--------------------------------------------------------------------------------------------------------------------------------------------------------------
# Configuration Template
# The configuration consists of two IPSec tunnels. Oracle highly recommends that you configure both tunnels for maximum redundancy.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# The configuration template involves setting up the following:
# PHASE 1
# PHASE 2
# SETTING THE TUNNEL INTERFACES FOR ORACLE
# SETTING THE SERVICES FOR ORACLE.
# SETTING BGP/STATIC ROUTING
# SETTING ROUTING-INSTANCES FOR ORACLE (OPTIONAL).
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# The configuration template has various parameters that you must define before applying the configuration.
# Search in the template for the keyword "USER_DEFINED" to find those parameters.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# PARAMETERS REFERENCED:
# oracle_headend_1 = Oracle public IP endpoint obtained from the Oracle Console.
# oracle_headend_2 = Oracle public IP endpoint obtained from the Oracle Console.
# connection_presharedkey_1 = You provide this when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
# connection_presharedkey_2 = You provide this when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
# cpe_public_ip_address = The internet-routable IP address that is assigned to the public interface on the CPE. You provide this when creating the CPE object in the Oracle Console.
# cpe_public_interface = The name of the Juniper interface where the CPE IP address is configured. Eg: ge-0/0/1.0
# msInterface1 = The interface corresponding to one of the four encryption ASICs on the MS-MPC card. Eg: ms-2/3/0, ms-2/3/1
# msInterface2 = Second tunnel interface that needs to be configured. Eg: ms-2/3/0, ms-2/3/1
# insideMsUnit1 = The inside interface of the MS-MPC interface pair for tunnel_1
# insideMsUnit2 = The inside interface of the MS-MPC interface pair for tunnel_2
# outsideMsUnit1 = The outside interface of the MS-MPC interface pair for tunnel_1
# outsideMsUnit2 = The outside interface of the MS-MPC interface pair for tunnel_2
# inside_tunnel_interface_ip_address = The IP addresses for the CPE and Oracle ends of the inside tunnel interface. You provide these when creating the IPSec connection in the Oracle Console.
# inside_tunnel_interface_ip_address_neighbor = The neighbor IP address between the MX and Oracle end points of the inside tunnel interface.
# bgp_asn = Your ASN
# vcn_range = VCN IP Range
# OPTIONAL PARAMETERS:
# customer_on-prem_to_oracle = Name of the routing instance to be defined on the CPE for the tunnel interfaces connecting to the Oracle headends.
# internet_routing_instance = Name of the routing instance to be defined on the CPE for the tunnel interfaces that are connected to the Internet.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# IPSec Tunnel 1
# #1: Internet Key Exchange (IKE) Configuration (Phase 1)
# Defining the IKE Proposal for Oracle
# This IKE (Phase 1) configuration template uses AES256, SHA384, Diffie-Hellman Group 5, and a 28800 second (8 hour) IKE session key lifetime.
# If different parameters are required, modify this template before applying the configuration.
set services ipsec-vpn ike proposal oracle-ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal oracle-ike-proposal authentication-algorithm sha-384
set services ipsec-vpn ike proposal oracle-ike-proposal encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal oracle-ike-proposal lifetime-seconds 28800
set services ipsec-vpn ike proposal oracle-ike-proposal dh-group group5
# Defining the IKE Policy for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
# If using IKEv1, uncomment the following two lines, and comment out the line after (the line with "version 2" at the end)
# set services ipsec-vpn ike policy oracle-ike-policy-tunnel_1 mode main
# set services ipsec-vpn ike policy oracle-ike-policy-tunnel_1 version 1
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_1 version 2
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_1 proposals oracle-ike-proposal
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_1 local-id ipv4_addr
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_1 remote-id ipv4_addr
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_1 pre-shared-key ascii-text
# Setting up the Public Interface with the CPE Public IP.
# USER_DEFINED: Replace the parameters in the section below as needed
set interfaces unit 0 family inet address
# #2: IPSec Configuration
# Defining the IPSec (Phase 2) Proposal for Oracle
# The IPSec proposal defines the protocol, authentication, encryption, and lifetime parameters for the IPsec security association.
# The configuration template sets AES256 for encryption, SHA256 for authentication, enables PFS group 14, and sets the IPSec session key lifetime to 3600 seconds (1 hour).
# The IPsec policy incorporates the Diffie-Hellman group and the IPsec proposal.
# If different parameters are required, modify this template before applying the configuration.
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal protocol esp
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal authentication-algorithm hmac-sha-256-128
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal lifetime-seconds 3600
# Defining the IPSec (PHASE 2) policy for Oracle
set services ipsec-vpn ipsec policy oracle-ipsec-policy perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy oracle-ipsec-policy proposals oracle-ipsec-proposal
# Defining the Security Association for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed.
# The IKE and IPSEC policies are associated with the tunnel interface. Eg: ms-2/3/0.101
# The IPsec Dead Peer Detection option causes periodic messages to be sent to ensure a Security Association remains operational.
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 from ipsec-inside-interface .
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then remote-gateway
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then dynamic ike-policy oracle-ike-policy-tunnel_1
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then dynamic ipsec-policy oracle-ipsec-policy
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then tunnel-mtu 1430
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then dead-peer-detection
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then dead-peer-detection interval 5
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then dead-peer-detection threshold 4
set services ipsec-vpn rule oracle-vpn-tunnel_1 match-direction input
# #3: Tunnel Interface Configuration
# Defining the Tunnel Interfaces
# USER_DEFINED: Replace the parameters in the section below as needed.
set interfaces unit description oracle-vpn-tunnel-1-INSIDE
set interfaces unit family inet address
set interfaces unit service-domain inside
set interfaces unit description oracle-vpn-tunnel-1-OUTSIDE
set interfaces unit family inet
set interfaces unit service-domain outside
# #4: Service Set Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# Service set configuration to direct traffic to the tunnel interfaces and associate the appropriate IPSec-VPN rule.
# The ipsec-vpn-rules name must match the rule defined in section #2 (oracle-vpn-tunnel_1) exactly, or the service set will not bind to it.
set services service-set oracle-vpn-tunnel_1 next-hop-service inside-service-interface .
set services service-set oracle-vpn-tunnel_1 next-hop-service outside-service-interface .
set services service-set oracle-vpn-tunnel_1 ipsec-vpn-options local-gateway
set services service-set oracle-vpn-tunnel_1 ipsec-vpn-rules oracle-vpn-tunnel_1
# This option causes the router to reduce the Maximum Segment Size of TCP packets to prevent packet fragmentation.
set services service-set oracle-vpn-tunnel_1 tcp-mss 1387
# #5a: Border Gateway Protocol (BGP) Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# BGP is used within the tunnel to exchange prefixes between the Dynamic Routing Gateway (DRG) and your CPE. The DRG dynamically learns the routes from your on-premises network. On the Oracle side, the DRG advertises the VCN's subnets.
# The configuration template uses a basic route policy to advertise a default route to the DRG.
# To advertise additional prefixes to the Oracle VCN, add additional prefixes to the term "default" of the ORACLE-DEFAULT policy. Make sure the prefix is present in the routing table of the device with a valid next-hop.
# You configure the local BGP Autonomous System Number (BGP ASN) when you set up the IPSec connection in the Oracle Console. If you later need to change the ASN, you must recreate the CPE object and IPSec connection in the Oracle Console.
set policy-options policy-statement ORACLE-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ORACLE-DEFAULT term default then accept
set policy-options policy-statement ORACLE-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor export ORACLE-DEFAULT
set protocols bgp group ebgp neighbor peer-as 31898
set protocols bgp group ebgp neighbor local-as
# #5b: Static Route Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# If you plan to use static routing to get traffic through the IPSec tunnels, you can point the routes down the tunnel interfaces. You should redistribute these routes into your on-premises network.
# Configuration for CPE to VCN static routes:
set routing-options static route next-hop .
# #6: Routing Instances Configuration (Optional)
# USER_DEFINED: Replace the parameters in the section below as needed.
# If you are using routing-instances on your CPE, you need to make sure you account for them in your configuration. Merge the following configuration into the template provided above.
set routing-instances interface .
set routing-instances interface .
set services service-set oracle-vpn-tunnel_1 ipsec-vpn-options local-gateway routing-instance
--------------------------------------------------------------------------------------------------------------------------------------------------------------
# IPSec Tunnel 2
# #1: Internet Key Exchange (IKE) Configuration (Phase 1)
# Defining the IKE Proposal for Oracle
# This IKE (Phase 1) configuration template uses AES256, SHA384, Diffie-Hellman Group 5, and a 28800 second (8 hour) IKE session key lifetime.
# If different parameters are required, modify this template before applying the configuration.
set services ipsec-vpn ike proposal oracle-ike-proposal authentication-method pre-shared-keys
set services ipsec-vpn ike proposal oracle-ike-proposal authentication-algorithm sha-384
set services ipsec-vpn ike proposal oracle-ike-proposal encryption-algorithm aes-256-cbc
set services ipsec-vpn ike proposal oracle-ike-proposal lifetime-seconds 28800
set services ipsec-vpn ike proposal oracle-ike-proposal dh-group group5
# Defining the IKE Policy for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
# If using IKEv1, uncomment the following two lines, and comment out the line after (the line with "version 2" at the end)
# set services ipsec-vpn ike policy oracle-ike-policy-tunnel_2 mode main
# set services ipsec-vpn ike policy oracle-ike-policy-tunnel_2 version 1
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_2 version 2
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_2 proposals oracle-ike-proposal
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_2 local-id ipv4_addr
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_2 remote-id ipv4_addr
set services ipsec-vpn ike policy oracle-ike-policy-tunnel_2 pre-shared-key ascii-text
# Setting up the Public Interface with the CPE Public IP.
# USER_DEFINED: Replace the parameters in the section below as needed
set interfaces unit 0 family inet address
# #2: IPSec Configuration
# Defining the IPSec (Phase 2) Proposal for Oracle
# The IPSec proposal defines the protocol, authentication, encryption, and lifetime parameters for the IPsec security association.
# The configuration template sets AES256 for encryption, SHA256 for authentication, enables PFS group 14, and sets the IPSec session key lifetime to 3600 seconds (1 hour).
# The IPsec policy incorporates the Diffie-Hellman group and the IPsec proposal.
# If different parameters are required, modify this template before applying the configuration.
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal protocol esp
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal authentication-algorithm hmac-sha-256-128
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal encryption-algorithm aes-256-cbc
set services ipsec-vpn ipsec proposal oracle-ipsec-proposal lifetime-seconds 3600
# Defining the IPSec (PHASE 2) policy for Oracle
set services ipsec-vpn ipsec policy oracle-ipsec-policy perfect-forward-secrecy keys group14
set services ipsec-vpn ipsec policy oracle-ipsec-policy proposals oracle-ipsec-proposal
# Defining the Security Association for Oracle
# USER_DEFINED: Replace the parameters in the section below as needed
# The IKE and IPSEC policies are associated with the tunnel interface. Eg: ms-2/3/0.101
# The IPsec Dead Peer Detection option causes periodic messages to be sent to ensure a Security Association remains operational.
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 from ipsec-inside-interface .
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then remote-gateway
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then dynamic ike-policy oracle-ike-policy-tunnel_2
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then dynamic ipsec-policy oracle-ipsec-policy
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then tunnel-mtu 1420
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then initiate-dead-peer-detection
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then dead-peer-detection
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then dead-peer-detection interval 5
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then dead-peer-detection threshold 4
set services ipsec-vpn rule oracle-vpn-tunnel_2 match-direction input
# #3: Tunnel Interface Configuration
# Defining the Tunnel Interfaces
# USER_DEFINED: Replace the parameters in the section below as needed.
set interfaces unit description oracle-vpn-tunnel-2-INSIDE
set interfaces unit family inet address
set interfaces unit service-domain inside
set interfaces unit description oracle-vpn-tunnel-2-OUTSIDE
set interfaces unit family inet
set interfaces unit service-domain outside
# #4: Service Set Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# Service set configuration to direct traffic to the tunnel interfaces and associate the appropriate IPSec-VPN rule.
# The ipsec-vpn-rules name must match the rule defined in section #2 (oracle-vpn-tunnel_2) exactly, and the tcp-mss line must name this tunnel's own service set.
set services service-set oracle-vpn-tunnel_2 next-hop-service inside-service-interface .
set services service-set oracle-vpn-tunnel_2 next-hop-service outside-service-interface .
set services service-set oracle-vpn-tunnel_2 ipsec-vpn-options local-gateway
set services service-set oracle-vpn-tunnel_2 ipsec-vpn-rules oracle-vpn-tunnel_2
# This option causes the router to reduce the Maximum Segment Size of TCP packets to prevent packet fragmentation.
set services service-set oracle-vpn-tunnel_2 tcp-mss 1387
# #5a: Border Gateway Protocol (BGP) Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# BGP is used within the tunnel to exchange prefixes between the Dynamic Routing Gateway (DRG) and your CPE. The DRG dynamically learns the routes from your on-premises network. On the Oracle side, the DRG advertises the VCN's subnets.
# The configuration template uses a basic route policy to advertise a default route to the DRG.
# To advertise additional prefixes to the Oracle VCN, add additional prefixes to the term "default" of the ORACLE-DEFAULT policy. Make sure the prefix is present in the routing table of the device with a valid next-hop.
# You configure the local BGP Autonomous System Number (BGP ASN) when you set up the IPSec connection in the Oracle Console. If you later need to change the ASN, you must recreate the CPE object and IPSec connection in the Oracle Console.
set policy-options policy-statement ORACLE-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement ORACLE-DEFAULT term default then accept
set policy-options policy-statement ORACLE-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor export ORACLE-DEFAULT
set protocols bgp group ebgp neighbor peer-as 31898
set protocols bgp group ebgp neighbor local-as
# #5b: Static Route Configuration
# USER_DEFINED: Replace the parameters in the section below as needed
# If you plan to use static routing to get traffic through the IPSec tunnels, you can point the routes down the tunnel interfaces. You should redistribute these routes into your on-premises network.
# Configuration for CPE to VCN static routes:
set routing-options static route next-hop .
# #6: Routing Instances Configuration (Optional)
# USER_DEFINED: Replace the parameters in the section below as needed.
# If you are using routing-instances on your CPE, you need to make sure you account for them in your configuration. Merge the following configuration into the template provided above.
set routing-instances interface .
set routing-instances interface .
set services service-set oracle-vpn-tunnel_2 ipsec-vpn-options local-gateway routing-instance
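Because the template is applied as a flat list of "set" commands, the easiest mistakes to make are cross-reference errors: a service set that names an ipsec-vpn rule that was never defined, a tcp-mss line bound to a service-set name that exists nowhere else, a rule with no dead-peer-detection, or a USER_DEFINED placeholder left in place. The following pre-commit lint is an added example written for this page, not Oracle's or Juniper's code; the sample config inside it is constructed and deliberately carries those defects.

```python
import re

# Constructed sample of filled-in "set" lines in the style of the template above
# (not the page's own text). Deliberate defects for the lint to catch: a service
# set bound to an undefined rule name, a service-set name with tcp-mss but no
# rule binding, a rule without dead-peer-detection, and a leftover placeholder.
SAMPLE_CONFIG = """
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then remote-gateway 192.0.2.10
set services ipsec-vpn rule oracle-vpn-tunnel_1 term 1 then dead-peer-detection interval 5
set services ipsec-vpn rule oracle-vpn-tunnel_2 term 1 then remote-gateway <oracle_headend_2>
set services service-set oracle-vpn-tunnel_1 ipsec-vpn-rules oracle-vpn-tunnel_1
set services service-set oracle-vpn-tunnel_1 tcp-mss 1387
set services service-set oracle-vpn-tunnel_2 ipsec-vpn-rules oracle-vpn-tunnel-tunnel_2
set services service-set oracle-vpn_1 tcp-mss 1387
"""

RULE_LINE = re.compile(r"^set services ipsec-vpn rule (\S+) ")
SET_LINE = re.compile(r"^set services service-set (\S+) (\S+)(?: (\S+))?")
PLACEHOLDER = re.compile(r"<\w+>|USER_DEFINED")


def lint(config):
    """Return a list of findings for a flattened Junos 'set' style config."""
    findings = []
    rules = {}        # rule name -> set of tokens seen on its lines
    bound = {}        # service-set name -> ipsec-vpn rule it references
    seen_sets = set()  # every service-set name that appears anywhere
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if line.startswith("#"):
            continue  # comments are not committed
        if PLACEHOLDER.search(line):
            findings.append("unreplaced placeholder: " + line)
        m = RULE_LINE.match(line)
        if m:
            rules.setdefault(m.group(1), set()).update(line.split())
        m = SET_LINE.match(line)
        if m:
            seen_sets.add(m.group(1))
            if m.group(2) == "ipsec-vpn-rules":
                bound[m.group(1)] = m.group(3)
    for ss, rule in sorted(bound.items()):
        if rule not in rules:
            findings.append("service-set %s references undefined rule %s" % (ss, rule))
    for ss in sorted(seen_sets - set(bound)):
        findings.append("service-set %s has no ipsec-vpn-rules binding" % ss)
    for name, tokens in sorted(rules.items()):
        if "dead-peer-detection" not in tokens:
            findings.append("rule %s has no dead-peer-detection" % name)
    if len(rules) < 2:
        findings.append("fewer than two tunnel rules defined; both tunnels are expected")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it over the output of "show configuration | display set" before committing; an empty list means the two tunnels, their rules and service sets all reference each other consistently.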