Create a VPN Endpoint V2

post

/vpnendpoint/v2/

This endpoint is not available on Oracle Cloud Machine.

Creates an IPSec VPN connection from Oracle Cloud to your data centers using VPN as a Service (VPNaaS).

Note: You can use VPNaaS to set up a tunnel to instances that are on IP networks. However, VPNaaS doesn't support VPN connections to instances that don't have any interface on IP networks. To establish a VPN tunnel to instances that are on the shared network, follow the steps for creating a single-homed Corente Services Gateway instance in Setting Up VPN in Using Oracle Cloud Infrastructure Compute Classic.

Prerequisites

Ensure that you have completed the following tasks and noted the required information before creating a VPN connection.

* Create an IP network or use an existing IP network. See Creating an IP Network in Using Oracle Cloud Infrastructure Compute Classic. Make a note of the name of this IP network.

* Configure a supported third-party VPN device at your data center and make a note of the public IP address of this gateway. The third-party VPN device must be ready for the VPN connection to be established. For information about certified third-party VPN device configurations, see About Setting Up VPN in Using Oracle Cloud Infrastructure Compute Classic.

* Ensure that you have the pre-shared key (PSK) that you want to use for this VPN connection.

* Create a vNICset. When you create instances, specify this vNICset for each vNIC that is added to an IP network that will be reachable over the VPN connection. See Creating a vNICset in Using Oracle Cloud Infrastructure Compute Classic.

While your VPN connection is being configured, its status is PENDING. It can take around 20 to 30 minutes for your VPN gateway to be created. When the cloud VPN gateway is created, the localGatewayAddress parameter provides its public IP address. To monitor the status of your VPN connection and retrieve the public IP address of the cloud VPN gateway, send the GET /vpnendpoint/v2/{name} request. You'll have to update the third-party VPN device in your data center with the public IP address of your cloud VPN gateway. If the third-party device in your data center is configured and ready, the VPN connection is established. The value of the tunnelStatus parameter changes to UP when the connection is established.

Required Role: To complete this task, you must have the Compute_Operations role. If this role isn't assigned to you or you're not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Request

Supported Media Types: application/oracle-compute-v3+json
Body
The request body contains details of the VPN endpoint v2 that you want to create.
Root Schema : VPNConnection-post-request
Type: object
  • customer_vpn_gateway
    Specify the IP address of the VPN gateway in your data center through which you want to connect to the Oracle Cloud VPN gateway. Your gateway device must support policy-based VPN and IKE (Internet Key Exchange) configuration using pre-shared keys.
  • description
    Description of the object.
  • ikeIdentifier
    The Internet Key Exchange (IKE) ID. If you don't specify a value, the default value is the public IP address of the cloud gateway. You can specify either an alternative IP address, or any text string that you want to use as the IKE ID. If you specify a text string, you must prefix the string with @. For example, if you want to specify the text IKEID-for-VPN1, specify @IKEID-for-VPN1 as the value in the request body. If you specify an IP address, don't prefix it with @. The IKE ID is case sensitive and can contain a maximum of 255 ASCII alphanumeric characters including the special characters period (.), hyphen (-), and underscore (_). The IKE ID can't contain embedded space characters.

    Note: If you specify the IKE ID, ensure that you specify the Peer ID type as Domain Name on the third-party device in your data center. Other Peer ID types, such as email address, firewall identifier or key identifier, aren't supported.

  • ipNetwork
    Specify the three-part name of the IP network (/Compute-identity_domain/user/object) in which you want to create the cloud gateway. When you send a request to create a VPN connection, a cloud gateway is created and is assigned an available IP address from the IP network that you specify. So, the cloud gateway is directly connected to the IP network that you specify.

    You can only specify a single IP network. All other IP networks which are connected to the specified IP network through an IP network exchange are discovered and added automatically to the VPN connection.

  • name
    The three-part name (/Compute-identity_domain/user/object) of the VPN connection. Object names can contain only alphanumeric, underscore (_), dash (-), and period (.) characters. Object names are case-sensitive.
  • pfsFlag
    This is enabled (set to true) by default. If your third-party device supports Perfect Forward Secrecy (PFS), set this parameter to true to require PFS.
  • phase1Settings
    Type: object (additional properties allowed)
    Settings for Phase 1 of the protocol (IKE). Object members:

    phase1Settings.encryption: Encryption options for IKE. Possible values are aes128, aes192, aes256. Default is a combination of all possible values.

    phase1Settings.hash: Authentication options for IKE. Possible values are sha1, sha2_256, md5. Default is a combination of all possible values.

    phase1Settings.dhGroup: Diffie-Hellman group for both IKE and ESP. It is applicable for ESP only if PFS is enabled. Possible values are group2, group5, group14, group22, group23, group24. Default is a combination of all possible values.

  • phase2Settings
    Type: object (additional properties allowed)
    Settings for Phase 2 of the protocol (IPSEC). Object members:

    phase2Settings.encryption: Encryption options for IKE. Possible values are aes128, aes192, aes256. Default is a combination of all possible values.

    phase2Settings.hash: Authentication options for IKE. Possible values are sha1, sha2_256, md5. Default is a combination of all possible values.

  • psk
    The pre-shared VPN key. This secret key is shared between your network gateway and the Oracle Cloud network for authentication. Specify the full path and name of the text file that contains the pre-shared key. Ensure that the permission level of the text file is set to 400. The pre-shared VPN key must not exceed 256 characters.
  • reachable_routes
    Type: array
    Specify a list of customer subnets (CIDR prefixes) that are reachable through this VPN tunnel. You can specify a maximum of 20 IP subnet addresses. Specify IPv4 addresses in dot-decimal notation with or without a mask.
  • tags
    Type: array
    Tags associated with the object.
  • vnicSets
    Type: array
    Comma-separated list of vNIC sets. Traffic is allowed to and from these vNIC sets to the cloud gateway's vNIC set.

Response

Supported Media Types: application/oracle-compute-v3+json

202 Response

Created. See Status Codes for information about other possible HTTP status codes.
Body
Root Schema : VPNConnection-response
Type: object
Nested Schema : phase1Settings
Type: object (additional properties allowed)
Settings for Phase 1 of the protocol (IKE).
Nested Schema : phase2Settings
Type: object (additional properties allowed)
Settings for Phase 2 of the protocol (IPSEC).
Nested Schema : reachable_routes
Type: array
List of subnets (CIDR prefixes) that are reachable through this VPN tunnel.
Nested Schema : tags
Type: array
Tags associated with the object.
Nested Schema : vnicSets
Type: array
Comma-separated list of vNIC sets. Traffic is allowed to and from these vNIC sets to the cloud gateway's vNIC set.

Examples

cURL Command

The following example shows how to create a VPN endpoint by submitting a POST request on the REST resource using cURL. For more information about cURL, see Use cURL.

Enter the command on a single line. Line breaks are used in this example for readability.

curl -i -X POST
     -H "Cookie: $COMPUTE_COOKIE"
     -H "Content-Type: application/oracle-compute-v3+json"
     -H "Accept: application/oracle-compute-v3+json"
     -d "@vpnconnection.json"
        https://api-z999.compute.us0.oraclecloud.com/vpnendpoint/v2/
  • COMPUTE_COOKIE is the name of the variable in which you stored the authentication cookie earlier. For information about retrieving the authentication cookie and storing it in a variable, see Authentication.

  • api-z999.compute.us0.oraclecloud.com is an example REST endpoint URL. Change this value to the REST endpoint URL of your Compute Classic site. For information about finding the REST endpoint URL for your site, see Send Requests.

  • After creating the JSON file, you should validate it. You can do this by using a third-party tool, such as JSONLint, or any other validation tool of your choice. If your JSON format isn't valid, then an error message is displayed when you pass the request body.

Example of Request Body

The following shows an example of the request body content in the vpnconnection.json file with values for optional parameters, such as phase1Settings and phase2Settings.

{
  "psk": "*****",
  "name": "/Compute-acme/jack.jones@example.com/vpnconnection2",
  "customer_vpn_gateway": "172.16.254.1",
  "ipNetwork": "/Compute-acme/jack.jones@example.com/ipnet2",
  "reachable_routes": [
    "10.1.2.0/24",
    "10.1.3.0/24",
    "10.1.4.0/24"
  ],
  "vnicSets": [
    "/Compute-acme/jack.jones@example.com/vnicset2"
  ],
  "phase1Settings": {
    "encryption": "aes128",
    "hash": "sha1",
    "dhGroup": "group2"
  },
  "phase2Settings": {
    "encryption": "aes256",
    "hash": "md5"
  }
}
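As an added example (not Oracle's code), the following checker goes beyond the plain JSON syntax validation recommended above and also enforces the documented constraints on the request body: three-part names, an IPv4 customer gateway address, at most 20 IPv4 reachable_routes with or without a mask, the psk length limit, and the documented phase1Settings/phase2Settings value sets. The sample body is constructed to mirror the one shown above, with a placeholder psk.

```python
import ipaddress
import json
import re

# Value sets and name format exactly as documented for this request body.
ENCRYPTION = {"aes128", "aes192", "aes256"}
HASHES = {"sha1", "sha2_256", "md5"}
DH_GROUPS = {"group2", "group5", "group14", "group22", "group23", "group24"}
THREE_PART = re.compile(r"^/Compute-[^/]+/[^/]+/[A-Za-z0-9_.-]+$")


def validate_vpn_request(text):
    """Return a list of problems in a vpnconnection.json body (empty list means OK)."""
    try:
        body = json.loads(text)
    except ValueError as exc:
        return ["not valid JSON: %s" % exc]
    errors = []
    for key in ("name", "ipNetwork"):  # /Compute-identity_domain/user/object names
        if not THREE_PART.match(str(body.get(key, ""))):
            errors.append("%s must be a three-part name" % key)
    try:  # the customer gateway is given as a plain IPv4 address
        ipaddress.IPv4Address(str(body.get("customer_vpn_gateway", "")))
    except ValueError:
        errors.append("customer_vpn_gateway must be an IPv4 address")
    psk = str(body.get("psk", ""))
    if not psk or len(psk) > 256:
        errors.append("psk is required and must not exceed 256 characters")
    routes = body.get("reachable_routes", [])
    if len(routes) > 20:
        errors.append("reachable_routes allows at most 20 subnets")
    for route in routes:  # IPv4 dot-decimal notation, with or without a mask
        try:
            ipaddress.IPv4Network(str(route), strict=False)
        except ValueError:
            errors.append("reachable_routes entry %r is not an IPv4 prefix" % route)
    for phase, allowed in (("phase1Settings", {"encryption": ENCRYPTION, "hash": HASHES, "dhGroup": DH_GROUPS}),
                           ("phase2Settings", {"encryption": ENCRYPTION, "hash": HASHES})):
        for field, value in body.get(phase, {}).items():
            if field not in allowed or value not in allowed[field]:
                errors.append("%s.%s=%r is not a documented value" % (phase, field, value))
    return errors


# Constructed sample mirroring the request body shown on this page (psk is a placeholder).
SAMPLE_BODY = json.dumps({
    "psk": "constructed-placeholder", "name": "/Compute-acme/jack.jones@example.com/vpnconnection2",
    "customer_vpn_gateway": "172.16.254.1", "ipNetwork": "/Compute-acme/jack.jones@example.com/ipnet2",
    "reachable_routes": ["10.1.2.0/24", "10.1.3.0"], "vnicSets": ["/Compute-acme/jack.jones@example.com/vnicset2"],
    "phase1Settings": {"encryption": "aes128", "hash": "sha1", "dhGroup": "group2"},
    "phase2Settings": {"encryption": "aes256", "hash": "md5"}})
```

Run `validate_vpn_request(open("vpnconnection.json").read())` before sending the POST; an empty list means the file passes every check above.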

Example of Response Body

The following example shows the response body in JSON format.

{
  "uri": "https://api-z999.compute.us0.oraclecloud.com:443/network/v1/vpnendpoint/Compute-acme/jack.jones@example.com/vpnconnection2",
  "tunnelStatus": "PENDING",
  "psk": "*****",
  "name": "/Compute-acme/jack.jones@example.com/vpnconnection2",
  "reachable_routes": [
    "10.1.2.0/24",
    "10.1.3.0/24",
    "10.1.4.0/24"
  ],
  "pfsFlag": true,
  "vnicSets": [
    "/Compute-acme/jack.jones@example.com/vnicset2"
  ],
  "customer_vpn_gateway": "172.16.254.1",
  "ipNetwork": "/Compute-acme/jack.jones@example.com/ipnet2",
  "phase1Settings": {
    "encryption": "aes128",
    "hash": "sha1",
    "dhGroup": "group2"
  },
  "phase2Settings": {
    "encryption": "aes256",
    "hash": "md5"
  }
}