17 Set Up VPN Connection to Oracle Cloud Infrastructure

Use IPSec VPN to set up a connection between the Compute Classic environment and the Oracle Cloud Infrastructure.

Set Up VPNaaS Connection between an IP Network and Oracle Cloud Infrastructure

Note: This topic does not apply to Oracle Cloud at Customer.

Use VPN as a Service (VPNaaS) to set up a secure, private connection between an IP network in Compute Classic and a subnet in the virtual cloud network (VCN) in Oracle Cloud Infrastructure.

About Setting Up VPN Connection between Compute Classic and Oracle Cloud Infrastructure

Use VPN as a Service (VPNaaS) to set up a VPN connection between an IP network in your Compute Classic site and a single subnet in the VCN in your Oracle Cloud Infrastructure site. This provides a secure communication channel between your Compute Classic site and your Oracle Cloud Infrastructure site.

Workflow for Setting Up a VPNaaS Connection to Oracle Cloud Infrastructure

  1. Create an IP network in the Compute Classic site or use an existing IP network. See Creating an IP Network. Note down the name of the IP network, as you’ll have to provide this information while creating the VPNaaS connection.

  2. Create a vNICset. When you create instances, specify this vNICset for each vNIC that is added to an IP network that will be reachable over the VPN connection. See Creating a vNICset. Note down the name of the vNICset as you’ll have to provide this information while creating the VPNaaS connection.

  3. Create a VPN connection using VPNaaS in the Compute Classic site. See Create a VPN Connection in Compute Classic.

  4. Create the required networking components in Oracle Cloud Infrastructure to set up IPSec VPN. See Setting Up an IPSec VPN in Oracle Cloud Infrastructure documentation.

  5. Update the VPN connection that you have created in the Compute Classic site with the pre-shared key and IP address of the IPSec VPN tunnel that you have created in Oracle Cloud Infrastructure. See Update the VPNaaS Connection in Compute Classic.

  6. Validate connectivity between your hosts in the Compute Classic site and Oracle Cloud Infrastructure.

    Test the connection before you start using it. Depending on how you've set up your IP network's security rules and security lists in VCN, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.

This sets up a VPN connection between a single IP network in your Compute Classic site and a single subnet in the VCN in your Oracle Cloud Infrastructure site. If you want to establish a VPN connection between another IP network and another subnet in Oracle Cloud Infrastructure VCN, you’ll have to create another VPNaaS connection.

Create a VPN Connection in Compute Classic

Create a VPN connection using VPNaaS in the Compute Classic site.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand VPNaaS, and then click VPN Connections.
  4. Click Create VPN Connection.
  5. Select or enter the required information:
    • Name: Enter a name for the VPN connection.
    • IP Network: Select the IP network that you want to access over this VPN connection. This is the IP network that you can access from Oracle Cloud Infrastructure when the VPN connection is provisioned.
    • Connected IP Networks: The information displayed in this field does not apply to this procedure. You can only access a single IP network in the Compute Classic site from Oracle Cloud Infrastructure over the VPN connection.
    • vNICsets: Select the vNICsets that contain the vNICs that you want to access over this VPN connection. To be reachable over this VPN connection, a vNIC must belong to one of the specified vNICsets and must be attached to the connected IP network.
    • Customer Gateway: Enter a temporary IP address in this field. You’ll replace this value later with the IP address of the IPSec VPN tunnel that you create in Oracle Cloud Infrastructure.
    • Customer Reachable Routes: Enter (in CIDR format) a single Oracle Cloud Infrastructure VCN subnet that should be reachable using this VPN connection. You can retrieve this information from the Oracle Cloud Infrastructure VCN details page. If you have not yet created a VCN subnet, enter a temporary value and then replace this value after creating a subnet in Oracle Cloud Infrastructure VCN.
    • Pre-shared Key: Enter a temporary PSK. You’ll replace this value later with the PSK of the IPSec VPN tunnel that you create in Oracle Cloud Infrastructure.
    • Specify Phase 1 IKE Proposal: Select this option to specify Phase 1 IKE v1 options, if required. You can specify the following values:
      • IKE Encryption: Select AES256.

      • IKE Hash: Select SHA2 256.

      • IKE DH group: Select 5.
      • IKE Lifetime: Specify 28800.

    • Specify Phase 2 ESP Proposal: Select this option to specify Phase 2 Encapsulating Security Payload (ESP) options, if required. You can specify the following values:
      • ESP Encryption: Select AES256 as the ESP encryption algorithm.

      • ESP Hash: Select SHA1 as the ESP hash algorithm.

      • IPSEC Lifetime: Specify 1800.

    • Require Perfect Forward Secrecy: This option is selected by default. Retain this setting to require PFS.
  6. Click Create.
    The VPN connection is listed on the VPN Connections page. You can monitor the provisioning status of your VPN connection by looking at the value of Life Cycle Status on the VPN Connections page. While your VPN connection is being configured, its Life Cycle Status is Provisioning. When your VPN connection is fully provisioned and configured, its Life Cycle Status changes to Ready. When your cloud VPN gateway has been created, you will see the public IP address of the gateway.
  7. Note down the public IP address of the gateway as you’ll have to provide this later.

After noting down the public IP address of the VPN gateway, create the required networking components in Oracle Cloud Infrastructure. See Setting Up an IPSec VPN in Oracle Cloud Infrastructure documentation.

Keep the following points in mind while creating the required networking components in Oracle Cloud Infrastructure:

  • After creating a dynamic routing gateway (DRG) and attaching the DRG to the VCN, create a route table and a route rule for the DRG. The route rule's destination should be the CIDR of your IP network in the Compute Classic site, with the DRG as the target.

  • While creating the Customer-Premises Equipment (CPE) object, in the IP Address field specify the public IP address of the VPN gateway that you have created in the Compute Classic site.

  • While creating the IPSec connection from the DRG to the CPE object, in the Static Route CIDR field specify the CIDR block of the IP network in the Compute Classic site. You can specify the CIDR block of only one IP network.

Update the VPNaaS Connection in Compute Classic

After setting up the networking components in Oracle Cloud Infrastructure, note down the public IP address and the pre-shared key of the IPSec VPN tunnel. Update the VPNaaS connection in your Compute Classic site to provide the correct IP address and pre-shared key that you have retrieved from the Oracle Cloud Infrastructure environment.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand VPNaaS, and then click VPN Connections.
  4. Go to the VPN connection that you want to update. From the menu icon, select Update.
  5. Update the information as required:
    • Customer Gateway: Enter the public IP address of the IPSec VPN tunnel in the Oracle Cloud Infrastructure site that you want to connect to.
    • Customer Reachable Routes: Enter (in CIDR format) a single VCN subnet in Oracle Cloud Infrastructure that should be reachable using this VPN connection. You can retrieve this information from the Oracle Cloud Infrastructure VCN details page.
    • Pre-shared Key: Enter the pre-shared key (PSK) that was used while setting up the IPSec VPN tunnel in the Oracle Cloud Infrastructure site. The PSK is used while setting up the VPN connection to establish the authenticity of the gateway that is requesting the connection. The PSK must contain only alphanumeric characters.
  6. Click Update.
    When the update operation is in progress, the Life Cycle Status of the VPN connection changes to Updating. After the update is complete and when the VPN connection is fully provisioned and configured, the Life Cycle Status changes to Ready.

When the VPN connection in the Compute Classic site is updated and provisioned, the IPSec VPN tunnel becomes available on Oracle Cloud Infrastructure. This might take a few minutes.

Validate connectivity between your hosts in the Compute Classic site and Oracle Cloud Infrastructure. Depending on how you've set up your IP network's security rules and VCN security lists, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.
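The Compute Classic and Oracle Cloud Infrastructure halves of a VPNaaS connection must mirror each other: each side's gateway field names the other side's public IP, the same alphanumeric PSK is entered on both sides, Customer Reachable Routes is the single VCN subnet, Static Route CIDR is the IP network CIDR, and the DRG route rule points that CIDR at the DRG. The following script is an added example, not Oracle code or part of this documentation; it cross-checks those fields, together with the Phase 1 and Phase 2 proposal values given above, before you click Update. All addresses, CIDRs and the PSK in it are constructed placeholders.

```python
"""Cross-check the two halves of a VPNaaS (Compute Classic) to OCI IPSec pairing.

Added example, not Oracle code. Every address, CIDR and key below is a
constructed placeholder; the expected proposal values come from the procedure.
"""
from dataclasses import dataclass, field, replace
import ipaddress

# Phase 1 IKE v1 and Phase 2 ESP values as entered in the Compute Classic console.
EXPECTED_IKE = {"encryption": "AES256", "hash": "SHA2 256", "dh_group": 5, "lifetime": 28800}
EXPECTED_ESP = {"encryption": "AES256", "hash": "SHA1", "lifetime": 1800}


@dataclass
class ComputeClassicVpnaas:
    """Fields on the Create/Update VPN Connection page in Compute Classic."""
    ip_network_cidr: str            # CIDR of the IP network chosen under "IP Network"
    gateway_public_ip: str          # public IP shown once Life Cycle Status is Ready
    customer_gateway: str           # must become the OCI IPSec tunnel public IP
    customer_reachable_routes: str  # the single VCN subnet, in CIDR format
    pre_shared_key: str
    ike: dict = field(default_factory=lambda: dict(EXPECTED_IKE))
    esp: dict = field(default_factory=lambda: dict(EXPECTED_ESP))
    require_pfs: bool = True


@dataclass
class OciIpsecSide:
    """Values configured in OCI: CPE object, IPSec connection and DRG route rule."""
    vcn_cidr: str
    vcn_subnet_cidr: str
    tunnel_public_ip: str   # IPSec tunnel IP that OCI assigns
    cpe_ip_address: str     # CPE object "IP Address" field
    static_route_cidr: str  # IPSec connection "Static Route CIDR" field
    drg_route_rules: list   # (destination CIDR, target) tuples in the DRG route table
    shared_secret: str


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=True)  # rejects CIDRs with host bits set


def check_vpnaas_pairing(cc: ComputeClassicVpnaas, oci: OciIpsecSide) -> list:
    """Return findings as strings; an empty list means the two sides mirror each other."""
    findings = []
    try:
        ip_net, vcn, subnet = _net(cc.ip_network_cidr), _net(oci.vcn_cidr), _net(oci.vcn_subnet_cidr)
        reach, static = _net(cc.customer_reachable_routes), _net(oci.static_route_cidr)
        rules = [(_net(dst), target) for dst, target in oci.drg_route_rules]
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]

    # Gateway addresses are swapped between the sides: each names the other's endpoint.
    if cc.customer_gateway != oci.tunnel_public_ip:
        findings.append("Customer Gateway must be the OCI IPSec tunnel public IP")
    if oci.cpe_ip_address != cc.gateway_public_ip:
        findings.append("CPE IP Address must be the Compute Classic VPN gateway public IP")

    # The same PSK is entered on both sides and is restricted to alphanumeric characters.
    if cc.pre_shared_key != oci.shared_secret:
        findings.append("pre-shared keys differ between the two sites")
    if not cc.pre_shared_key.isalnum():
        findings.append("pre-shared key must contain only alphanumeric characters")

    # Traffic selectors: one VCN subnet reachable from Compute Classic, one IP network from OCI.
    if reach != subnet or not reach.subnet_of(vcn):
        findings.append("Customer Reachable Routes must be the single VCN subnet inside the VCN CIDR")
    if static != ip_net:
        findings.append("Static Route CIDR must equal the Compute Classic IP network CIDR")
    if ip_net.overlaps(vcn):
        findings.append("IP network CIDR overlaps the VCN CIDR; routes would be ambiguous")
    if (ip_net, "DRG") not in rules:
        findings.append("DRG route table needs a rule: destination = IP network CIDR, target = DRG")

    # Proposal values and PFS as given in the procedure.
    if cc.ike != EXPECTED_IKE:
        findings.append(f"IKE proposal differs from {EXPECTED_IKE}")
    if cc.esp != EXPECTED_ESP:
        findings.append(f"ESP proposal differs from {EXPECTED_ESP}")
    if not cc.require_pfs:
        findings.append("Require Perfect Forward Secrecy should stay selected")
    return findings


def example_pair(psk: str = "Example123Key"):
    """Constructed sample inputs (documentation-range addresses, placeholder PSK)."""
    cc = ComputeClassicVpnaas(
        ip_network_cidr="192.168.10.0/24", gateway_public_ip="203.0.113.10",
        customer_gateway="198.51.100.20", customer_reachable_routes="10.0.1.0/24",
        pre_shared_key=psk)
    oci = OciIpsecSide(
        vcn_cidr="10.0.0.0/16", vcn_subnet_cidr="10.0.1.0/24",
        tunnel_public_ip="198.51.100.20", cpe_ip_address="203.0.113.10",
        static_route_cidr="192.168.10.0/24", drg_route_rules=[("192.168.10.0/24", "DRG")],
        shared_secret=psk)
    return cc, oci


if __name__ == "__main__":
    cc, oci = example_pair()
    print(check_vpnaas_pairing(cc, oci) or "consistent")
    # A temporary Customer Gateway left in place and a PSK containing '-' both get flagged.
    stale = replace(cc, customer_gateway="192.0.2.1", pre_shared_key="not-alnum")
    for finding in check_vpnaas_pairing(stale, oci):
        print("-", finding)
```

The most common failure this catches is the one the procedure warns about: the temporary Customer Gateway and PSK entered in step 5 of Create a VPN Connection are never replaced, so the Compute Classic side keeps proposing to an address that is not the Oracle Cloud Infrastructure tunnel.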

Set Up VPN Connection between Shared Network and Oracle Cloud Infrastructure

Note: This topic does not apply to Oracle Cloud at Customer.

Using an IPSec VPN, you can set up a secure, private connection between the shared network in Compute Classic and the virtual cloud network (VCN) in Oracle Cloud Infrastructure.

Workflow for Setting Up a VPN Connection between the Shared Network and Oracle Cloud Infrastructure

  1. Complete the prerequisites. See Before You Begin.

  2. Create a Corente Services Gateway instance in Compute Classic. See Create a Cloud Gateway.

  3. Add information about your VPN device in Oracle Cloud Infrastructure. See Register the Third-Party VPN Device.

  4. Create a connection between your Corente Services Gateway and the Oracle Cloud Infrastructure DRG. See Connect the Cloud Gateway with the Oracle Cloud Infrastructure VPN.

  5. On each instance that you want to access, configure a GRE tunnel to the gateway. See Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud in Setting Up VPN From a Third-Party Gateway On-Premises to the Shared Network.

  6. Update the timeout for the VPN connection. See Update the Timeout.

  7. Test the connection after the status of the VPN connection changes to Up. Depending on how you've set up your IP network's security rules and VCN security lists, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.

Before You Begin

Before you begin creating an IPSec VPN connection to Oracle Cloud Infrastructure, complete the following tasks.

  • Create an IP reservation in the shared network. While reserving the IP address, ensure that you don't attach this IP address to any instance. See Reserving a Public IP Address.

    Note down the value of the public IP address that you have reserved as you will have to provide this information while creating the VPN gateway.

  • Create networking components in Oracle Cloud Infrastructure. See Setting Up an IPSec VPN in Oracle Cloud Infrastructure documentation.

    Keep the following points in mind while creating the required networking components in Oracle Cloud Infrastructure:

    • After creating a dynamic routing gateway (DRG) and attaching the DRG to VCN, create a route table and route rule for the DRG. The routes should include a route to your shared network in the Compute Classic site.
    • While creating the Customer-Premises Equipment (CPE) object, in the IP Address field specify the public IP address of the VPN gateway that you have created in the Compute Classic site. While creating the cloud gateway in the Compute Classic site, you specify an IP reservation to assign a public IP address to the VPN gateway; specify that IP address here.
    • While creating the IPSec connection from the DRG to the CPE object, in the Static Route CIDR field enter 172.16.1.0/24. This is the subnet that contains the local address of the GRE tunnel to the Corente Services Gateway instance in the Compute Classic environment.
  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Create a Cloud Gateway

If you want to establish a VPN connection to your Compute Classic instances, start by creating a Corente Services Gateway instance.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
  4. Click Create VPN Gateway.
  5. Select or enter the required information:
    • Name: Enter a name for the Corente Services Gateway instance.
    • IP Reservation: Select the IP reservation that you want to use with this instance. This is the public IP address of your VPN gateway.
    • Image: Select the machine image that you want to use to create the instance. You must select the most recent Corente Gateway image, such as corente_gateway_images-9.4.1062.
    • Interface Type: Select Single-homed.
    • Subnets: Enter 172.16.1.0/24. This is the subnet that contains the local address of the GRE tunnel to the Corente Services Gateway instance in the cloud.
  6. Click Create.

A Corente Services Gateway instance is created. The required orchestrations are created and started automatically. For example, if you specified the name of the Corente Gateway instance as CSG1, then the following orchestrations are created:

  • vpn-CSG1-launchplan: This orchestration creates the instance using the specified image, and associates the instance with the shared network.

  • vpn-CSG1-bootvol: This orchestration creates the persistent bootable storage volume.

  • vpn-CSG1-secrules: This orchestration creates the required security list, security applications, and security rules.

  • vpn-CSG1-master: This orchestration specifies relationships between each of the nested orchestrations and starts each orchestration in the appropriate sequence.

While the Corente Services Gateway instance is being created, the instance status displayed in the Instance column on the VPN Gateways page is Starting. When the instance is created, its status changes to Ready.

Note:

You can list the gateway instance and view details on the Instances page, or view the corresponding orchestrations on the Orchestrations page. However, it is recommended that you always use the VPN Gateways page to manage your gateway instances.

Register the Third-Party VPN Device

To establish a VPN connection to your Compute Classic instances, after creating a Corente Services Gateway instance, register a VPN device to provide information about the Dynamic Routing Gateway (DRG) in Oracle Cloud Infrastructure.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
  4. Click Add VPN Device.
  5. Select or enter the required information:
    • Name: Enter a name for the VPN device used in Oracle Cloud Infrastructure.
    • Type: Select other.
    • WAN IP Address: Enter the IP address of the WAN interface of your Oracle Cloud Infrastructure DRG.
    • Visible IP Address: Enter the IP address of the WAN interface of your Oracle Cloud Infrastructure DRG.
    • Subnets: Enter (in CIDR format) the Oracle Cloud Infrastructure VCN that should be reachable using this VPN connection. You can retrieve this information from the Oracle Cloud Infrastructure VCN details page. If you specify the VCN CIDR, then all the subnets in VCN can communicate with the shared network.
    • PFS: This option is selected by default. Retain this setting to require PFS.
    • DPD: This option is selected by default. If your third-party device supports Dead Peer Detection (DPD), retain this setting to require DPD.
  6. Click Create.
    A record of your DRG in Oracle Cloud Infrastructure is created.
Next, to use this VPN device to establish a VPN connection between Oracle Cloud Infrastructure and your Compute Classic instances, create a VPN connection.

Connect the Cloud Gateway with the Oracle Cloud Infrastructure VPN

After you’ve created a Corente Services Gateway instance and added a third-party device, to establish a VPN connection between Oracle Cloud Infrastructure and your Compute Classic instances you must connect the cloud gateway with the Oracle Cloud Infrastructure VPN.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.
  4. Click Create VPN Connection.
  5. Select or enter the required information:
    • Gateway: Select the Corente Services Gateway that you want to use.
    • Device: Select the device in Oracle Cloud Infrastructure that you want to use.
    • IKE ID: The Internet Key Exchange (IKE) ID is used in Oracle Cloud Infrastructure to identify the Corente Services Gateway. Specify the public IP address of the Corente Services Gateway that you have created in Compute Classic.
    • Shared Secret: The shared secret, also called the pre-shared key (PSK) on some devices, is used while setting up the VPN connection to establish the authenticity of the Corente Services Gateway that is requesting the VPN connection. You must enter the same shared secret here and in Oracle Cloud Infrastructure. The shared secret must contain only alphanumeric characters.

    The VPN connection is created.

To complete the VPN setup, you must configure GRE tunnels between the Corente Services Gateway instance and each Compute Classic instance that you want to access using VPN. See Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud in Setting Up VPN From a Third-Party Gateway On-Premises to the Shared Network.

Update the Timeout

App Net Manager is a secure web portal that you use to modify and monitor the components of your IPSec VPN network in Compute Classic.

To update the timeout for the VPN connection:
  1. Download App Net Manager from https://www.oracle.com/technetwork/server-storage/corente/downloads/index.html.
  2. Log in to App Net Manager using the Corente credentials that you received in an email when you subscribed to Compute Classic.
  3. In App Net Manager, in the Domains pane, click Locations to expand and show all of your gateways.
  4. Right-click your Oracle Cloud Infrastructure Classic gateway instance, and then select Edit.
  5. In the Edit dialog box, select the Partners tab, and click the Add button.
  6. Select 3rd-Party Device and then select the Oracle Cloud Infrastructure VPN device name that you had configured in the earlier task.
  7. Under Timeouts, enter 28800 seconds as the IKE Lifetime.
  8. Under Timeouts, enter 1800 seconds as the IPSEC Lifetime.
  9. Click OK to close the dialog box.
  10. Click Save at the top of the App Net Manager screen.
After the status of the VPN Connection in Compute Classic is UP or when the IPSec tunnel state changes to Available in Oracle Cloud Infrastructure, test the connection. Depending on how you've set up your IP network's security rules and VCN security lists, you should be able to launch an instance in your VCN and access it from an instance in the IP network. Or you should be able to connect from the VCN instance to an instance in the IP network. If you can, your connection is ready to use.
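In the shared-network setup the IPSec tunnel does not carry the instances' shared-network addresses at all: the Static Route CIDR on the Oracle Cloud Infrastructure side and the Subnets field of the VPN gateway are both 172.16.1.0/24, the subnet holding the local GRE tunnel addresses, while the Subnets field of the registered VPN device is the VCN CIDR. The script below is an added example, not Oracle code or part of this documentation; it derives each side's traffic selectors from those values, rejects a VCN CIDR that overlaps the GRE subnet, assigns each guest instance a unique GRE tunnel address, and tells you whether a given source and destination pair would be carried by the tunnel. The VCN CIDR, the instance names and the gateway's own tunnel address (.1) are constructed assumptions.

```python
"""Address-plan and traffic-selector check for the Corente shared-network to OCI tunnel.

Added example, not Oracle code. The GRE subnet 172.16.1.0/24 is the value the
procedure gives; the VCN CIDR, instance names and the gateway's own tunnel
address (.1, an assumption) are constructed placeholders.
"""
import ipaddress

# Entered as "Subnets" on the VPN gateway and as "Static Route CIDR" on the OCI IPSec connection.
GRE_TUNNEL_SUBNET = ipaddress.ip_network("172.16.1.0/24")


def build_selectors(vcn_cidr: str) -> dict:
    """Derive each side's (local, remote) IPSec traffic selectors.

    OCI: local = VCN CIDR, remote = static route 172.16.1.0/24 behind the CPE.
    Corente: local = GRE subnet, remote = VCN CIDR from the device's "Subnets" field.
    """
    vcn = ipaddress.ip_network(vcn_cidr, strict=True)
    if vcn.overlaps(GRE_TUNNEL_SUBNET):
        raise ValueError(f"VCN CIDR {vcn} overlaps the GRE tunnel subnet {GRE_TUNNEL_SUBNET}")
    return {"oci": (vcn, GRE_TUNNEL_SUBNET), "corente": (GRE_TUNNEL_SUBNET, vcn)}


def flow_carried(selectors: dict, src: str, dst: str) -> str:
    """Classify a src->dst flow as 'oci->cc', 'cc->oci' or 'not in tunnel'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    vcn, gre = selectors["oci"]
    if s in vcn and d in gre:
        return "oci->cc"
    if s in gre and d in vcn:
        return "cc->oci"
    # Typical miss: addressing a Compute Classic instance by its shared-network
    # address instead of its GRE tunnel address, which no selector covers.
    return "not in tunnel"


def plan_gre_addresses(instance_names, gateway_tunnel_ip: str = "172.16.1.1") -> dict:
    """Give each instance a unique GRE tunnel address from 172.16.1.0/24.

    gateway_tunnel_ip is an assumed address for the gateway's own end of the tunnels.
    """
    gateway = ipaddress.ip_address(gateway_tunnel_ip)
    if gateway not in GRE_TUNNEL_SUBNET:
        raise ValueError(f"{gateway} is outside {GRE_TUNNEL_SUBNET}")
    pool = (host for host in GRE_TUNNEL_SUBNET.hosts() if host != gateway)
    plan = {}
    for name in instance_names:
        try:
            plan[name] = next(pool)
        except StopIteration:
            raise ValueError(f"{GRE_TUNNEL_SUBNET} has no free address for {name}") from None
    return plan


if __name__ == "__main__":
    sel = build_selectors("10.0.0.0/16")          # constructed VCN CIDR
    plan = plan_gre_addresses(["app1", "app2"])   # constructed instance names
    print(plan)
    print(flow_carried(sel, "10.0.1.5", str(plan["app1"])))  # carried: oci->cc
    print(flow_carried(sel, "10.0.1.5", "203.0.113.77"))     # not in tunnel
```

When the connection shows Up but a VCN instance still cannot reach a Compute Classic instance, run the destination address through flow_carried first: if the target is the instance's shared-network address rather than its 172.16.1.x tunnel address, the packet never enters the tunnel and no security-list change on either side will help.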