Site-to-Site VPN Wizard

The Site-to-Site VPN wizard is the quickest way to set up a site-to-site VPN between an on-premises network and a virtual cloud network (VCN). The wizard is a guided, step-by-step process in the Console that sets up the VPN plus related Networking service components.

Other secure VPN solutions include OpenVPN, a Client VPN solution that can be accessed in the Oracle Marketplace. OpenVPN connects individual devices to a VCN, but not whole sites or networks.

Purpose of the Wizard

Site-to-Site VPN involves setting up and configuring several Networking service components. The wizard sets up those components for you. In general, the wizard does the following:

  • Uses a template with assumptions that help you get started.
  • Asks you for some basic network information.
  • Sets up the Networking service components for you.
  • Lets you generate configuration content for a network engineer to use when configuring a customer-premises equipment (CPE) device.

The wizard is a task within the overall process of setting up Site-to-Site VPN, which is illustrated in the following diagram. The wizard is the shaded box.

This image shows a flow diagram of the overall Site-to-Site VPN setup process.

Notice that the overall process includes work by an on-premises network engineer. That engineer provides information that you, in turn, must supply when running the wizard. The wizard returns information that the network engineer needs when configuring the CPE device. You can use the CPE Configuration Helper to provide the necessary information to the network engineer.

The following short sections summarize each task.

Task 1: Information to get from the network engineer
  • CPE device's public IP address. (The address must be IPv4, but IPv6 traffic is supported.)
  • CPE vendor, model, and version.
  • CPE IKE identifier. For more information, see Overview of Site-to-Site VPN Components.
  • On-premises network routes.
  • If you use BGP dynamic routing with the VPN:
    • The on-premises network's BGP ASN
    • For each of the two IPSec tunnels that are created, the pair of BGP IP addresses (with subnet mask) that you want to use for the inside tunnel interfaces at the ends of each tunnel. For example:
      • Tunnel 1: Inside tunnel interface - CPE: 10.0.0.16/31
      • Tunnel 1: Inside tunnel interface - Oracle: 10.0.0.17/31
      • Tunnel 2: Inside tunnel interface - CPE: 10.0.0.8/31
      • Tunnel 2: Inside tunnel interface - Oracle: 10.0.0.9/31
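The items above come from someone else and are easy to mistype, and an error in the BGP inside-tunnel addresses only shows up in Task 5 when the session fails to come up. The following added example (not part of the wizard or of this page's original content; the function names and the sample values are constructed for illustration) checks the Task 1 information before you enter it: the CPE address must be a public IPv4 address, each tunnel's CPE and Oracle inside-tunnel addresses must be two distinct addresses with the same mask in the same link subnet, and the two tunnels must not share a link subnet.

```python
"""Pre-flight checks on the Task 1 information from the network engineer.

Added example for this page; the function names, field layout and sample
values below are constructed for illustration and are not part of the wizard.
"""
from __future__ import annotations

import ipaddress


def check_cpe_public_ip(addr: str) -> list[str]:
    """The CPE address must be IPv4 (IPv6 traffic rides inside the tunnel, but
    the tunnel endpoint itself is IPv4) and reachable from Oracle, so flag
    anything that is not a globally routable IPv4 address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return [f"{addr!r} is not a valid IP address"]
    if ip.version != 4:
        return [f"{addr} is IPv6; the CPE public IP must be IPv4"]
    if not ip.is_global:  # private, loopback, link-local, documentation ranges, ...
        return [f"{addr} is not a public (globally routable) IPv4 address"]
    return []


def check_bgp_pair(cpe: str, oracle: str) -> list[str]:
    """For one tunnel, the CPE and Oracle inside-tunnel addresses must be two
    distinct addresses with the same mask inside the same link subnet."""
    problems = []
    cpe_if = ipaddress.ip_interface(cpe)
    ora_if = ipaddress.ip_interface(oracle)
    if cpe_if.network.prefixlen != ora_if.network.prefixlen:
        problems.append(f"{cpe} and {oracle} use different subnet masks")
    elif cpe_if.network != ora_if.network:
        problems.append(f"{cpe} and {oracle} are not in the same link subnet")
    if cpe_if.ip == ora_if.ip:
        problems.append(f"CPE and Oracle ends both use {cpe_if.ip}")
    return problems


def check_tunnels(tunnels: list[tuple[str, str]]) -> list[str]:
    """Run the per-tunnel check on each (CPE, Oracle) pair and make sure the
    tunnels' link subnets do not overlap, since each tunnel needs its own."""
    problems = []
    link_nets = []
    for n, (cpe, oracle) in enumerate(tunnels, start=1):
        problems += [f"Tunnel {n}: {p}" for p in check_bgp_pair(cpe, oracle)]
        link_nets.append(ipaddress.ip_interface(cpe).network)
    for i in range(len(link_nets)):
        for j in range(i + 1, len(link_nets)):
            if link_nets[i].overlaps(link_nets[j]):
                problems.append(
                    f"Tunnel {i + 1} and tunnel {j + 1} share link subnet {link_nets[i]}"
                )
    return problems


# Constructed sample input mirroring the example addresses in Task 1.
SAMPLE_TUNNELS = [
    ("10.0.0.16/31", "10.0.0.17/31"),  # Tunnel 1: CPE, Oracle
    ("10.0.0.8/31", "10.0.0.9/31"),    # Tunnel 2: CPE, Oracle
]

if __name__ == "__main__":
    for line in check_tunnels(SAMPLE_TUNNELS) or ["BGP tunnel addresses look consistent"]:
        print(line)
```

Run it with the engineer's addresses substituted into SAMPLE_TUNNELS; an empty result means the pairs are internally consistent, which is a cheap check before the tunnels are built and the CPE is configured.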

Task 2: Wizard

You walk through the wizard in the Console. For more information, see these sections:

Task 3: Information to give to the network engineer

You use the CPE Configuration Helper to generate configuration content that the network engineer can use to configure the CPE.

The content includes these items:

  • The Oracle VPN IP address and shared secret for each IPSec tunnel.
  • The supported IPSec parameter values.
  • Information about the VCN.
  • CPE-specific configuration information.

Task 4: CPE configuration

The network engineer takes the information you provide and configures the CPE device.

Task 5: Testing

You and the network engineer test the connection and confirm that traffic is flowing.

Alternative to the Wizard

If you prefer, you can manually set up Site-to-Site VPN yourself. For step-by-step instructions, see Setting Up Site-to-Site VPN.

What the Wizard Creates for You

Most Oracle customers who set up Site-to-Site VPN already have a VCN to connect to their on-premises network. In that case, the wizard creates the numbered components in the following diagram. The table describes each component.

This image shows the Networking service components that are created for you.
The following list describes each numbered component and whether you can use an existing one or must let the wizard create a new one:

  • 1. CPE
    • Description: A CPE is a virtual representation of the actual CPE device. This virtual representation contains basic information such as the CPE device's public IP address.
    • Can use existing one or create new one? Yes, you can either use an existing CPE or let the wizard create a new one.
  • 2. IPSec tunnels
    • Description: The wizard creates two IPSec tunnels, each with specific configuration information that you must provide to a network engineer. Note: The wizard uses IKEv1 or IKEv2 for the tunnels. For more information on IKEv2, see Using IKEv2.
    • Can use existing one or create new one? No. The wizard automatically creates the tunnels.
  • 3. Dynamic Routing Gateway (DRG)
    • Description: A DRG is a virtual representation of the actual router at the Oracle end of the Site-to-Site VPN.
    • Can use existing one or create new one? Yes.
  • 4. Internet Gateway
    • Description: If the VCN you select doesn't already have an Internet Gateway, you can let the wizard create one to enable direct connectivity to the internet.
    • Can use existing one or create new one? Yes, you can either use an existing internet gateway or let the wizard create a new one.
  • 5. Subnet route table
    • Description: The route table of each selected subnet, with a route rule that sends on-premises traffic to the DRG, for example: Destination CIDR 10.0.0.0/16, Route Target DRG.
Note: To create any new resource, the service limit for that resource must not already have been reached. After the service limit for a resource type has been reached, you can either remove unused resources of that type or request a service limit increase.

In addition, during the wizard you specify which subnets in the VCN to configure with access to the on-premises network. The wizard updates each subnet's route table and security rules as follows:

  • Route rules: The wizard adds one or more rules to route VCN traffic to an on-premises network by way of the DRG. You need to provide one rule per on-premises network route in the wizard. If the VCN has an internet gateway (or if you create one) and a public subnet is selected, the wizard also adds a rule to send remaining traffic (not destined for the on-premises network) to the internet gateway.
  • Security list rules: The wizard also adds one or more rules to allow all types of traffic from an on-premises network. You need to provide one rule per on-premises network route in the wizard. If the VCN has an internet gateway (or you create one) and a public subnet is selected, the wizard also adds a rule to allow SSH over port 22 from the internet.

You can edit the rules and add more if you want.
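The two bullets above describe a predictable set of rules, and the last of them (SSH over port 22 from the internet on a public subnet) is the one most worth editing once the wizard finishes. The following added example (not the wizard's or the Networking service's own code or data model; the RouteRule and IngressRule classes, the helper names and the sample CIDRs are constructed for illustration) models the rules the wizard adds for a subnet, shows by longest-prefix lookup why the specific DRG routes coexist with the 0.0.0.0/0 internet-gateway route, and audits the resulting ingress rules, replacing the any-source SSH rule with one rule per trusted administrative CIDR.

```python
"""Model of the route and security list rules the wizard adds to a selected
subnet, with a longest-prefix route lookup and an ingress audit.

Added example for this page; the RouteRule/IngressRule classes and the helper
names are constructed for illustration and are not the Networking service's
own data model.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteRule:
    destination: str  # destination CIDR
    target: str       # "DRG" or "Internet Gateway"


@dataclass(frozen=True)
class IngressRule:
    source: str              # source CIDR
    protocol: str            # "all" or "tcp"
    dest_port: int | None = None


def wizard_rules(onprem_routes: list[str], public_subnet_with_igw: bool):
    """Reproduce what the page describes: one DRG route and one allow-all
    ingress rule per on-premises route; for a public subnet behind an internet
    gateway, a default route to the gateway and SSH (TCP/22) from anywhere."""
    routes = [RouteRule(cidr, "DRG") for cidr in onprem_routes]
    ingress = [IngressRule(cidr, "all") for cidr in onprem_routes]
    if public_subnet_with_igw:
        routes.append(RouteRule("0.0.0.0/0", "Internet Gateway"))
        ingress.append(IngressRule("0.0.0.0/0", "tcp", 22))
    return routes, ingress


def route_lookup(routes: list[RouteRule], dst: str) -> str | None:
    """Longest-prefix match: the specific on-premises routes win over the
    0.0.0.0/0 internet-gateway route, which is why both can coexist."""
    ip = ipaddress.ip_address(dst)
    best = None
    for rule in routes:
        net = ipaddress.ip_network(rule.destination)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, rule.target)
    return best[1] if best else None


def audit_ingress(rules: list[IngressRule]) -> list[str]:
    """Flag ingress rules that accept traffic from any source."""
    findings = []
    for r in rules:
        if ipaddress.ip_network(r.source).prefixlen == 0:
            what = f"{r.protocol}/{r.dest_port}" if r.dest_port else r.protocol
            findings.append(f"{what} allowed from any source ({r.source})")
    return findings


def tighten_ssh(rules: list[IngressRule], admin_cidrs: list[str]) -> list[IngressRule]:
    """Replace the any-source SSH rule with one rule per trusted admin CIDR,
    leaving every other rule unchanged."""
    out = []
    for r in rules:
        is_open_ssh = (
            r.protocol == "tcp"
            and r.dest_port == 22
            and ipaddress.ip_network(r.source).prefixlen == 0
        )
        if is_open_ssh:
            out.extend(IngressRule(cidr, "tcp", 22) for cidr in admin_cidrs)
        else:
            out.append(r)
    return out


if __name__ == "__main__":
    # Constructed sample: one on-premises route, public subnet with an internet gateway.
    routes, ingress = wizard_rules(["10.0.0.0/16"], public_subnet_with_igw=True)
    print(route_lookup(routes, "10.0.0.5"), route_lookup(routes, "203.0.113.5"))
    for finding in audit_ingress(ingress):
        print("finding:", finding)
    for rule in tighten_ssh(ingress, ["198.51.100.0/24"]):
        print(rule)
```

The audit reports exactly one finding for the wizard's defaults (the SSH rule), and after tightening to an administrative CIDR it reports none while the allow-all rule for the on-premises route is left as the wizard created it.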

After the wizard completes, you can use the CPE Configuration Helper to generate configuration content that the on-premises network engineer can use to configure the CPE.

Where to Access the Wizard in the Console

To access this wizard from the Networking Overview page:

  1. Open the navigation menu, select Networking, and then select Overview.
  2. In the Add internet connectivity and Site-to-Site VPN to a VCN section, select Start VCN wizard.

To access this wizard from the Virtual cloud networks list page:

  1. Open the navigation menu, select Networking, and then select Virtual cloud networks.
  2. On the Virtual cloud networks list page, perform one of the following actions depending on the option that you see:
    • Select the Actions button, and then select Start VCN Wizard.
    • Select Start VCN Wizard.
  3. Select Add Site-to-Site VPN and Internet Connectivity to a VCN, and then select Start VCN Wizard.

To access this wizard from the Site-to-Site VPN list page:

  1. Open the navigation menu and select Networking. Under Customer connectivity, select Site-to-Site VPN.
  2. Select Start VPN Wizard.