Configuring Your Oracle Cloud Infrastructure Networking Classic – VPN for Dedicated Compute Classic Gateway

Note: This topic does not apply to Oracle Cloud at Customer.

After the Oracle Cloud Infrastructure Networking Classic – VPN for Dedicated Compute Classic service is provisioned, you must configure your VPN gateway to connect to the Oracle Cloud Infrastructure VPN gateway.
Do the following:
  1. Configure Internet Key Exchange (IKE)
  2. Configure IPSec
  3. Configure a tunnel interface
  4. Configure a static route
For a sample configuration of a VPN gateway, see Example Configuration of a VPN Gateway.

Example Configuration of a VPN Gateway


This example provides a sample configuration for your VPN gateway. You must perform this configuration for each VPN tunnel that you create.

This example is specific to Juniper Junos SRX series VPN devices. However, the IKE and IPSec parameters apply to any standards-compliant IPSec VPN device: as long as your device is compatible with the IPSec VPN standards and is configured with the IKE and IPSec parameters shown in this example, you should be able to establish the VPN connection.

#
# The VPN identifier in the example below is "vpn-dcz-site-1", representing the VPN
# connection to the Oracle Dedicated Compute Zone "dcz" from customer site "site-1".
# You can create VPN connections from other sites as well. Each zone
# supports up to five different VPN tunnels.
# VPN Connection ID : vpn-dcz-site-1
#
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters. Both ends of the
# tunnel must offer matching values; the values below are the ones the Oracle
# VPN gateway expects for this service.
#
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2 
set security ike proposal pre-g2-aes128-sha authentication-algorithm sha1
set security ike proposal pre-g2-aes128-sha encryption-algorithm aes-128-cbc
set security ike proposal pre-g2-aes128-sha lifetime-seconds 86400


# An IKE policy is established to associate a pre-shared key with the
# defined proposal. You can connect from more than one site; in that case
# give each site its own IKE policy and replace the policy name in every
# statement below consistently (the same name must appear in all three
# statements, otherwise the pre-shared key ends up on a separate, unused policy).
# "dcz" below refers to "Dedicated Compute Zone".
#
set security ike policy dcz-site-1-ike-policy mode main
set security ike policy dcz-site-1-ike-policy proposals pre-g2-aes128-sha
set security ike policy dcz-site-1-ike-policy pre-shared-key ascii-text "Use_pre_shared_key_received_from_Oracle"

# The IKE gateway is defined to be the Oracle VPN gateway (the remote peer). The
# gateway configuration associates a local external interface, the remote peer's
# IP address, and the IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# Set this to the local interface that carries the public IP address of your
# Customer Gateway, as registered when the Customer Gateway was set up.
# The address 192.168.111.3 in the "address" statement is an example value for the
# remote Oracle VPN gateway; replace it with the peer address you received from Oracle.
#
# If either address changes, the Customer Gateway and VPN Connection must be recreated.
#
#
set security ike gateway gw-vpn-site-1 ike-policy dcz-site-1-ike-policy
set security ike gateway gw-vpn-site-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-site-1 address 192.168.111.3

# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below causes the router to log IKE messages to
# the 'kmd' trace file. Run 'show log kmd' to retrieve these logs, and
# remove the traceoptions again once the tunnel is up (trace files grow quickly
# and can contain peer addresses and negotiation details).
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all

# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
#
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc

# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal

# A security association is defined here. The IPSec Policy and IKE gateways
# are associated with a tunnel interface (st0.0).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name 
# (for example, st0.10).
#
set security ipsec vpn vpn-dcz-site-1 bind-interface st0.0
set security ipsec vpn vpn-dcz-site-1 ike gateway gw-vpn-site-1
set security ipsec vpn vpn-dcz-site-1 ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn vpn-dcz-site-1 establish-tunnels-immediately


# #3: Tunnel Interface Configuration
#

# The tunnel interface is configured with the inside (tunnel) IP address. This
# address should be in the same subnet as the remote end's tunnel address and is
# provided to you by Oracle; add it with the "address" statement shown below.
# The MTU of 1436 is a starting value; verify the correct value for your path.
set interfaces st0.0 family inet
# set interfaces st0.0 family inet address <tunnel-address-from-Oracle>/<prefix-length>
set interfaces st0.0 family inet mtu 1436
set security zones security-zone trust interfaces st0.0

# The security zone protecting external interfaces of the router must be 
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike


# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1350

# --------------------------------------------------------------------------------
# #4: Static Route Configuration
#

# Your Customer Gateway needs a static route for the prefix of your VPC (your
# Oracle cloud network) pointing at the tunnel interface.
# An example for a VPC with the prefix 10.0.0.0/16 is provided below.
# set routing-options static route 10.0.0.0/16 next-hop st0.0
#
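A Junos "set" configuration is a flat list of statements, so a name that is mis-typed in one statement (an IKE policy name in the pre-shared-key line, an IPSec proposal name in the "protocol esp" line) does not produce an error: it silently creates a second, half-configured object, and the object the tunnel actually uses is left without its key or its protocol. The following checker, an added example that is not Oracle's or Juniper's code, parses the statements above and reports references to undefined objects, proposals/policies/gateways that are defined but never referenced, and IKE policies without a pre-shared key. The sample configuration embedded in it is constructed for the example and contains two deliberate name mismatches of exactly that kind.

```python
"""Reference checker for a flat Junos-style 'set' IPsec VPN configuration.

Added example, not Oracle's or Juniper's code. Parses 'set' statements and reports:
  - references (proposals, policies, gateways, interfaces) to undefined objects
  - proposals, policies and gateways that are defined but never referenced
  - IKE policies that carry no pre-shared-key
"""
import shlex
from collections import defaultdict

# Constructed sample: the pre-shared-key line names "dcz-site1-ike-policy" and the
# "protocol esp" line names "ipsec-phase2-prposal", neither of which is the object
# the gateway and policy actually reference. The ge-0/0/0 address is a documentation address.
SAMPLE_CONFIG = """
set security ike proposal pre-g2-aes128-sha authentication-method pre-shared-keys
set security ike proposal pre-g2-aes128-sha dh-group group2
set security ike policy dcz-site-1-ike-policy mode main
set security ike policy dcz-site-1-ike-policy proposals pre-g2-aes128-sha
set security ike policy dcz-site1-ike-policy pre-shared-key ascii-text "Use_pre_shared_key_received_from_Oracle"
set security ike gateway gw-vpn-site-1 ike-policy dcz-site-1-ike-policy
set security ike gateway gw-vpn-site-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-site-1 address 192.168.111.3
set security ipsec proposal ipsec-phase2-prposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec vpn vpn-dcz-site-1 bind-interface st0.0
set security ipsec vpn vpn-dcz-site-1 ike gateway gw-vpn-site-1
set security ipsec vpn vpn-dcz-site-1 ike ipsec-policy ipsec-phase2-policy
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.10/24
set interfaces st0.0 family inet
set security zones security-zone trust interfaces st0.0
"""

# Path prefix that defines each object kind; the object name is the token after it.
DEFINES = {
    "ike proposal":   ("security", "ike", "proposal"),
    "ike policy":     ("security", "ike", "policy"),
    "ike gateway":    ("security", "ike", "gateway"),
    "ipsec proposal": ("security", "ipsec", "proposal"),
    "ipsec policy":   ("security", "ipsec", "policy"),
    "ipsec vpn":      ("security", "ipsec", "vpn"),
}
# (kind of the referencing object, keyword preceding the name) -> kind referenced
REFERENCES = {
    ("ike policy", "proposals"):           "ike proposal",
    ("ike gateway", "ike-policy"):         "ike policy",
    ("ike gateway", "external-interface"): "interface",
    ("ipsec policy", "proposals"):         "ipsec proposal",
    ("ipsec vpn", "bind-interface"):       "interface",
    ("ipsec vpn", "gateway"):              "ike gateway",
    ("ipsec vpn", "ipsec-policy"):         "ipsec policy",
}
# Kinds that exist only to be referenced by another object.
MUST_BE_REFERENCED = {"ike proposal", "ike policy", "ike gateway",
                      "ipsec proposal", "ipsec policy"}


def parse_set_statements(text):
    """Yield the token list of every 'set ...' line, honouring quoted values."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            yield shlex.split(line)[1:]


def classify(tokens):
    """Return (kind, name, remaining tokens) for a statement, or None if untracked."""
    if tokens[0] == "interfaces" and len(tokens) >= 2:
        # Accept both 'interfaces st0.0 ...' and 'interfaces ge-0/0/0 unit 0 ...'.
        if len(tokens) >= 4 and tokens[2] == "unit":
            return "interface", tokens[1] + "." + tokens[3], tokens[4:]
        return "interface", tokens[1], tokens[2:]
    for kind, prefix in DEFINES.items():
        n = len(prefix)
        if tuple(tokens[:n]) == prefix and len(tokens) > n:
            return kind, tokens[n], tokens[n + 1:]
    return None


def check_config(text):
    """Return a sorted list of findings; empty when all references are consistent."""
    defined = defaultdict(set)      # kind -> names that some statement defines
    referenced = defaultdict(set)   # kind -> names that some statement references
    refs = []                       # (source kind, source name, target kind, target name)
    psk_policies = set()
    for tokens in parse_set_statements(text):
        item = classify(tokens)
        if item is None:
            continue
        kind, name, rest = item
        defined[kind].add(name)
        if kind == "ike policy" and rest[:1] == ["pre-shared-key"]:
            psk_policies.add(name)
        for i, tok in enumerate(rest[:-1]):
            target_kind = REFERENCES.get((kind, tok))
            if target_kind:
                refs.append((kind, name, target_kind, rest[i + 1]))
                referenced[target_kind].add(rest[i + 1])
    findings = []
    for src_kind, src_name, dst_kind, dst_name in refs:
        if dst_name not in defined[dst_kind]:
            findings.append(f"{src_kind} '{src_name}' references undefined {dst_kind} '{dst_name}'")
    for kind in MUST_BE_REFERENCED:
        for name in defined[kind] - referenced[kind]:
            findings.append(f"{kind} '{name}' is defined but never referenced")
    for name in defined["ike policy"] - psk_policies:
        findings.append(f"ike policy '{name}' has no pre-shared-key")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a file of `set` statements exported with `show configuration | display set` before you commit; an empty result means every proposal, policy, gateway and interface name lines up across statements. It checks names only, not whether the IKE and IPSec parameter values match the Oracle side.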