Create a VPN Endpoint V2
/vpnendpoint/v2/
Creates an IPSec VPN connection from Oracle Cloud to your data centers using VPN as a Service (VPNaaS).
Note: You can use VPNaaS to set up a tunnel to instances that are on IP networks. However, VPNaaS doesn't support VPN connections to instances that don't have any interface on IP networks. To establish a VPN tunnel to instances that are on the shared network, follow the steps for creating a single-homed Corente Services Gateway instance in Setting Up VPN in Using Oracle Cloud Infrastructure Compute Classic.
Prerequisites
Ensure that you have completed the following tasks and noted the required information before creating a VPN connection.
* Create an IP network or use an existing IP network. See Creating an IP Network in Using Oracle Cloud Infrastructure Compute Classic. Make a note of the name of this IP network.
* Configure a supported third-party VPN device at your data center and make a note of the public IP address of this gateway. The third-party VPN device must be ready for the VPN connection to be established. For information about certified third-party VPN device configurations, see About Setting Up VPN in Using Oracle Cloud Infrastructure Compute Classic.
* Ensure that you have the pre-shared key (PSK) that you want to use for this VPN connection.
* Create a vNICset. When you create instances, specify this vNICset for each vNIC that is added to an IP network that will be reachable over the VPN connection. See Creating a vNICset in Using Oracle Cloud Infrastructure Compute Classic.
While your VPN connection is being configured, its status is PENDING. It can take around 20 to 30 minutes for your VPN gateway to be created. When the cloud VPN gateway is created, the localGatewayAddress parameter provides its public IP address. To monitor the status of your VPN connection and retrieve the public IP address of the cloud VPN gateway, send the GET /vpnendpoint/v2/{name} request. You'll have to update the third-party VPN device in your data center with the public IP address of your cloud VPN gateway. If the third-party device in your data center is configured and ready, the VPN connection is established. The value of the tunnelStatus parameter changes to UP when the connection is established.
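The polling workflow described above (poll GET /vpnendpoint/v2/{name} while tunnelStatus is PENDING, pick up localGatewayAddress as soon as it appears so the data-center device can be configured, stop on UP, DOWN or ERROR), as an added example that is not part of the Oracle documentation. It assumes a caller-supplied fetch(name) callable that performs the GET with the Cookie header and returns the parsed JSON body; the response sequence below is constructed, and 203.0.113.10 is a placeholder address.

```python
import time

# tunnelStatus values documented for GET /vpnendpoint/v2/{name}
TERMINAL_STATES = {"UP", "DOWN", "ERROR"}


def wait_for_tunnel(fetch, name, timeout_s=2400, interval_s=30,
                    sleep=time.sleep, on_gateway=None):
    """Poll fetch(name) until tunnelStatus leaves PENDING.

    Returns (tunnelStatus, localGatewayAddress); the status is "TIMEOUT"
    if timeout_s elapses while still PENDING. The first time a response
    carries localGatewayAddress, on_gateway(address) is called so the
    operator can configure the data-center device, which must happen
    before the tunnel can come UP. The default timeout is 40 minutes,
    since gateway creation takes about 20 to 30 minutes. `sleep` is
    injectable so the loop can be exercised without waiting.
    """
    waited = 0
    announced = False
    while True:
        body = fetch(name)
        status = body.get("tunnelStatus")
        gateway = body.get("localGatewayAddress")
        if gateway and not announced and on_gateway is not None:
            on_gateway(gateway)
            announced = True
        if status in TERMINAL_STATES:
            return status, gateway
        if status != "PENDING":
            # Undocumented value: fail closed rather than poll forever.
            return "ERROR", gateway
        if waited >= timeout_s:
            return "TIMEOUT", gateway
        sleep(interval_s)
        waited += interval_s


def make_fake_fetch(responses):
    """Constructed stand-in for the real GET request: returns the given
    bodies in order, then keeps repeating the last one."""
    remaining = list(responses)
    last = {}

    def fetch(name):
        nonlocal last
        if remaining:
            last = remaining.pop(0)
        return last
    return fetch


# Constructed sample sequence; 203.0.113.10 is a documentation placeholder.
VPN_NAME = "/Compute-acme/jack.jones@example.com/vpnconnection2"
SAMPLE_RESPONSES = [
    {"name": VPN_NAME, "tunnelStatus": "PENDING"},
    {"name": VPN_NAME, "tunnelStatus": "PENDING", "localGatewayAddress": "203.0.113.10"},
    {"name": VPN_NAME, "tunnelStatus": "UP", "localGatewayAddress": "203.0.113.10"},
]


if __name__ == "__main__":
    status, address = wait_for_tunnel(
        make_fake_fetch(SAMPLE_RESPONSES), VPN_NAME, sleep=lambda s: None,
        on_gateway=lambda a: print("configure the data-center device with peer", a))
    print(status, address)
```

In a real run, fetch would wrap the GET with the Cookie header from POST /authenticate/; treat that cookie value as a credential and keep it out of log output.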
Required Role: To complete this task, you must have the Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.
Request
Content type: application/oracle-compute-v3+json
Header parameters:
- Cookie: string
  The Cookie: header must be included with every request to the service. It must be set to the value of the set-cookie header in the response received to the POST /authenticate/ call.
Body parameters (object):
- customer_vpn_gateway: string
  Specify the IP address of the VPN gateway in your data center through which you want to connect to the Oracle Cloud VPN gateway. Your gateway device must support policy-based VPN and IKE (Internet Key Exchange) configuration using pre-shared keys.
- description (optional): string
  Description of the object.
- ikeIdentifier (optional): string
  The Internet Key Exchange (IKE) ID. If you don't specify a value, the default value is the public IP address of the cloud gateway. You can specify either an alternative IP address, or any text string that you want to use as the IKE ID. If you specify a text string, you must prefix the string with @. For example, if you want to specify the text IKEID-for-VPN1, specify @IKEID-for-VPN1 as the value in the request body. If you specify an IP address, don't prefix it with @. The IKE ID is case sensitive and can contain a maximum of 255 ASCII alphanumeric characters including special characters, period (.), hyphen (-), and underscore (_). The IKE ID can't contain embedded space characters.
  Note: If you specify the IKE ID, ensure that you specify the Peer ID type as Domain Name on the third-party device in your data center. Other Peer ID types, such as email address, firewall identifier or key identifier, aren't supported.
- ipNetwork: string
  Specify the three-part name of the IP network (/Compute-identity_domain/user/object) in which you want to create the cloud gateway. When you send a request to create a VPN connection, a cloud gateway is created and assigned an available IP address from the IP network that you specify, so the cloud gateway is directly connected to that IP network. You can specify only a single IP network. All other IP networks that are connected to the specified IP network through an IP network exchange are discovered and added automatically to the VPN connection.
- name: string
  The three-part name (/Compute-identity_domain/user/object) of the VPN connection. Object names can contain only alphanumeric, underscore (_), dash (-), and period (.) characters. Object names are case-sensitive.
- pfsFlag (optional): boolean
  This is enabled (set to true) by default. If your third-party device supports Perfect Forward Secrecy (PFS), set this parameter to true to require PFS.
- phase1Settings (optional): object
  Settings for Phase 1 of the protocol (IKE). Additional properties allowed. Object members:
  * phase1Settings.encryption: Encryption options for IKE. Possible values are aes128, aes192, aes256. Default is a combination of all possible values.
  * phase1Settings.hash: Authentication options for IKE. Possible values are sha1, sha2_256, md5. Default is a combination of all possible values.
  * phase1Settings.dhGroup: Diffie-Hellman group for both IKE and ESP. It is applicable for ESP only if PFS is enabled. Possible values are group2, group5, group14, group22, group23, group24. Default is a combination of all possible values.
- phase2Settings (optional): object
  Settings for Phase 2 of the protocol (IPSEC). Additional properties allowed. Object members:
  * phase2Settings.encryption: Encryption options for IKE. Possible values are aes128, aes192, aes256. Default is a combination of all possible values.
  * phase2Settings.hash: Authentication options for IKE. Possible values are sha1, sha2_256, md5. Default is a combination of all possible values.
- psk: string
  Pre-shared VPN key. Enter the pre-shared key. This secret key is shared between your network gateway and the Oracle Cloud network for authentication. Specify the full path and name of the text file that contains the pre-shared key. Ensure that the permission level of the text file is set to 400. The pre-shared VPN key must not exceed 256 characters.
- reachable_routes: array
  Specify a list of customer subnets (CIDR prefixes) that are reachable through this VPN tunnel. You can specify a maximum of 20 IP subnet addresses. Specify IPv4 addresses in dot-decimal notation with or without mask.
- tags (optional): array
  Tags associated with the object.
- vnicSets (optional): array
  Comma-separated list of vNIC sets. Traffic is allowed to and from these vNIC sets to the cloud gateway's vNIC set.
Response
Content type: application/oracle-compute-v3+json
202 Response
Headers:
- set-cookie: string
  The cookie value is returned if the session is extended.
Body (object):
- customer_vpn_gateway (optional): string
  IP address of the VPN gateway in your data center through which you want to connect to the Oracle Cloud VPN gateway.
- description (optional): string
  Description of the object.
- ikeIdentifier (optional): string
  The Internet Key Exchange (IKE) ID that you have specified. If you don't specify a value, the default value is the public IP address of the cloud gateway.
- ipNetwork (optional): string
  The name of the IP network on which the cloud gateway is created by VPNaaS.
- localGatewayAddress (optional): string
  IP address of your cloud gateway. An IP address that is available in the IP network you specify is assigned to the cloud gateway.
- name (optional): string
  Name that you have specified for this VPN connection.
- pfsFlag (optional): boolean
  True indicates that Perfect Forward Secrecy (PFS) is required and your third-party device supports PFS.
- phase1Settings (optional): object
  Settings for Phase 1 of the protocol (IKE). Additional properties allowed.
- phase2Settings (optional): object
  Settings for Phase 2 of the protocol (IPSEC). Additional properties allowed.
- psk (optional): string
  The pre-shared VPN key.
- reachable_routes (optional): array
  List of subnets (CIDR prefixes) that are reachable through this VPN tunnel.
- tags (optional): array
  Tags associated with the object.
- tunnelStatus (optional): string
  Current status of the tunnel. The tunnel can be in one of the following states:
  * PENDING: indicates that your VPN connection is being set up.
  * UP: indicates that your VPN connection is established.
  * DOWN: indicates that your VPN connection is down.
  * ERROR: indicates that your VPN connection is in the error state.
- uri (optional): string
  Uniform Resource Identifier.
- vnicSets (optional): array
  Comma-separated list of vNIC sets. Traffic is allowed to and from these vNIC sets to the cloud gateway's vNIC set.
Examples
cURL Command
The following example shows how to create a VPN endpoint by submitting a POST request on the REST resource using cURL. For more information about cURL, see Use cURL.
Enter the command on a single line. Line breaks are used in this example for readability.
curl -i -X POST -H "Cookie: $COMPUTE_COOKIE" -H "Content-Type: application/oracle-compute-v3+json" -H "Accept: application/oracle-compute-v3+json" -d "@vpnconnection.json" https://api-z999.compute.us0.oraclecloud.com/vpnendpoint/v2/
- COMPUTE_COOKIE is the name of the variable in which you stored the authentication cookie earlier. For information about retrieving the authentication cookie and storing it in a variable, see Authentication.
- api-z999.compute.us0.oraclecloud.com is an example REST endpoint URL. Change this value to the REST endpoint URL of your Compute Classic site. For information about finding out the REST endpoint URL for your site, see Send Requests.
After creating the JSON file, you should validate it. You can do this by using a third-party tool, such as JSONLint, or any other validation tool of your choice. If your JSON format isn't valid, then an error message is displayed when you pass the request body.
Example of Request Body
The following shows an example of the request body content in the vpnconnection.json file with values for optional parameters, such as phase1Settings and phase2Settings.
{
"psk": "*****",
"name": "/Compute-acme/jack.jones@example.com/vpnconnection2",
"customer_vpn_gateway": "172.16.254.1",
"ipNetwork": "/Compute-acme/jack.jones@example.com/ipnet2",
"reachable_routes": [
"10.1.2.0/24",
"10.1.3.0/24",
"10.1.4.0/24"
],
"vnicSets": [
"/Compute-acme/jack.jones@example.com/vnicset2"
],
"phase1Settings": {
"encryption": "aes128",
"hash": "sha1",
"dhGroup": "group2"
},
"phase2Settings": {
"encryption": "aes256",
"hash": "md5"
}
}
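The page recommends validating vpnconnection.json before submitting it. The following added example, which is not Oracle's code, goes one step further than a syntax check and tests a parsed body against the constraints documented for the request parameters above: required fields, three-part name format, IP address and IPv4 prefix formats, the 20-route and 256-character psk limits, the @-prefix rule for a text ikeIdentifier, and the allowed phase1Settings/phase2Settings values. The weak-algorithm warnings (md5, sha1, group2, group5) are this example's own addition and not something the page states; the assumption that the 255-character IKE ID limit counts the leading @ is also marked in the code.

```python
import ipaddress
import json
import re

# Three-part name /Compute-identity_domain/user/object; the object part may
# contain only alphanumeric, underscore, dash and period characters.
THREE_PART = re.compile(r"^/Compute-[^/\s]+/[^/\s]+/[A-Za-z0-9_.-]+$")
REQUIRED = ("name", "customer_vpn_gateway", "ipNetwork", "psk", "reachable_routes")
PHASE1 = {
    "encryption": {"aes128", "aes192", "aes256"},
    "hash": {"sha1", "sha2_256", "md5"},
    "dhGroup": {"group2", "group5", "group14", "group22", "group23", "group24"},
}
PHASE2 = {"encryption": PHASE1["encryption"], "hash": PHASE1["hash"]}
# Assumption, not from the page: documented choices to flag as weak today.
WEAK = {"md5", "sha1", "group2", "group5"}


def _is_ip(value):
    try:
        return bool(ipaddress.ip_address(value))
    except ValueError:
        return False


def _is_ipv4_prefix(value):  # IPv4 in dot-decimal notation, with or without mask
    try:
        return ipaddress.ip_network(value, strict=False).version == 4
    except ValueError:
        return False


def validate_vpn_request(body):
    """Return (errors, warnings) for a parsed body; no errors means every
    documented constraint holds."""
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in body:
            errors.append(f"missing required parameter {key}")
    for key in ("name", "ipNetwork"):
        if key in body and not THREE_PART.match(str(body[key])):
            errors.append(f"{key} is not a valid three-part name")
    if "customer_vpn_gateway" in body and not _is_ip(body["customer_vpn_gateway"]):
        errors.append("customer_vpn_gateway must be an IP address")
    psk = body.get("psk")
    if psk is not None and (not isinstance(psk, str) or not psk or len(psk) > 256):
        errors.append("psk must be a non-empty string of at most 256 characters")
    routes = body.get("reachable_routes")
    if routes is not None:
        if not isinstance(routes, list) or not 1 <= len(routes) <= 20:
            errors.append("reachable_routes must list between 1 and 20 subnets")
        elif any(not _is_ipv4_prefix(r) for r in routes):
            errors.append("reachable_routes contains an invalid IPv4 prefix")
    vnic_sets = body.get("vnicSets", [])
    if not isinstance(vnic_sets, list) or any(not THREE_PART.match(str(v)) for v in vnic_sets):
        errors.append("vnicSets must be a list of three-part vNICset names")
    if "pfsFlag" in body and not isinstance(body["pfsFlag"], bool):
        errors.append("pfsFlag must be a boolean")
    ike = body.get("ikeIdentifier")
    if isinstance(ike, str) and ike.startswith("@"):
        # Assumption: the documented 255-character limit counts the leading '@'.
        if not 2 <= len(ike) <= 255 or " " in ike or not ike.isascii():
            errors.append("ikeIdentifier text must be ASCII, at most 255 characters, no spaces")
    elif ike is not None and not (isinstance(ike, str) and _is_ip(ike)):
        errors.append("ikeIdentifier must be an IP address or a text string prefixed with @")
    for field, allowed in (("phase1Settings", PHASE1), ("phase2Settings", PHASE2)):
        settings = body.get(field) or {}
        for key, choices in allowed.items():
            value = settings.get(key)
            if value is None:
                continue
            if value not in choices:
                errors.append(f"{field}.{key}: {value!r} is not one of {sorted(choices)}")
            elif value in WEAK:
                warnings.append(f"{field}.{key}: {value} is a weak choice")
    return errors, warnings


def validate_vpn_json(text):
    """Parse JSON text (the contents of vpnconnection.json) and validate it."""
    try:
        body = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"], []
    if not isinstance(body, dict):
        return ["request body must be a JSON object"], []
    return validate_vpn_request(body)


# The page's own sample request body, used here as input.
SAMPLE_BODY = """{ "psk": "*****", "name": "/Compute-acme/jack.jones@example.com/vpnconnection2",
 "customer_vpn_gateway": "172.16.254.1", "ipNetwork": "/Compute-acme/jack.jones@example.com/ipnet2",
 "reachable_routes": [ "10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24" ],
 "vnicSets": [ "/Compute-acme/jack.jones@example.com/vnicset2" ],
 "phase1Settings": { "encryption": "aes128", "hash": "sha1", "dhGroup": "group2" },
 "phase2Settings": { "encryption": "aes256", "hash": "md5" } }"""

if __name__ == "__main__":
    print(validate_vpn_json(SAMPLE_BODY))
```

Run against the page's sample body, the validator reports no errors but three warnings (sha1 and group2 in phase1Settings, md5 in phase2Settings); the service accepts those values, so treating them as warnings rather than errors leaves the decision to the operator.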
Example of Response Body
The following example shows the response body in JSON format.
{
"uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/vpnendpoint/Compute-acme/jack.jones@example.com/vpnconnection2",
"tunnelStatus": "PENDING",
"psk": "*****",
"name": "/Compute-acme/jack.jones@example.com/vpnconnection2",
"reachable_routes": [
"10.1.2.0/24",
"10.1.3.0/24",
"10.1.4.0/24"
],
"pfsFlag": true,
"vnicSets": [
"/Compute-acme/jack.jones@example.com/vnicset2"
],
"customer_vpn_gateway": "172.16.254.1",
"ipNetwork": "/Compute-acme/jack.jones@example.com/ipnet2",
"phase1Settings": {
"encryption": "aes128",
"hash": "sha1",
"dhGroup": "group2"
},
"phase2Settings": {
"encryption": "aes256",
"hash": "md5"
}
}