1. Using Oracle Cloud Infrastructure Compute Classic
  2. Setting Up a VPN Connection Using VPNaaS

16 Setting Up a VPN Connection Using VPNaaS

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

Topics

Setting Up VPN Using VPNaaS

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

You can set up a VPN connection between your data center and IP networks in your Compute Classic site using VPN as a Service (VPNaaS). This provides a secure communication channel between your data center and instances that are added to your IP networks.

While you can continue to access your instances in Compute Classic over the public internet securely using SSH or RDP, a VPN connection provides enhanced security. IPSec-based tunnels carry encrypted traffic between your data center and your instances in Compute Classic. Your data can’t be stolen or intercepted. By using a VPN connection, you effectively extend your data center network to include instances in Compute Classic.

The following figure shows two VPN connections between your data center and your Compute Classic site using VPN as a Service. In this scenario, both connections could be configured as failover partners to ensure active-active high availability.


VPN connections between your data center and your Compute Classic site

You can configure any supported third-party device in your data center to participate in the VPN connection.

Note:

You can use VPNaaS to set up a tunnel to instances that are on IP networks. VPNaaS doesn't support VPN connections to instances that don’t have an interface on IP networks.

Topics

Third-Party VPN Device Configurations

The following table lists the certified third-party VPN device configurations.

Certified Configurations Devices

  • Encryption AES256; Hash SHA-256

  • DH phase 1 group 14

  • No Perfect Forward Secrecy (PFS); so no Diffie-Hellman (DH) phase 2 group

Cisco 2921

Cisco ISR 4331

Checkpoint 3200

Palo Alto 3020

FortiGate-200D

  • Encryption AES256; Hash SHA-256

  • DH phase 1 group 14; DH phase 2 group 14

Cisco 2921

Cisco ISR 4331

Checkpoint 3200

Palo Alto 3020

FortiGate-200D

  • Encryption AES128; Hash SHA-256

  • DH phase 1 group 14; no PFS

Cisco 2921

Cisco ISR 4331

Checkpoint 3200

Palo Alto 3020

FortiGate-200D

  • Encryption AES192; Hash SHA-1

  • DH phase 1 group 2, DH phase 2 group 2

Cisco ASA5505

  • Encryption AES256; Hash SHA-1

  • DH phase 1 group 5; no PFS

Cisco ISR 4331

Checkpoint 3200

Palo Alto 3020

FortiGate-200D

Other devices may work if they are configured with the certified configurations. Consider the following information while configuring your third-party device for a VPN connection.

  • Configuration Information

    • The cloud gateway used by VPNaaS uses IPSec and is behind a NAT, so network address translation traversal (NAT-T) is required. Ensure that the third-party device in your data center supports NAT-T. NAT-T requires UDP port 4500 to be open.

    • Devices must support and be configured for policy-based VPN.

    • Ensure that the same subnets are defined on the third-party device and cloud gateway.

    • IPSec configuration information

      • IPSec protocol: ESP, tunnel-mode

      • Authentication: Pre-shared keys

      • Encryption: AES-128, AES-192, AES-256

      • Hash: MD5, SHA-1, SHA-2

      • Policy Group: Diffie-Hellman groups supported are 2, 5, 14, 22, 23, 24

      • Ensure the IPSec lifetime on the cloud gateway and the third-party device are the same.

      • Set life size as unlimited. Set reasonable traffic volume limits only if traffic limits are required by the third-party device.

      • Remove idle timeout.

    • ISAKMP: IKEv1 only. If IKEv2 is enabled by default, turn it off.

    • Exchange type: Main Mode (The cloud gateway uses main mode in phase one negotiations)

    • It is highly recommended that the third-party device be configured to be responder-only as the cloud gateway ensure that the VPN tunnel is up.

    • Phase 1 IKE configuration information

      • Ensure that the IKE ID on the cloud gateway and the third-party device match.

      • Ensure the IKE lifetime on the cloud gateway and the third-party device are the same.

    • PFS: Enabled

  • HA Information

    • When HA is configured, Dead Peer Detection (DPD) must be enabled to detect when a tunnel is down.

    • When HA is configured, asymmetric routing across the tunnels that make up the VPN connection will occur. Ensure that your firewall is configured to support this. If not, traffic will not be routed reliably.

    • Switching tunnels might take 30–40 seconds.

Workflow for Setting Up a VPN Connection

Here’s the workflow to set up your VPN connection using VPNaaS:

  1. Create the IP network that you want to use for the VPN connection. See Creating an IP Network. Make a note of the name of this IP network. You’ll need to specify this IP network when you create the VPN connection.

  2. (Optional) You can access multiple IP networks over a single VPN connection, as long as all the IP networks belong to the same IP network exchange. To do this, create an IP network exchange and add all the required IP networks to the IP network exchange.

    Tip:

    If you want access to a large number of instances, it is recommended that you avoid setting up numerous IP networks with a /32 subnet. Instead, use a smaller number of IP networks with larger subnets. If you create a very large number of IP networks, a large number of IPSec security associations are required, which could cause performance degradation on some third-party devices.

    See Creating an IP Network Exchange and Adding an IP Network to an IP Network Exchange.

  3. Create a vNICset. When you create instances, specify this vNICset for each vNIC that is added to an IP network that will be reachable over the VPN connection. You’ll use this vNICset later, when you create the VPN connection. See Creating a vNICset.

  4. Create the instances that you want to access using VPN. While creating instances, add them to the IP network that will be reachable over the VPN connection. If you’ve created multiple IP networks and added them to an IP network exchange, you can add an instance to any of those IP networks. For each vNIC that is added to an IP network to be accessed over the VPN connection, specify the vNICset that you created in the previous step. See Creating Instances.

    Note:

    You can add an instance to one or more IP networks only while creating the instance. If you’ve already created an instance that doesn’t have an interface on any IP network, you won’t be able to access it over a VPN connection created by using VPNaaS. To access these instances over VPN, set up a VPN connection to the shared network using the web console. See Setting Up VPN.

    Note:

    With VPNaaS, you access instances using their private IP addresses. So you don’t have to associate a public IP address with the instance,

  5. Configure a supported third-party VPN device in your data center and make a note of the public IP address and the domain name of this gateway. You’ll need this information when you create the VPN connection.

    Device configuration varies depending on the type and model of your device. For supported configurations, see Third-Party VPN Device Configurations.

  6. Ensure that you have the pre-shared key (PSK) that you want to use for this VPN connection. You’ll need to specify the PSK when you create the VPN connection.

  7. Create the VPN connection. See Creating a VPN Connection Using VPNaaS.

    The VPN connection is listed on the VPN Connections page.

  8. You can monitor the provisioning status of your VPN connection by looking at the value of Life Cycle Status on the VPN Connections page. While your VPN connection is being configured, its Life Cycle Status is Provisioning.

    When your VPN connection is fully provisioned and configured, its Life Cycle Status changes to Ready. When your cloud VPN gateway has been created, you will see the public IP address of the gateway. Make a note of this public IP address. See Listing VPNaaS Connections.

    Note:

    It can take some time for your VPN gateway to be created and for the public IP address of the gateway to become available.

    If the VPN connection was not provisioned and the Life Cycle Status of the VPN connection remains Provisioning, you can retry to provision the VPN connection within an hour. You can also retry establishing a VPN connection that is in the Error state.

    • Go to the VPN connection. From the menu icon menu, select Retry to retry establishing the VPN connection.

  9. Update the third-party VPN device in your data center with the public IP address of your cloud VPN gateway.

  10. When the IPSec tunnel between the cloud gateway and the third-party device in your data center is established, the Tunnel status changes to Up.

    WARNING:

    The security rules and access control list required to enable traffic to the cloud VPN gateway are created automatically. The routes required to enable traffic from your cloud gateway to your IP networks are also created automatically. Ensure that you don’t accidentally modify or delete these objects, as it could break the VPN connection.

    If the IPSec tunnel is not established, view the error logs and troubleshoot the issue:

    On the VPN Connections page, from the menu icon menu, select View Event Log. See Viewing the Event Log for a VPN Connection.

  11. After the first VPN connection is created and the status shows that the connection is up, you can set up a second VPN connection to provide high availability (HA). When you create a second VPN connection with exactly the same IP network and reachable routes as an existing VPN connection, the second VPN connection is automatically recognized as the failover partner for the first VPN connection. The paired connections are also automatically configured for load balancing.

    Note:

    When you create a second VPN connection to be used as a failover partner, you don’t have to specify the same gateway in your data center for this connection. Only the IP network used by this VPN connection and the reachable routes specified must be the same. You can use either the same gateway or a different gateway in your data center. If you specify the same gateway in your data center, then active-passive HA is implemented. To implement active-active HA, specify a different gateway for each of the VPN connections.

  12. If you want to modify the list of subnets in your data center that you can access over this VPN connection, update the VPN connection.

    If you want to modify the list of IP networks in your Compute Classic site that you can access over this VPN connection, add the IP networks to or remove the IP networks from the IP network exchange, and then update the VPN connection. See Updating a VPNaaS Connection.

Creating VPN Connections Using VPNaaS

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

You can set up a VPN connection between your data center and IP networks in your Compute Classic site to provide a secure communication channel between your data center and instances that are added to IP networks in your Compute Classic account.

Prerequisites

Before you create a VPN connection, ensure that:

  • You’ve created the IP network that you want to access using this VPN connection and you’ve added it to an IP network exchange, if required.

  • You’ve created a vNICset for the vNICs that you want to access using this VPN connection, if required. Alternatively, you can use the default vNICset.

  • You’ve set up a VPN gateway in your data center and you know the public IP address, pre-shared key, and IKE ID of your gateway, as well as the subnets in your data center that you want to reach.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Creating a VPN Connection Using VPNaaS

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand VPNaaS, and then click VPN Connections.
  4. Click Create VPN Connection.
  5. Select or enter the required information:
    • Name: Enter a name for the VPN connection.
    • IP Network: Select the IP network that you want to access over this VPN connection.
    • Connected IP Networks: This field displays the IP networks that will be reachable over this VPN connection. The VPN connection allows you to access all IP networks that are added to the same IP network exchange as the specified IP networks.
    • vNICsets: Select the vNICsets that contain the vNICs that you want to access over this VPN connection. A vNIC must belong to one of the specified vNICsets and it must be part of one of the connected IP networks, to be reachable over this VPN connection.
    • Customer Gateway: Enter the public IP address of the VPN device in your data center that you want to connect to.
    • Customer Reachable Routes: Enter (in CIDR format) a comma-separated list of subnets in your data center that should be reachable using this VPN connection.
    • Pre-shared Key: The pre-shared key (PSK), is used while setting up the VPN connection to establish the authenticity of the gateway that is requesting the connection. You must enter the same key here and on the gateway in your data center. The PSK must contain only alphanumeric characters.
    • IKE ID: The Internet Key Exchange (IKE) ID is used to identify the cloud gateway on the gateway in your data center. Only IKE v1 in Main Mode is supported. The IKE ID can be the name or IP address of your cloud gateway. If you don’t specify the IKE ID, then the IP address of your cloud gateway is used by default. Alternatively, you can specify a text string that you want to use as the IKE ID. The IKE ID is case sensitive and can contain a maximum of 255 ASCII alphanumeric characters including special characters, period (.), hyphen (-), and underscore (_). The IKE ID can’t contain embedded space characters.

      Note:

      If you specify the IKE ID, ensure that you specify the Peer ID type as Domain Name on the gateway in your data center. Other Peer ID types, such as email address, firewall identifier or key identifier, aren’t supported.

    • Specify Phase 1 IKE Proposal: Select this option to specify Phase 1 IKE v1 options, if required. You can specify the following values:

      • IKE Encryption: Select the IKE encryption algorithm.

      • IKE Hash: Select the IKE hash algorithm.

      • IKE DH group: Select the Diffie Hellman (DH) group.

      • IKE Lifetime: Specify a value between 600 seconds to 9999999 seconds. The default value is 28800 seconds.

      If no values are specified, all possible values are permitted.

    • Specify Phase 2 ESP Proposal: Select this option to specify Phase 2 Encapsulating Security Payload (ESP) options, if required. You can specify the following values:

      • ESP Encryption: Select the ESP encryption algorithm.

      • ESP Hash: Select the ESP hash algorithm.

      • IPSEC Lifetime: Specify a value between 600 seconds to 9999999 seconds. The default value is 3600 seconds.

      If no values are specified, all possible values are permitted.

    • Require Perfect Forward Secrecy: This option is selected by default. If the gateway in your data center supports Perfect Forward Secrecy (PFS), retain this setting to require PFS.
    • Specify Outbound NAT: Select this option to map or NAT a local subnet of IP addresses to another subnet. The local IP address of instance is not exposed to remote applications as traffic always appears to flow through the mapped IP address. This is a useful way to organize an entire application network. An administrator can map every local subnet to a distinct set of address ranges so that there are no address conflicts. The traffic from each site can then be identified by the range into which it was mapped. It is the responsibility of the system administrator in your data center to ensure that there are no conflicts between the addresses that are specified for each subnet. The maximum number of /32 mapping entries is limited to 50 and other IP prefix mapping entries is limited 30.

      • From IP Prefix: Enter the IP address prefix, in CIDR format, of the IP network that you want to add as a subnet of the VPN connection. You can’t enter a wider range of the IP address prefix that’s associated with an IP network, but you can enter a narrower or granular range of the IP address prefix. For example, if the IP address prefix of an IP network is 10.1.1.0/24, then you can enter 10.1.1.0/24 or a narrower range 10.1.1.0/28 but you can’t enter a wider range such as 10.1.1.0/16.

        If you enter a narrower range of the IP address prefix that’s associated with an IP network, only the specified IP address prefix is added to the VPN subnet with NAT enabled and the corresponding IP network is not added as a subnet of the VPN.

      • To IP Address: Enter an IP address to which you want to translate or map the specified IP address prefix. To remote applications traffic always appears to flow through the IP address you specify.

        Although you don't enter the subnet mask for this IP address, it is assigned the same subnet mask that you have specified in the From IP Prefix text box.

      To add a narrower range of an IP address prefix of an IP network as a VPN subnet without enabling NAT for this subnet, add the same values in the From IP Prefix text box and the To IP Address text box. For example, if you enter 10.1.2.0/24 in the From IP Prefix text box, then enter 10.1.2.0 in the To IP Address text box.

      Note:

      If you’ve entered narrower range of IP address prefixes for the IP network that is directly attached to the VPN connection (that’s the IP network you’ve selected in the IP Network drop-down list), check if the first IP address of the directly attached IP network is included in one of the narrower range prefixes. If the first IP address of the IP network is not included, you must create a separate entry under Specify Outbound NAT to NAT this IP address. For example, let’s consider that the IP address prefix of an IP network is 10.1.1.0/24. To NAT the first IP address of the IP network, enter 10.1.1.1/32 for From IP Prefix and 10.1.1.1 for To IP Address. This setting manages traffic between cloud gateway and cloud hypervisor.

      You must also add the first IP address, for example 10.1.1.1/32, to the remote encryption subnet list of the third-party device in your data center to establish the VPN tunnel.

    • Description: Enter a description.
    • Tags: Specify one or more tags to help you identify and categorize the VPN connection.
  6. Click Create.

The VPN connection is listed on the VPN Connections page. You can monitor the provisioning status of your VPN connection by looking at the value of Life Cycle Status on the VPN Connections page. While your VPN connection is being configured, its Life Cycle Status is Provisioning.

When your VPN connection is fully provisioned and configured, its Life Cycle Status changes to Ready. When your cloud VPN gateway has been created, you will see the public IP address of the gateway.

If the VPN connection was not provisioned and the VPN connection remains in the Provisioning state, you can retry to provision the VPN connection within an hour. On the VPN Connections page, go to the VPN connection that is in the Provisioning state. From the menu icon menu, select Retry. You can also retry establishing a VPN connection that is in the Error state.

Other Ways of Creating a VPN Connection Using VPNaaS

To create a VPN connection using the CLI, use the opc compute vpn-endpoint-v2 add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To create a VPN connection using the API, use the POST /vpnendpoint/v2/ method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Viewing the Event Log for a VPN Connection

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

If the VPN connection between the cloud gateway and the third-party device in your data center is not established or if the IPSec tunnel goes down, you can view the event log to identify and troubleshoot the issues. This log provides information about the tunnel events.

Prerequisites

  • To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand VPNaaS, and then click VPN Connections.
  4. Go to the VPN connection that you want to update. From the menu icon menu, select View Event Log.
    The event log for the last 72 hours is displayed, with the most recent events listed first.
  5. Click Download to download the event log to identify and troubleshoot the issues.

Listing VPNaaS Connections

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

After you’ve created a VPN connection using VPNaaS, you can view your existing connections and see information about the status of the connection and connected IP networks, as well as the gateway in your data center and the on-premises subnets that you are connecting to.

Prerequisites

  • To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand VPNaaS, and then click VPN Connections.
The VPN Connections page shows a list of VPN connections, along with information about each connection and its current status.

To list VPN connections using the CLI, use the opc compute vpn-endpoint-v2 list command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To list VPN connections using the API, use the GET /vpnendpoint/v2/container method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Updating a VPNaaS Connection

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

After creating a VPN connection using VPNaaS, you can update the subnets in your data center that you want to access using this VPN connection. You can also modify the public IP address of your network gateway, pre-shared key, description, and tags. If you want to modify the list of IP networks in your Compute Classic site that you can access over this VPN connection, first add or remove the IP networks from the IP network exchange, and then update the VPN connection.

Prerequisites

  • If you want to add IP networks that you can access using an existing VPN connection, you must have created the new IP networks and added them to the same IP network exchange. See Creating an IP Network Exchange and Creating an IP Network.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand VPNaaS, and then click VPN Connections.
  4. Go to the VPN connection that you want to update. From the menu icon menu, select Update.
  5. Update the information as required:
    • Customer Reachable Routes: Update the list of subnets in your data center that should be reachable using this VPN connection.
    • Pre-shared Key: Update the pre-shared key (PSK), used while setting up the VPN connection. You must enter the same key here and on the gateway in your data center. The PSK must contain only alphanumeric characters.
    • IKE ID: Update the Internet Key Exchange (IKE) ID, used to identify the cloud gateway on the gateway in your data center. Only IKE v1 in Main Mode is supported. The IKE ID can be the name or IP address of your cloud gateway. If you don’t specify the IKE ID, then the IP address of your cloud gateway is used by default. Alternatively, you can specify a text string that you want to use as the IKE ID. The IKE ID is case sensitive and can contain a maximum of 255 ASCII alphanumeric characters including special characters, period (.), hyphen (-), and underscore (_). The IKE ID can’t contain embedded space characters.

      Note:

      If you specify the IKE ID, ensure that you specify the Peer ID type as Domain Name on the gateway in your data center. Other Peer ID types, such as email address, firewall identifier or key identifier, aren’t supported.

    • Specify Phase 1 IKE Proposal: Update this option to specify Phase 1 IKE v1 options, if required. You can specify the following values:

      • IKE Encryption: The IKE encryption algorithm.

      • IKE Hash: The IKE hash algorithm.

      • IKE DH group: The Diffie Hellman (DH) group.

      • IKE Lifetime: Update to a value between 600 seconds to 9999999 seconds. The default value is 28800 seconds.

      If no values are specified, all possible values are permitted.

    • Specify Phase 2 ESP Proposal: Update this option to specify Phase 2 Encapsulating Security Payload (ESP) options, if required. You can specify the following values:

      • ESP Encryption: The ESP encryption algorithm.

      • ESP Hash: The ESP hash algorithm.

      • IPSEC Lifetime: Update to a value between 600 seconds to 9999999 seconds. The default value is 3600 seconds.

      If no values are specified, all possible values are permitted.

    • Require Perfect Forward Secrecy: This option is selected by default. If the gateway in your data center supports Perfect Forward Secrecy (PFS), retain this setting to require PFS.
    • Specify Outbound NAT: Select this option to map or NAT a local subnet of IP addresses to another subnet. The local IP address of instance is not exposed to remote applications as traffic always appears to flow through the mapped IP address. This is a useful way to organize an entire application network. An administrator can map every local subnet to a distinct set of address ranges so that there are no address conflicts. The traffic from each site can then be identified by the range into which it was mapped. It is the responsibility of the system administrator in your data center to ensure that there are no conflicts between the addresses that are specified for each subnet. The maximum number of /32 mapping entries is limited to 50 and other IP prefix mapping entries is limited 30.

      • From IP Prefix: Enter the IP address prefix, in CIDR format, of the IP network that you want to add as a subnet of the VPN connection. You can’t enter a wider range of the IP address prefix that’s associated with an IP network, but you can enter a narrower or granular range of the IP address prefix. For example, if the IP address prefix of an IP network is 10.1.1.0/24, then you can enter 10.1.1.0/24 or a narrower range 10.1.1.0/28 but you can’t enter a wider range such as 10.1.1.0/16.

        If you enter a narrower range of the IP address prefix that’s associated with an IP network, only the specified IP address prefix is added to the VPN subnet with NAT enabled and the corresponding IP network is not added as a subnet of the VPN.

      • To IP Address: Enter an IP address to which you want to translate or map the specified IP address prefix. To remote applications traffic always appears to flow through the IP address you specify.

        Although you don't enter the subnet mask for this IP address, it is assigned the same subnet mask that you have specified in the From IP Prefix text box.

      To add a narrower range of an IP address prefix of an IP network as a VPN subnet without enabling NAT for this subnet, add the same values in the From IP Prefix text box and the To IP Address text box. For example, if you enter 10.1.2.0/24 in the From IP Prefix text box, then enter 10.1.2.0 in the To IP Address text box.

      Note:

      If you’ve entered narrower range of IP address prefixes for the IP network that is directly attached to the VPN connection or the IP network you’ve selected in the IP Network drop-down box, check if the first IP address of the directly attached IP network is included in one of the narrower range prefixes. If the first IP address of the IP network is not included, you must create a separate entry under Specify Outbound NAT to NAT this IP address. For example, let’s consider that the IP address prefix of an IP network is 10.1.1.0/24. To NAT the first IP address of the IP network, enter 10.1.1.1/32 for From IP Prefix and 10.1.1.1 for To IP Address. This setting manages traffic between cloud gateway and cloud hypervisor.

      You must also add the first IP address, for example 10.1.1.1/32, to the remote encryption subnet list of the third-party device in your data center to establish the VPN tunnel.

    • Description: Enter a description.
    • Tags: Specify one or more tags to help you identify and categorize the VPN connection.

    Note:

    If you’ve added the specified IP network to an IP network exchange, or if you’ve added IP networks to the IP network exchange or removed IP networks from the IP network exchange, the Update dialog box displays these changes automatically.

  6. Click Update.
    When an update operation performed by VPNaaS is in progress, the lifecycle status changes to Updating. After the update is complete, the status transitions to Ready or Error.

To update a VPN connection using the CLI, use the opc compute vpn-endpoint-v2 update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update a VPN connection using the API, use the PUT /vpnendpoint/v2/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

Deleting a VPNaaS Connection

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

If you no longer need a VPN connection, you can delete it. Deleting a VPN connection is useful if, for example, you want to modify the list of vNICsets that should be reachable over the VPN connection.

Prerequisites

  • If you have created two VPN connections to provide failover, the second connection must be deleted before deleting the first connection.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand VPNaaS, and then click VPN Connections.
  4. Go to the VPN connection that you want to delete. From the menu icon menu, select Delete.

To delete a VPN connection using the CLI, use the opc compute vpn-endpoint-v2 delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To delete a VPN connection using the API, use the DELETE /vpnendpoint/v2/name method. For more information, see REST API for Oracle Cloud Infrastructure Compute Classic.

When a delete operation performed by VPNaaS is in progress, the lifecycle status changes to Deleting. After the delete operation is complete, the status transitions to Ready or Error.

Note:

It might take about 15 minutes for the delete operation to complete.

VPNaaS Connection to other Environments

Not Oracle Cloud at Customer This topic does not apply to Oracle Cloud at Customer.

Use VPNaaS to connect to your Compute Classic instances from another Oracle Cloud account or to connect an Oracle cloud environment to other cloud services.

Procedure

  1. Create a VPN connection (VPN–1) and wait till the status changes to Ready. For instructions to create a VPN connection, see Creating VPN Connections Using VPNaaS.

    Note:

    Enter a temporary IP in the Customer Gateway field.

  2. Note down the Public IP address (Public-IP-1) of VPN–1.

  3. Create the remote end VPN connection (VPN–2) and wait till the status changes to Ready. For instructions to create a VPN connection, see Creating VPN Connections Using VPNaaS.

    Note:

    In the Customer Gateway field, enter the Public IP Address (Public-IP-1) of VPN–1, which you noted down in step 2.

  4. Note down the Public IP address (Public-IP-2) of VPN–2.

  5. Go to VPN–1 connection that you created in step 1 and update the Customer Gateway field with the Public IP Address (Public-IP-2), which you noted down in step 4.