5 Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud

To complete the VPN setup, configure a GRE tunnel between your guest instances in Oracle Cloud and your Corente Services Gateway instance in Oracle Cloud.

Oracle Cloud services certified to use Corente-based VPN solutions

You can configure a GRE tunnel only on instances of the following Oracle Cloud services:

  • Oracle Cloud Infrastructure Compute Classic

  • Oracle Database Cloud Service

  • Oracle Java Cloud Service

Creating a New Linux Instance and Configuring a GRE Tunnel

You must configure a Generic Routing Encapsulation (GRE) tunnel on your Compute Classic instances to complete the VPN setup.

Follow the instructions provided in this section to create a guest instance using the provided corente-guest-launchplan.json template and configure a GRE tunnel on the newly created guest instance. To set up a GRE tunnel on running instances, see Configuring a GRE Tunnel on Running Linux Instances.

Create a Linux Client Compute Cloud Service Instance

Create your guest instance using the sample orchestration, corente-guest-launchplan.json.

  1. Create a bootable storage volume from an Oracle Linux 6.6 or later image; earlier images do not support GRE tunneling. See Creating a Bootable Storage Volume in Using Oracle Cloud Infrastructure Compute Classic.

    Note:

    A persistent boot disk is required to retain data and patches that are applied to your instance.

  2. Download the sample orchestration, corente-guest-launchplan.json, to create a guest instance. This sample orchestration is included in the greconf_orchsamples.zip file at the following location:

    http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

  3. Modify the values in the sample orchestration file to match your environment. While modifying corente-guest-launchplan.json, observe the following requirements:

    • Ensure that you create the guest instance using the bootable storage volume you have created in step 1.

    • The client instance and the gateway instance must be in the same security list. GRE itself provides neither encryption nor authentication, so the GRE leg between the guest and the gateway is protected only by the isolation of the cloud network and by that security list; the encrypted leg of the VPN is the Corente Services Gateway's connection to your on-premises network.

      In this example, a Compute instance in the Corente network is assigned to an internal security list, vpn-CSG1-secrules.

    • Ensure that the ha_policy of the orchestration is set to active.

    • The GRE tunnel addresses (both the local address and the cloud gateway address) must not be in the 10.0.0.0/8 range (10.x.x.x).

    • If you set up the VPN connection using the Compute Classic user interface, use the default cloud gateway tunnel address, 172.16.254.1, as the value of --csg-tunnel-address.

  4. Upload the modified orchestration to Compute Classic, and then start the orchestration. For information about uploading and starting an orchestration, see Managing Orchestrations in Using Oracle Cloud Infrastructure Compute Classic.

  5. After the orchestration has started, verify that the instance is running.

  6. Note the DNS host name assigned to the cloud gateway instance; it is the value of --csg-hostname that you pass to the configuration script. The script works with the host name rather than a fixed IP address because of HA: the host name is populated automatically and resolves to the current private IP address of the cloud gateway.

Sample Orchestration with Corente Tunnel Arguments

{
  "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-instance",
  "label": "corente-guest",
  "description": "Corente guest instance",
  "oplans": [
    {
      "obj_type": "launchplan",
      "label": "corente-guest-launchplan-1",
      "ha_policy": "active",
      "objects": [
        {
          "instances": [
            {
              "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest",
              "networking": {
                "eth0": {
                  "model": "e1000",
                  "dns": [
                    "corente-guest"
                  ],
                  "seclists": [
                    "/Compute-myIdentityDomain/john.doe@example.com/vpn-CSG1-secrules"
                  ],
                  "nat": "ippool:/oracle/public/ippool"
                }
              },
              "boot_order": [
                1
              ],
              "storage_attachments": [
                {
                  "index": 1,
                  "volume": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-boot-vol"
                }
              ],
              "label": "corente-guest",
              "shape": "oc3",
              "attributes": {
                "userdata": {
                  "corente-tunnel-args": "--local-tunnel-address=172.16.1.4 --csg-hostname=c9fcb5.compute-acme.oraclecloud.internal. --csg-tunnel-address=172.16.254.1 --onprem-subnets=10.2.3.0/24,10.3.2.0/24"
                }
              },
              "sshkeys": [
                "/Compute-myIdentityDomain/john.doe@example.com/adminkey"
              ]
            }
          ]
        }
      ]
    }
  ]
}

Create a GRE Tunnel

To create a GRE tunnel on your newly created Compute Classic instances:

  1. SSH to the instance where you want to create a GRE tunnel.

  2. Download the oc-config-corente-tunnel script onto this instance. The script is included in the greconf_orchsamples.zip file, which is available at the following location:

    http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

  3. Extract the contents of the greconf_orchsamples.zip file.

  4. After extracting, copy the oc-config-corente-tunnel file from the Config and Orchestration directory to the /usr/bin directory.

    Note:

    You'll need superuser privileges to copy to /usr/bin.

  5. Make the oc-config-corente-tunnel script executable:

    sudo chmod 550 /usr/bin/oc-config-corente-tunnel
  6. Run the oc-config-corente-tunnel script. It reads its arguments from the corente-tunnel-args userdata attribute of the instance, and it does not exit on its own (it keeps running to health-check the tunnel), so start it in the background:

    sudo nohup bash /usr/bin/oc-config-corente-tunnel &
  7. Add the following entry to /etc/rc.local so that the script starts automatically every time the instance boots. On Oracle Linux 7, /etc/rc.d/rc.local must also be marked executable (chmod +x) for rc.local to run at boot.

    nohup bash /usr/bin/oc-config-corente-tunnel &

About Configuration Script Arguments

The oc-config-corente-tunnel configuration script accepts arguments from the userdata attribute corente-tunnel-args in a launch plan (refer to corente-guest-launchplan.json). The value of that attribute should be in the form of a command line with the following syntax (showing only required arguments):

--local-tunnel-address=<addr> --csg-hostname=<hostname> --csg-tunnel-address=<addr> --onprem-subnets=<subnet_cidrs>

The same syntax applies when you pass the arguments on the script's command line (see Configuring a GRE Tunnel on Running Linux Instances). The parameters are described below.

csg-hostname

    Description: The host name of the cloud gateway instance. It is derived from the VPN gateway name specified when the cloud gateway was created; to identify it, see the Instances page in the Compute Classic web console. The value should follow the format hostName.compute-myIdentityDomain.oraclecloud.internal.

    Mandatory. No default value. No limit.

    Example: csg1.compute-acme.oraclecloud.internal.

csg-tunnel-address

    Description: GRE tunnel address of the cloud gateway. If you set up the VPN connection using the Compute Classic user interface, specify the default value, 172.16.254.1.

    Mandatory.

    Example: 172.16.254.1

local-tunnel-address

    Description: GRE tunnel address of the Compute instance, that is, the local address of the GRE tunnel to the Corente Services Gateway instance in the cloud. Specify the IP address that you want to assign to the GRE interface on the Linux instance. This address is used to communicate with the Corente Services Gateway, with instances in your on-premises environment, and with any other IP addresses you define. Specify an IP address from the 172.16.1.0/24 subnet; it must not be in the 10.0.0.0/8 range and must differ from the cloud gateway tunnel address.

    Mandatory. No default value.

    Example: 172.16.1.4

onprem-subnets

    Description: List of on-premises networks participating in the VPN, as one or more comma-separated CIDRs.

    Mandatory. No default value. No limit.

    Example: 10.2.3.0/24,10.3.2.0/24

ping-count

    Description: Number of pings sent to the cloud gateway tunnel end point in one iteration of the health check.

    Optional. Default is 3. Minimum is 2.

    Example: 5

ping-timeout

    Description: Timeout, in seconds, for each ping to the cloud gateway.

    Optional. Default is 2. Minimum is 1.

    Example: 1

ping-interval

    Description: Interval, in seconds, between pings to the cloud gateway.

    Optional. Default is 10. Minimum is 3.

    Example: 3
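The constraints above are easy to get wrong in a long userdata string, and a bad value only shows up after the orchestration has started and the script has run. The following added example (not part of the Oracle tooling, and not from the original page) is a POSIX shell validator that checks a corente-tunnel-args string against the rules stated in this section: the four mandatory arguments, IPv4 and CIDR syntax, tunnel addresses outside 10.0.0.0/8, the .oraclecloud.internal host name suffix, and the ping minimums. The helper names and the error messages are the example's own; the host name check enforces only the suffix, since the examples in this document differ in the middle labels and in the trailing dot.

```sh
#!/bin/sh
# Added example, not part of the Oracle tooling: validate a corente-tunnel-args
# string before it goes into the launch plan's userdata attribute or onto the
# oc-config-corente-tunnel command line. Only the rules stated in this section
# are enforced (mandatory arguments, CIDR syntax, tunnel addresses outside
# 10.0.0.0/8, the gateway host name suffix, and the ping minimums).

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Four dot-separated decimal octets, each in 0..255.
is_ipv4() {
  local oldifs=$IFS
  IFS=.; set -- $1; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    is_uint "$o" && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# a.b.c.d/n with n in 0..32
is_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  is_ipv4 "${1%/*}" && is_uint "${1#*/}" && [ "${1#*/}" -le 32 ]
}

# Both ends of the tunnel must stay outside the 10.0.0.0/8 range.
in_10_slash_8() { case $1 in 10.*) return 0 ;; *) return 1 ;; esac; }

# validate_corente_tunnel_args "<args string>"
# Prints one line per problem found; returns 0 only when there are none.
validate_corente_tunnel_args() {
  local args=$1 arg key val pair c oldifs problems=0
  local local_addr='' csg_host='' csg_addr='' subnets=''
  local ping_count=3 ping_timeout=2 ping_interval=10   # defaults from the parameter table
  for arg in $args; do
    case $arg in *=*) key=${arg%%=*}; val=${arg#*=} ;; *) key=$arg; val='' ;; esac
    case $key in
      --local-tunnel-address) local_addr=$val ;;
      --csg-hostname)         csg_host=$val ;;
      --csg-tunnel-address)   csg_addr=$val ;;
      --onprem-subnets)       subnets=$val ;;
      --ping-count)           ping_count=$val ;;
      --ping-timeout)         ping_timeout=$val ;;
      --ping-interval)        ping_interval=$val ;;
      *) echo "unknown argument: $arg"; problems=$((problems + 1)) ;;
    esac
  done
  for pair in "--local-tunnel-address=$local_addr" "--csg-tunnel-address=$csg_addr"; do
    if ! is_ipv4 "${pair#*=}"; then
      echo "${pair%%=*} is mandatory and must be an IPv4 address"; problems=$((problems + 1))
    elif in_10_slash_8 "${pair#*=}"; then
      echo "${pair%%=*} must not be inside 10.0.0.0/8"; problems=$((problems + 1))
    fi
  done
  if [ -n "$local_addr" ] && [ "$local_addr" = "$csg_addr" ]; then
    echo "the local and cloud gateway tunnel addresses must differ"; problems=$((problems + 1))
  fi
  case $csg_host in
    ?*.oraclecloud.internal|?*.oraclecloud.internal.) ;;
    *) echo "--csg-hostname is mandatory and must end in .oraclecloud.internal"; problems=$((problems + 1)) ;;
  esac
  if [ -z "$subnets" ]; then
    echo "--onprem-subnets is mandatory"; problems=$((problems + 1))
  else
    oldifs=$IFS; IFS=,; set -- $subnets; IFS=$oldifs
    for c in "$@"; do
      is_cidr "$c" || { echo "bad on-premises CIDR: $c"; problems=$((problems + 1)); }
    done
  fi
  is_uint "$ping_count"    && [ "$ping_count"    -ge 2 ] || { echo "--ping-count must be an integer >= 2";    problems=$((problems + 1)); }
  is_uint "$ping_timeout"  && [ "$ping_timeout"  -ge 1 ] || { echo "--ping-timeout must be an integer >= 1";  problems=$((problems + 1)); }
  is_uint "$ping_interval" && [ "$ping_interval" -ge 3 ] || { echo "--ping-interval must be an integer >= 3"; problems=$((problems + 1)); }
  [ "$problems" -eq 0 ]
}

# Usage: sh validate-tunnel-args.sh '<corente-tunnel-args string>'
# Without arguments it checks the string from the sample orchestration in this chapter.
SAMPLE_ARGS='--local-tunnel-address=172.16.1.4 --csg-hostname=c9fcb5.compute-acme.oraclecloud.internal. --csg-tunnel-address=172.16.254.1 --onprem-subnets=10.2.3.0/24,10.3.2.0/24'
if validate_corente_tunnel_args "${*:-$SAMPLE_ARGS}"; then echo "corente-tunnel-args OK"; fi
```

Run it against the exact string you intend to paste into corente-tunnel-args; every reported line is a value the script would otherwise act on after the instance is already up.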

Configuring a GRE Tunnel on Running Linux Instances

You can set up a GRE tunnel to the Corente Services Gateway on existing Compute Classic instances. The procedure in this section sets up the tunnel on running Linux instances without restarting orchestrations.

Ensure that the service instance on Oracle Cloud (where the GRE script runs) and the cloud gateway instance (the one it is paired with) are part of the same security list.

Do the following:

  1. Install the dig utility if it is not already available. The configuration script uses dig to resolve the cloud gateway host name.

    sudo yum install bind-utils
  2. Create the opc-compute directory under /var/log for the Corente log files.

    sudo mkdir -p /var/log/opc-compute
  3. If the oc-config-corente-tunnel script is not yet on this instance, download greconf_orchsamples.zip and copy the script to /usr/bin as described in Create a GRE Tunnel. Then go to the /usr/bin directory.

    cd /usr/bin
  4. Ensure that the script is executable:

    sudo chmod 550 oc-config-corente-tunnel
  5. Become root and start the script in the background, with the arguments for your environment:

    $ sudo bash
    # nohup ./oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &

    Note:

    You may have to wait up to 1 minute before the GRE tunnel is up.

    For a description of the configuration parameters, see About Configuration Script Arguments.

    Note:

    Customize the command-line parameters, as needed (same syntax as the corente-tunnel-args userdata attribute). You must run the script in background, as the script won’t exit.
  6. Verify that the GRE tunnel is functional: ping the cloud gateway tunnel address (172.16.254.1 in this example) and then any live IP address within your data center network.

  7. Add the following entry to the /etc/rc.local file.

    nohup bash /usr/bin/oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &

    Note:

    Customize the command-line parameters as needed. The values of the parameters must match those you used in step 5.
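Step 6 asks for a ping; the following added example (not Oracle's script, and not from the original page) makes that check systematic, and it applies equally after the Create a GRE Tunnel procedure earlier in this chapter. It finds the GRE interface by the local tunnel address it carries rather than assuming an interface name, it assumes that the script installs routes for the on-premises subnets through that interface (an assumption about the script, not something this document states), and it pings the cloud gateway tunnel address with the health check's default ping-count (3) and ping-timeout (2). The ip output embedded at the end is constructed for offline use, not captured from an instance.

```sh
#!/bin/sh
# Added example, not part of the Oracle tooling: verify the GRE tunnel that
# oc-config-corente-tunnel set up. The GRE interface is found by the local
# tunnel address it carries (its name is not assumed), the on-premises subnets
# are expected to be routed through that interface (an assumption about what
# the script installs), and the gateway tunnel address is pinged with the
# health check's default ping-count (3) and ping-timeout (2).

# gre_dev_for_addr <addr> "<output of: ip -o -4 addr show>"
# Prints the interface that carries <addr>, or nothing.
gre_dev_for_addr() {
  printf '%s\n' "$2" | awk -v addr="$1" \
    '$3 == "inet" { split($4, a, "/"); if (a[1] == addr) { print $2; exit } }'
}

# route_uses_dev <cidr> <dev> "<output of: ip route show>"
# Succeeds if the route for <cidr> goes out through <dev>.
route_uses_dev() {
  printf '%s\n' "$3" | awk -v net="$1" -v dev="$2" '
    $1 == net { for (i = 2; i < NF; i++) if ($i == "dev" && $(i + 1) == dev) found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# check_gre_tunnel <local-tunnel-address> <csg-tunnel-address> <onprem-subnets>
# Live check on the instance: one PASS/FAIL line per check, non-zero on any FAIL.
check_gre_tunnel() {
  local local_addr=$1 csg_addr=$2 subnets=$3 addrs routes dev net oldifs rc=0
  addrs=$(ip -o -4 addr show)
  routes=$(ip route show)
  dev=$(gre_dev_for_addr "$local_addr" "$addrs")
  if [ -z "$dev" ]; then
    echo "FAIL: no interface carries $local_addr (script not running yet, or wrong --local-tunnel-address)"
    return 1
  fi
  echo "PASS: $local_addr is configured on $dev"
  oldifs=$IFS; IFS=,; set -- $subnets; IFS=$oldifs
  for net in "$@"; do
    if route_uses_dev "$net" "$dev" "$routes"; then
      echo "PASS: $net is routed via $dev"
    else
      echo "FAIL: $net is not routed via $dev"; rc=1
    fi
  done
  # Same probe as the script's health check defaults: 3 pings, 2 s timeout each.
  if ping -c 3 -W 2 "$csg_addr" >/dev/null 2>&1; then
    echo "PASS: cloud gateway tunnel address $csg_addr answers ping"
  else
    echo "FAIL: cloud gateway tunnel address $csg_addr does not answer ping"; rc=1
  fi
  return $rc
}

# Constructed sample output (not captured from a real instance) so the parsing
# can be tried offline; the values match the running-instance example above.
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 10.196.1.17/24 brd 10.196.1.255 scope global eth0
5: gre1    inet 172.16.2.2 peer 172.16.254.1/32 scope global gre1'
SAMPLE_ROUTES='default via 10.196.1.1 dev eth0
10.196.1.0/24 dev eth0 proto kernel scope link src 10.196.1.17
172.16.254.1 dev gre1 proto kernel scope link src 172.16.2.2
192.168.39.0/24 dev gre1 scope link'

# Usage on the instance: sh check-gre-tunnel.sh 172.16.2.2 172.16.254.1 192.168.39.0/24
# Without arguments, the sample output is parsed instead of running ip and ping.
if [ $# -eq 3 ]; then
  check_gre_tunnel "$1" "$2" "$3"
else
  dev=$(gre_dev_for_addr 172.16.2.2 "$SAMPLE_ADDRS")
  echo "sample: 172.16.2.2 is on ${dev:-no interface}"
  if route_uses_dev 192.168.39.0/24 "$dev" "$SAMPLE_ROUTES"; then
    echo "sample: 192.168.39.0/24 is routed via $dev"
  fi
fi
```

Run it with the same three values you passed to the script. A FAIL on the interface check usually means the script has not finished yet (the page notes it can take up to a minute); a FAIL on the gateway ping with the interface present points at the security list or at a wrong --csg-tunnel-address.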