Oracle® Advanced Support Gateway Security Guide

Updated: April 2024
 
 

Alternative External Connection Option

Oracle offers an alternative method for establishing a connection using IPSec, in which the connection is terminated on the customer's existing VPN hardware. This option generally requires an extended implementation cycle and is approved on an exception basis. If the customer chooses to use their existing VPN device (for example, a firewall or VPN concentrator) as the termination point, the overall VPN requirements described above remain the same. However, the encryption domain requirements for this connection make the configuration more complex.

The requirements include, but are not limited to:

  • A public IP per Gateway connection supplied by the customer for use inside the VPN encryption domain;

  • Access to one /26 subnet and multiple /32 addresses inside the encryption domain;

  • Allowing the ports and protocols listed in the table specifying firewall rules between the Gateway and Oracle standalone hosts in this guide (see Firewall Rules Between the Gateway and Oracle Standalone Hosts) to communicate across the VPN;

  • Network Address Translation (NAT) can be used for the source address of the Gateway on outbound Internet traffic for external communication back to Oracle. NAT is not supported for the Oracle Service endpoints with which the Gateway needs to communicate. These Oracle Service endpoints must reside on their public IP addresses.