5 Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud

To complete the VPN setup, configure a GRE tunnel between your guest instances in Oracle Cloud and your Corente Services Gateway instance in Oracle Cloud.

Oracle Cloud services certified to use Corente-based VPN solutions

You can configure a GRE tunnel only on instances of the following Oracle Cloud services:

  • Oracle Cloud Infrastructure Compute Classic

  • Oracle Database Cloud Service

  • Oracle Java Cloud Service

Creating a New Linux Instance and Configuring a GRE Tunnel

You must configure a Generic Routing Encapsulation (GRE) tunnel on your Compute Classic instances to complete the VPN setup.

Follow the instructions provided in this section to create a guest instance using the provided corente-guest-launchplan.json template and configure a GRE tunnel on the newly created guest instance. To set up a GRE tunnel on running instances, see Configuring a GRE Tunnel on Running Linux Instances.

Create a Linux Client Compute Cloud Service Instance

Create your guest instance using the sample orchestration, corente-guest-launchplan.json.

  1. Create a bootable storage volume. Use an Oracle Linux 6.6 or later image, as only these versions support GRE tunneling. See Creating a Bootable Storage Volume in Using Oracle Cloud Infrastructure Compute Classic.

    Note:

    A persistent boot disk is required to retain data and patches that are applied to your instance.

  2. Download the sample orchestration, corente-guest-launchplan.json, to create a guest instance. This sample orchestration is included in the greconf_orchsamples.zip file at the following location:

    http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

  3. Modify values in the sample orchestration file based on your environment. While modifying corente-guest-launchplan.json, take care of the following requirements:

    • Ensure that you create the guest instance using the bootable storage volume you have created in step 1.

    • The client instance and the gateway instance should be in the same security list.

      In this example, a Compute instance in the Corente network is assigned to an internal security list, vpn-CSG1-secrules.

    • Ensure that the ha_policy of the orchestration is set to active.

    • The GRE tunnel addresses (both local and cloud gateway) should not be in the 10.x.x.x subnet.

    • If you have set up the VPN connection using the Compute Classic user interface, specify the default value 172.16.254.1 for the cloud gateway tunnel address (csg-tunnel-address).

  4. Upload the modified orchestration to Compute Classic, and then start the orchestration. For information about uploading and starting an orchestration, see Managing Orchestrations in Using Oracle Cloud Infrastructure Compute Classic.

  5. After creating the instance ensure that the instance is running.

  6. Note the DNS hostname assigned to the cloud gateway instance. You will need this hostname later, when running the configuration script. This is needed for HA. The cloud gateway hostname is automatically populated, and should point to the private IP address of the cloud gateway.

Sample Orchestration with Corente Tunnel Arguments

{
  "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-instance",
  "label": "corente-guest",
  "description": "Corente guest instance",
  "oplans": [
    {
      "obj_type": "launchplan",
      "label": "corente-guest-launchplan-1",
      "ha_policy": "active",
      "objects": [
        {
          "instances": [
            {
              "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest",
              "networking": {
                "eth0": {
                  "model": "e1000",
                  "dns": [
                    "corente-guest"
                  ],
                  "seclists": [
                    "/Compute-myIdentityDomain/john.doe@example.com/vpn-CSG1-secrules"
                  ],
                  "nat": "ippool:/oracle/public/ippool"
                }
              },
              "boot_order": [
                1
              ],
              "storage_attachments": [
                {
                  "index": 1,
                  "volume": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-boot-vol"
                }
              ],
              "label": "corente-guest",
              "shape": "oc3",
              "attributes": {
                "userdata": {
                  "corente-tunnel-args": "--local-tunnel-address=172.16.1.4 --csg-hostname=c9fcb5.compute-acme.oraclecloud.internal. --csg-tunnel-address=172.16.254.1 --onprem-subnets=10.2.3.0/24,10.3.2.0/24"
                }
              },
              "sshkeys": [
                "/Compute-myIdentityDomain/john.doe@example.com/adminkey"
              ]
            }
          ]
        }
      ]
    }
  ]
}

Create a GRE Tunnel

To create a GRE tunnel on your newly created Compute Classic instances:

  1. SSH to the instance where you want to create a GRE tunnel.

  2. Download the oc-config-corente-tunnel script onto this instance. This script is included in the greconf_orchsamples.zip file, which is available at the following location:

    http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

  3. Extract the contents of the greconf_orchsamples.zip file.

  4. After extracting, copy the oc-config-corente-tunnel file from the Config and Orchestration directory to the /usr/bin directory.

    Note:

    You'll need superuser privileges to copy to /usr/bin.

  5. Make the oc-config-corente-tunnel script executable:

    sudo chmod 550 oc-config-corente-tunnel
  6. Run the oc-config-corente-tunnel script:

    sudo bash /usr/bin/oc-config-corente-tunnel
  7. Add the following entry to /etc/rc.local so that the script runs automatically every time the instance boots:

    bash /usr/bin/oc-config-corente-tunnel

About Configuration Script Arguments

The oc-config-corente-tunnel configuration script accepts arguments from the userdata attribute corente-tunnel-args in a launch plan (refer to corente-guest-launchplan.json). The value of that attribute should be in the form of a command line with the following syntax (showing only required arguments):

--local-tunnel-address=<addr> --csg-hostname=<hostname> --csg-tunnel-address=<addr> --onprem-subnets=<subnet_cidrs>
The parameters, their descriptions, and example values:

csg-hostname

The host name of the cloud gateway instance is based on the value specified for the VPN gateway name while creating the cloud gateway. To identify this name, see the Instances page in the Compute Classic web console.

Mandatory. No default value. No limit.

The value for this parameter should follow the format:

hostName.compute-myIdentityDomain.oraclecloud.internal.

Example: csg1.compute-acme.oraclecloud.internal.

csg-tunnel-address

If you have set up the VPN connection using the Compute Classic user interface, specify the default value 172.16.254.1.

Mandatory.

Example: 172.16.254.1

local-tunnel-address

GRE tunnel address of the Compute instance: the local address of the GRE tunnel to the Corente Services Gateway instance in the cloud. Specify the IP address that you want to assign to the GRE interface on the Linux instance. This IP address is used to communicate with Corente Services Gateway, instances in your on-premises environment, and other IP addresses you define.

Specify an IP address from the 172.16.1.0/24 subnet.

Mandatory. No default value.

Example: 172.16.1.4

onprem-subnets

List of on-premises networks participating in the VPN, as one or more comma-separated CIDRs.

Mandatory. No default value. No limit.

Example: 10.2.3.0/24,10.3.2.0/24

ping-count

Number of pings of the cloud gateway tunnel endpoint in one iteration of the health check.

Optional. Default is 3. Minimum is 2.

Example: 5

ping-timeout

Timeout for each ping to the cloud gateway (in seconds).

Optional. Default is 2. Minimum is 1.

Example: 1

ping-interval

Interval between pings to the cloud gateway (in seconds).

Optional. Default is 10. Minimum is 3.

Example: 3
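The constraints in this table can be checked before an orchestration is uploaded or the script is run by hand. The following Python validator is an added example, not part of the Oracle download or the oc-config-corente-tunnel script; it applies only the rules stated above (mandatory arguments, a local address from 172.16.1.0/24, no 10.x.x.x tunnel address at either end, the .oraclecloud.internal. hostname suffix, well-formed CIDRs, and the ping defaults and minimums), and its sample input is a constructed copy of the corente-tunnel-args value from the sample orchestration.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constraints come from the argument table above; nothing here is from the Oracle script.
REQUIRED = ("local-tunnel-address", "csg-hostname", "csg-tunnel-address", "onprem-subnets")
PING_OPTS = {"ping-count": (3, 2), "ping-timeout": (2, 1), "ping-interval": (10, 3)}  # (default, minimum)
LOCAL_TUNNEL_NET = ip_network("172.16.1.0/24")   # local-tunnel-address must come from here
FORBIDDEN_NET = ip_network("10.0.0.0/8")         # neither tunnel address may be 10.x.x.x


def parse_tunnel_args(cmdline):
    """Split a corente-tunnel-args command line into a {key: value} dict."""
    opts = {}
    for token in shlex.split(cmdline):
        if not token.startswith("--") or "=" not in token:
            raise ValueError("expected --key=value, got %r" % token)
        key, value = token[2:].split("=", 1)
        opts[key] = value
    return opts


def validate_tunnel_args(cmdline):
    """Return (resolved options, problems); an empty problem list means the line is acceptable."""
    opts = parse_tunnel_args(cmdline)
    problems = [k + " is mandatory" for k in REQUIRED if k not in opts]
    if problems:
        return opts, problems
    addrs = {}
    for name in ("local-tunnel-address", "csg-tunnel-address"):
        try:
            addrs[name] = ip_address(opts[name])
        except ValueError:
            problems.append(name + " is not a valid IP address")
            continue
        if addrs[name] in FORBIDDEN_NET:
            problems.append(name + " must not be in the 10.x.x.x range")
    if "local-tunnel-address" in addrs and addrs["local-tunnel-address"] not in LOCAL_TUNNEL_NET:
        problems.append("local-tunnel-address must come from 172.16.1.0/24")
    if not opts["csg-hostname"].rstrip(".").endswith(".oraclecloud.internal"):
        problems.append("csg-hostname should end with .oraclecloud.internal.")
    for cidr in opts["onprem-subnets"].split(","):
        try:
            ip_network(cidr.strip())   # strict: a host address such as 10.2.3.1/24 is rejected
        except ValueError:
            problems.append("onprem-subnets: %r is not a valid CIDR" % cidr)
    resolved = dict(opts)
    for name, (default, minimum) in PING_OPTS.items():
        resolved[name] = int(opts.get(name, default))   # non-integer values raise ValueError
        if resolved[name] < minimum:
            problems.append("%s must be at least %d" % (name, minimum))
    return resolved, problems


# Constructed sample: the corente-tunnel-args value from the sample orchestration above.
SAMPLE_ARGS = ("--local-tunnel-address=172.16.1.4 --csg-hostname=c9fcb5.compute-acme.oraclecloud.internal. "
               "--csg-tunnel-address=172.16.254.1 --onprem-subnets=10.2.3.0/24,10.3.2.0/24")
```

Calling validate_tunnel_args(SAMPLE_ARGS) returns the resolved options with the ping defaults filled in and an empty problem list; the same call on a line with a 10.x.x.x local address or a ping-count of 1 returns one problem per violated rule.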

Configuring a GRE Tunnel on Running Linux Instances

You can set up a GRE tunnel to the Corente Services Gateway on existing Compute Classic instances. Use the procedure described in this chapter to set up a GRE tunnel on running Linux instances without restarting orchestrations.

Ensure that the service instance on Oracle Cloud (where the GRE script runs) and the cloud gateway instance (the one it is paired with) are part of the same security list.

Do the following:

  1. Install dig utility if it is not available. The dig utility is used for DNS resolution.

    yum install bind-utils
  2. Create an opc-compute directory in /var/log for the Corente log files.

    cd /var/log
    mkdir opc-compute
  3. Go to the /usr/bin directory.

    cd /usr/bin
  4. Ensure that the script is executable. Run the following command:

    sudo chmod 550 oc-config-corente-tunnel
  5. Run the following commands:

    $ sudo bash
    $ nohup ./oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &

    Note:

    You may have to wait up to 1 minute before the GRE tunnel is up.

    For a description of the configuration parameters, see About Configuration Script Arguments.

    Note:

    Customize the command-line parameters, as needed (same syntax as the corente-tunnel-args userdata attribute). You must run the script in background, as the script won’t exit.
  6. Verify that the GRE tunnel is functional by pinging a live IP address in your data center network directly from the instance.

  7. Add the following entry to the /etc/rc.local file.

    nohup bash /usr/bin/oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &

    Note:

    Customize the command-line parameters, as needed. The values of the parameters should match what you entered in step 4.

Configuring a GRE Tunnel on a Windows Instance

To complete the VPN setup, configure a GRE tunnel between your Windows instance and Corente Services Gateway instance.

Creating a Windows Server 2012 R2 Client Instance

Follow the instructions provided in this section to create a Windows guest instance.

If you want to create a GRE tunnel on an existing Windows instance, skip this section and see Creating a GRE Tunnel on a Windows Guest Instance.

To create a guest Windows instance:

  1. Identify the Windows image that you are going to use while creating the instance. Ensure that you use an image of Windows Server 2012 R2 as only Windows Server 2012 R2 with a hotfix applied supports GRE tunneling. Windows images are available in Oracle Cloud Marketplace.

  2. Create your Windows guest instance from the Instances page. See Workflow for Creating Your First Windows Instance in Using Oracle Cloud Infrastructure Compute Classic. Take care of the following requirements:

    • By default, High Availability (HA) policy is set to active. Retain this value.

    • By default, RDP is enabled. Retain this value to use RDP to access your Windows instance.

    • By default, the Storage page shows the persistent boot disk that will be created and used to boot your instance. Retain this setting.

      Note:

      A persistent boot disk is required to retain data and patches that are applied to your instance.

      If you are using the CLI tool or REST API for Compute Classic to automate instance creation, ensure that you use a bootable storage volume while creating your Windows instance.

  3. After creating the instance, ensure that the instance is running.

  4. Enable RDP access to your Windows instance. RDP access to your Windows instance is not enabled by default. See Accessing a Windows Instance Using RDP in Using Oracle Cloud Infrastructure Compute Classic.

After creating the instance, create a GRE tunnel on the instance. See Creating a GRE Tunnel on a Windows Guest Instance.

Creating a GRE Tunnel on a Windows Guest Instance

To complete the VPN setup, create a GRE tunnel between your guest Windows instance in Oracle Cloud and your Corente Services Gateway instance in Oracle Cloud. oc-config-corente-tunnel.ps1 is a Windows PowerShell script that establishes the GRE tunnel between your Corente Services Gateway and your guest Windows instance in Oracle Cloud. The script continuously monitors the health of the GRE tunnel and re-establishes the tunnel on failure. You can schedule the script to run in a continuous loop on the instance so that it reconnects to the CSG instance when the CSG instance is restarted.

Before creating a GRE tunnel on your guest Windows instance, ensure that you complete the following prerequisites:

  • The Windows guest instance and the Compute Classic instance on which you have set up Corente Services Gateway must be part of the vpn-CSG1-secrules security list. Add the Windows guest instance to the vpn-CSG1-secrules security list. For information about adding an instance to a security list, see Adding an Instance to a Security List in Using Oracle Cloud Infrastructure Compute Classic.

  • Ensure that the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents exists and its value is set to 0.

    Caution:

    Improper editing of registry keys can cause serious problems. For the instructions to edit registry keys, see the Windows documentation.

  • Apply the hotfix provided by Microsoft to your Windows 2012 R2 server instance. For more information about downloading and applying the hotfix, see https://support.microsoft.com/en-us/kb/3022776.

    Ensure that the instance is running after applying the hotfix.

  • Remote Access, a PowerShell module, should be available. Enter the following PowerShell command at the command prompt to display a list of all loaded modules.

    Get-Module -ListAvailable

    If you don't see Remote Access in the list, use the Server Manager tool to add Remote Access as a role. Select the Direct Access and VPN (RAS) role service while adding the Remote Access role.

  • Ensure that you can RDP to your Windows instance. RDP access to your Windows instance is not enabled by default. To enable RDP access on your Windows instance, see Accessing a Windows Instance Using RDP in Using Oracle Cloud Infrastructure Compute Classic.

    Ensure that the Windows instance is running after enabling RDP access.

To create a GRE tunnel on your guest Windows instance after completing the prerequisites:

  1. Download the oc-config-corente-tunnel.ps1 script to your instance. You can either download the script directly on to the instance, or download the file elsewhere and copy the file to the instance. To download the file directly on to the instance, you should log in to the instance.

    You can download the script (included in greconf_orchsamples.zip) from the following location:

    http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

  2. Enter the following command at the command prompt to run the oc-config-corente-tunnel.ps1 script. You must provide values for all the parameters. In the following example, it is considered that the oc-config-corente-tunnel.ps1 script is available at C:\. When you run this command, specify the complete path of the location where you have downloaded the script file.

    Syntax

    powershell -File C:\oc-config-corente-tunnel.ps1 Name-of-tunnel CSG-hostname GRE-tunnel-destination-prefix GRE-local-IPAddress Remote-IPv4Subnet:Metric Prefix-length

    Example: Creating a GRE tunnel by specifying a single remote route

    powershell -File C:\oc-config-corente-tunnel.ps1 GREtoCSG csg1.compute-acme.oraclecloud.internal. 172.16.254.1/32 172.16.1.9 192.168.10.0/24:100 24

    Example: Creating a GRE tunnel by specifying multiple remote routes

    powershell -File C:\oc-config-corente-tunnel.ps1 GREtoCSG c9fcb5.compute-acme.oraclecloud.internal. 172.16.254.1/32 172.16.1.9 "192.168.10.0/24:100,192.168.133.0/24:100" 24

    The script runs checks to ensure that the prerequisites are met, and then establishes a GRE tunnel. The time taken to establish the tunnel varies depending on your environment. Do not close or quit the terminal window while the script is running.

    Note:

    If you provide incorrect parameters, stop the script, and then enter the correct parameters to run the oc-config-corente-tunnel.ps1 script.

    Parameter and descriptions

    The parameters, their descriptions, and example values:

    Name-of-tunnel

    An alphanumeric string representing a name for the GRE tunnel between the guest Windows instance in Oracle Cloud and the Corente Services Gateway instance in Oracle Cloud.

    Example: GREtoCSG

    CSG-hostname

    The host name of the cloud gateway instance is based on the value specified for the VPN gateway name while creating the cloud gateway. You can find the DNS name on the instance information page in the Compute Classic web console.

    The value for this parameter should follow the format:

    hostName.compute-myIdentityDomain.oraclecloud.internal.

    Example: csg1.compute-acme.oraclecloud.internal.

    GRE-tunnel-destination-prefix

    Specify the default value 172.16.254.1/32, if you have not changed this value using App Net Manager.

    Example: 172.16.254.1/32

    GRE-local-IPAddress

    Local address of the GRE tunnel to the Corente Services Gateway instance on the Windows side. This is also known as local-tunnel-address. Specify the IP address that you want to assign to the GRE interface on the Windows instance. This IP address is used to communicate with Corente Services Gateway, instances in your on-premises environment, and other IP addresses you define.

    Specify an IP address from the 172.16.1.0/24 subnet.

    Example: 172.16.1.9

    Remote-IPv4Subnet:Metric

    Remote-IPv4Subnet is a customer-reachable route or on-premises subnet. You can also provide a comma-separated list of multiple remote subnets.

    Metric: Routing metrics are used for precedence when multiple routes exist to a single destination. In this case there is only one route; however, you must still provide an integer value.

    Example (single route): 192.168.10.0/24:100

    Example (multiple routes): 192.168.122.0/24:100,192.168.133.0/24:100

    Prefix-length

    Prefix length of the subnet to which GRE-local-IPAddress belongs.

    Example: if you specify 172.16.1.9 as the value for GRE-local-IPAddress and the IPv4 subnet to which it belongs is 172.16.1.0/24, then the Prefix-length is 24.

  3. To automatically set up the GRE tunnel to Corente Services Gateway every time the system restarts, use the Task Scheduler in Windows to run the following command on system restart. The example provided here uses sample values. Specify values for the parameters based on your environment.

    cmd /C powershell -File C:\oc-config-corente-tunnel.ps1 GREtoCSG c9fcb5.compute-acme.oraclecloud.internal. 172.16.254.1/32 172.16.1.9 192.168.10.0/24:100 24 >>c:\corente.log 2>&1

    For more information about using Task Scheduler to run a PowerShell script, see Windows documentation.

    Note:

    When the system restarts, the Remote Access service may not be available immediately. You might find a few error messages logged in the C:\corente.log file to indicate that Remote Access service is not available. However, the script runs continuously and the GRE tunnel is established when the Remote Access service becomes available.
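The positional parameter contract documented in step 2 above is easy to get wrong because the arguments are unnamed. As an added example (not the oc-config-corente-tunnel.ps1 script itself, and not Oracle code), the following Python code maps the six positional arguments to names and checks them against the table: an alphanumeric tunnel name, the .oraclecloud.internal. hostname suffix, a /32 destination prefix, Remote-IPv4Subnet:Metric entries with an integer metric, and a GRE-local-IPAddress that, combined with Prefix-length, describes the 172.16.1.0/24 subnet. The argument list at the end is a constructed copy of the multiple-remote-routes example.

```python
from ipaddress import ip_interface, ip_network

# The expected local subnet (172.16.1.0/24) and the /32 default destination prefix
# are the values documented in the parameter table in step 2.
EXPECTED_LOCAL_NET = ip_network("172.16.1.0/24")


def parse_routes(spec):
    """Parse 'subnet:metric[,subnet:metric...]' into a list of (IPv4Network, int)."""
    routes = []
    for entry in spec.split(","):
        subnet, sep, metric = entry.strip().rpartition(":")
        if not sep or not metric.isdigit():   # the metric is a mandatory integer
            raise ValueError("expected subnet/len:metric, got %r" % entry)
        routes.append((ip_network(subnet), int(metric)))
    return routes


def parse_windows_args(argv):
    """Name the six positional arguments and check them; returns (params, problems)."""
    if len(argv) != 6:
        raise ValueError("expected 6 positional arguments, got %d" % len(argv))
    name, csg_host, dest_prefix, local_ip, route_spec, prefix_len = argv
    problems = []
    if not name.isalnum():
        problems.append("Name-of-tunnel must be an alphanumeric string")
    if not csg_host.rstrip(".").endswith(".oraclecloud.internal"):
        problems.append("CSG-hostname should end with .oraclecloud.internal.")
    dest = ip_network(dest_prefix)
    if dest.prefixlen != 32:
        problems.append("GRE-tunnel-destination-prefix is normally a /32 (default 172.16.254.1/32)")
    # Prefix-length qualifies GRE-local-IPAddress; together they must describe 172.16.1.0/24.
    local = ip_interface("%s/%s" % (local_ip, prefix_len))
    if local.network != EXPECTED_LOCAL_NET:
        problems.append("GRE-local-IPAddress/Prefix-length gives %s, expected %s"
                        % (local.network, EXPECTED_LOCAL_NET))
    params = {"name": name, "csg_host": csg_host, "destination": dest,
              "local": local, "routes": parse_routes(route_spec)}
    return params, problems


# Constructed sample: the multiple-remote-routes example from step 2.
SAMPLE_ARGV = ["GREtoCSG", "c9fcb5.compute-acme.oraclecloud.internal.", "172.16.254.1/32",
               "172.16.1.9", "192.168.10.0/24:100,192.168.133.0/24:100", "24"]
```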