» Leave the defaults for the DNS and DHCP configuration.
» Choose the security list NameSL from the drop-down list.
» Click Create.
The preceding configuration builds a subnet with the CIDR 10.1.0.0/24, a subset of the VCN CIDR 10.1.0.0/16, in Availability Domain AD1, with the route table and security list created in the previous steps. (The original paper shows a screenshot of the Create Subnet screen here; it is not reproduced.)

Quick Recap
At this point the VCN NameVCN exists with the DRG NameDRG attached, the dedicated route table NameRT, the dedicated security list NameSL, and the subnet NameSubnetAD1 in AD1. (The original paper shows this as a diagram; it is not reproduced here.)

Step 9: Create on-premises Customer Premises Equipment (CPE)
You need the public IP address of your on-premises VPN device to create a CPE on Oracle Cloud Infrastructure. The CPE is the logical representation of that device. Create it by following these steps:
» Go to the Networking tab and select Customer-Premises Equipment.
» Click Create Customer-Premises Equipment.
» Give it a friendly name, say NameCPE.
» Enter the IP address of the on-premises VPN router.

Step 10: Create IPSec Tunnel between DRG and CPE
Create the IPSec connection by following these steps:
» Go to the Networking tab and select Dynamic Routing Gateways.
» Click your DRG (NameDRG).
» Click Create IPSec Connection.
» Give the IPSec connection a friendly name, say NameIPSec.
» Choose the Customer-Premises Equipment you built in Step 9 (NameCPE).
» Add the on-premises network CIDR (10.0.0.0/16 in this example) in the Static Route CIDR field.
Note: static routes cannot be changed later; to change them you have to delete the IPSec connection and create a new one. Only traffic for the static route CIDRs is sent over the tunnels, so the static route must cover the CIDR you routed to the DRG in Step 4.
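Before creating anything in the console, it is worth checking the plan against the constraints stated in this paper: the VCN is between /16 and /30 and does not overlap the on-premises network, subnets lie inside the VCN and do not overlap each other, the route table rule, the security list CIDRs and the IPSec static route agree on the on-premises CIDR, and the ICMP type 3 code 4 ingress rule is present. The following Python script is an added example for Steps 4, 6, 8 and 10, not code from the paper or from Oracle. It models the plan as plain dictionaries with field names of its own choosing (assumptions, not OCI API names), checks those constraints with the standard-library ipaddress module, uses the paper's example values, and makes no API calls.

```python
"""Pre-flight check for the network plan built in Steps 1 to 10.

Added example, not code from the paper or from Oracle. The plan is a plain
dictionary with this script's own (assumed) field names; the values are the
paper's example values (VCN 10.1.0.0/16, on-premises 10.0.0.0/16). The plan
lists only the rules for on-premises traffic; nothing here talks to the OCI API.
"""
import ipaddress


def _net(cidr):
    """Parse a CIDR strictly (host bits must be zero, as the console requires)."""
    return ipaddress.ip_network(cidr, strict=True)


def validate_plan(plan):
    """Return a list of problems found; an empty list means the plan is consistent."""
    problems = []
    vcn = _net(plan["vcn_cidr"])
    onprem = _net(plan["onprem_cidr"])

    # VCN sizing and overlap rules from the VCN section.
    if not 16 <= vcn.prefixlen <= 30:
        problems.append(f"VCN {vcn} must be between /16 and /30")
    if vcn.overlaps(onprem):
        problems.append(f"VCN {vcn} overlaps on-premises {onprem}")

    # Subnets (Step 8): inside the VCN and disjoint from each other.
    subnets = [_net(s["cidr"]) for s in plan["subnets"]]
    for s in subnets:
        if not s.subnet_of(vcn):
            problems.append(f"subnet {s} is not inside VCN {vcn}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")

    # Route table (Step 4): the on-premises CIDR needs a rule whose target is the DRG.
    drg_routes = [_net(r["cidr"]) for r in plan["route_rules"] if r["target"] == "DRG"]
    if not any(onprem.subnet_of(r) for r in drg_routes):
        problems.append(f"no route rule via the DRG covers on-premises {onprem}")

    # IPSec static routes (Step 10): the tunnels carry only traffic for the static
    # routes, and the paper says they cannot be edited later, so every DRG route
    # must be covered before the connection is created.
    static = [_net(c) for c in plan["ipsec_static_routes"]]
    for r in drg_routes:
        if not any(r.subnet_of(s) for s in static):
            problems.append(f"DRG route {r} is not covered by any IPSec static route")

    # Security list (Step 6): each on-premises CIDR in a rule must be the same as,
    # or smaller than, a DRG route CIDR (addresses allowed but not routed never
    # reach the tunnel), and the ICMP type 3 code 4 ingress rule for path MTU
    # discovery must be present.
    pmtud_rule = False
    for rule in plan["security_rules"]:
        cidr = _net(rule["cidr"])
        if not any(cidr.subnet_of(r) for r in drg_routes):
            problems.append(f"{rule['direction']} rule for {cidr} is not within any route rule via the DRG")
        if (rule["direction"] == "ingress" and rule["protocol"] == "icmp"
                and rule.get("icmp") == (3, 4)):
            pmtud_rule = True
    if not pmtud_rule:
        problems.append("missing ingress ICMP type 3 code 4 rule (path MTU discovery)")
    return problems


# The paper's example plan, constructed from the values in Steps 4, 6, 8 and 10.
PAPER_PLAN = {
    "vcn_cidr": "10.1.0.0/16",
    "onprem_cidr": "10.0.0.0/16",
    "subnets": [{"name": "NameSubnetAD1", "ad": "AD1", "cidr": "10.1.0.0/24"}],
    "route_rules": [{"cidr": "10.0.0.0/16", "target": "DRG"}],
    "ipsec_static_routes": ["10.0.0.0/16"],
    "security_rules": [
        {"direction": "ingress", "cidr": "10.0.0.0/16", "protocol": "tcp", "dst_ports": (22, 22)},
        {"direction": "ingress", "cidr": "10.0.0.0/16", "protocol": "icmp", "icmp": (3, 4)},
        {"direction": "egress", "cidr": "10.0.0.0/16", "protocol": "tcp"},
    ],
}

if __name__ == "__main__":
    for line in validate_plan(PAPER_PLAN) or ["plan is consistent"]:
        print(line)
```

Run it against the dictionary for your own plan before clicking through Steps 1 to 10; a wider security list CIDR than the route table (for example 10.0.0.0/8 against a 10.0.0.0/16 route) or a static route narrower than the DRG route is reported, which is cheaper to catch here than after the IPSec connection has been created with static routes that cannot be edited.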

Step 11: Verify three IPSec Tunnels
Once the IPSec connection is provisioned, get the tunnel configuration by following these steps:
» Click the three-dot menu on the right of the IPSec connection.
» Choose Tunnel Information.
You should see three tunnels, built by default, one per AD. All three tunnels show status DOWN at this point because the on-premises VPN device has not been configured yet. Note the configuration information for each tunnel, the Oracle endpoint IP address and the shared secret, which is needed to configure the on-premises VPN device.
The shared secret is the pre-shared key that authenticates the tunnel, so treat it as a credential: hand it to the network engineer over a protected channel rather than in a ticket, chat message, or e-mail, and do not keep it in plain text alongside the rest of the tunnel information.

Summary
Based on the steps completed, the VPN configuration now consists of the VCN with its DRG, route table, security list and subnet, the CPE, and the IPSec connection with its three tunnels. (The original paper shows this as a diagram; it is not reproduced here.)

Step 12: Configure the On-Premises VPN device
Provide the configuration information for all three tunnels to your on-premises network engineer, who has access to the VPN devices. They configure all three tunnels with the Oracle Cloud Infrastructure tunnel data (endpoint IP address and shared secret per tunnel) and establish connectivity with Oracle Cloud Infrastructure. This is the last step required to build the VPN IPSec tunnels on Oracle Cloud Infrastructure. (The original paper shows the whole configuration as a diagram here; it is not reproduced.)

Step 13: Validate connectivity from On-Premises to Oracle Cloud Infrastructure on Private IP
At this point your VPN IPSec tunnel configuration is complete, and the status of all three tunnels should be UP (green) in the console. Launch a compute instance in the subnet built in Step 8 and test SSH connectivity to its private IP address from an on-premises server whose address falls within the CIDR used in the security list and route table (10.0.0.0/16 in this example). If the tunnels are UP but SSH does not connect, re-check the security list rules first (including the ICMP type 3, code 4 rule), then the route table rule and the static route CIDR.
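As an added example for Steps 11 and 13 (not code from the paper or from Oracle), the following Python script shows how to handle the tunnel information once it has been retrieved through the API rather than read off the console: masking the shared secrets before the tunnel list is pasted into a ticket, keeping the secret-to-endpoint mapping for the protected handoff, and checking the tunnel status before and after Step 12. The JSON samples are constructed here, shaped after the IPSec connection device-config and device-status responses; the field names tunnels[].ipAddress, sharedSecret and lifecycleState are assumptions to verify against the current API reference, the IP addresses come from the documentation range 192.0.2.0/24, and the secrets are placeholders.

```python
"""Working with the tunnel information from Step 11 and the check in Step 13.

Added example, not code from the paper or from Oracle. The JSON documents are
constructed samples shaped like the IPSec connection "get config" and
"get status" responses; the field names (tunnels[].ipAddress, sharedSecret,
lifecycleState) are assumptions to verify against the API reference. The IP
addresses are from 192.0.2.0/24 (documentation range) and the secrets are
placeholders, not real keys.
"""
import json

SAMPLE_CONFIG = json.loads("""
{"tunnels": [
  {"ipAddress": "192.0.2.11", "sharedSecret": "EXAMPLE-PSK-AD1"},
  {"ipAddress": "192.0.2.12", "sharedSecret": "EXAMPLE-PSK-AD2"},
  {"ipAddress": "192.0.2.13", "sharedSecret": "EXAMPLE-PSK-AD3"}
]}""")

# Before Step 12 every tunnel is DOWN; after the on-premises device is
# configured all of them should be UP.
SAMPLE_STATUS_BEFORE = json.loads("""
{"tunnels": [
  {"ipAddress": "192.0.2.11", "lifecycleState": "DOWN"},
  {"ipAddress": "192.0.2.12", "lifecycleState": "DOWN"},
  {"ipAddress": "192.0.2.13", "lifecycleState": "DOWN"}
]}""")

SAMPLE_STATUS_AFTER = json.loads("""
{"tunnels": [
  {"ipAddress": "192.0.2.11", "lifecycleState": "UP"},
  {"ipAddress": "192.0.2.12", "lifecycleState": "UP"},
  {"ipAddress": "192.0.2.13", "lifecycleState": "DOWN"}
]}""")


def redacted_config(config):
    """Copy of the device configuration with every shared secret masked.

    This is the form to put in tickets, chat or e-mail; the secrets themselves
    go to the network engineer over a separate, protected channel.
    """
    return {"tunnels": [
        {"ipAddress": t["ipAddress"], "sharedSecret": "<redacted>"}
        for t in config["tunnels"]]}


def secrets_by_endpoint(config):
    """Map Oracle tunnel endpoint IP -> shared secret, for the protected handoff only."""
    return {t["ipAddress"]: t["sharedSecret"] for t in config["tunnels"]}


def tunnel_report(status, config, expected=3):
    """Return (ready, problems) for the Step 13 check.

    ready is True only when the status lists exactly `expected` tunnels (three
    by default, one per AD), every endpoint in the status also appears in the
    configuration handed to the engineer, and every tunnel is UP.
    """
    problems = []
    configured = {t["ipAddress"] for t in config["tunnels"]}
    seen = {t["ipAddress"] for t in status["tunnels"]}
    if len(status["tunnels"]) != expected:
        problems.append(f"expected {expected} tunnels, status lists {len(status['tunnels'])}")
    for ip in sorted(seen - configured):
        problems.append(f"tunnel {ip} in status has no entry in the handed-over config")
    for t in status["tunnels"]:
        if t["lifecycleState"] != "UP":
            problems.append(f"tunnel {t['ipAddress']} is {t['lifecycleState']}")
    return (not problems, problems)


if __name__ == "__main__":
    print(json.dumps(redacted_config(SAMPLE_CONFIG), indent=2))
    ready, problems = tunnel_report(SAMPLE_STATUS_AFTER, SAMPLE_CONFIG)
    print("ready" if ready else "not ready:", *problems, sep="\n")
```

With the sample data the report after Step 12 is "not ready" because the third tunnel is still DOWN, which is exactly the state in which connectivity may appear to work (two tunnels are up) while the redundancy the paper recommends is missing.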

Conclusion
The VPN IPSec service on Oracle Cloud Infrastructure lets customers establish private network connectivity from on-premises to their private Oracle Cloud Infrastructure network. Oracle strongly recommends that this service is configured by the customer's network engineer only, and that the security rules are evaluated carefully.

Oracle Corporation, World Headquarters: 500 Oracle Parkway, Redwood Shores, CA 94065, USA
Worldwide Inquiries: Phone +1.650.506.7000, Fax +1.650.506.7200
CONNECT WITH US: blogs.oracle.com/oracle, facebook.com/oracle, twitter.com/oracle, oracle.com

Copyright 2017, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0917

Deploy VPN IPSec Tunnels on Oracle Cloud Infrastructure, September 2017
Author: Prashant (Shan) Gupta (shan.gupta@oracle.com), Principal Solutions Architect