Managing VPN

This topic does not apply to Oracle Cloud at Customer.

Listing VPN Gateways

This topic does not apply to Oracle Cloud at Customer.

After you’ve created one or more VPN gateways, you can see information about all your VPN gateways by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
The VPN Gateways page displays a list of all your Corente Services Gateways, along with information about each gateway such as the interface type and status of the gateway.

Note:

This page also displays Corente Services Gateways deployed on hosts outside of Compute Classic.

Each gateway can have any of the following statuses:

  • Active: The Corente Services Gateway instance is running.
  • Inactive: The Corente Services Gateway instance has been shut down or is being restarted.
    Action: If the instance is restarting, wait for it to return to the running state. If the instance has been shut down, start it to return to the Active state.
  • Download: The configuration file for the Corente Services Gateway is available to download, but hasn’t been downloaded to the gateway instance.
    Action: Check that the required security rules or ACLs are in place and enabled, to allow the gateway instance to download the configuration file.
  • Downloaded: The configuration file for the Corente Services Gateway has been downloaded but not activated. This status usually indicates that the Corente Services Gateway is not yet installed or started.
    Action: Check that the gateway instance is running or restart the instance if required. Check that the required security rules or ACLs are in place and enabled.
  • Upgrade: A software upgrade is available for the Corente Services Gateway.
    Action: Schedule a maintenance time for the Corente Services Gateway in App Net Manager. The upgrade will occur automatically during the scheduled maintenance time. See the App Net Manager online help for more information.
  • Disconnected: The Corente Services Gateway has lost connectivity, without being powered off safely.
    Action: Check your network configuration to see if outbound connectivity has been blocked by firewall rules.
  • Denied: The Corente Services Gateway connection has been denied.
    Action: Contact Oracle Support.
  • New: A new Corente Services Gateway instance has been created using App Net Manager, but the configuration of this new gateway instance hasn’t been completed.
    Action: Complete and save the configuration of the new gateway using App Net Manager. The new configuration will then be downloaded.
  • Unknown: The Corente Services Gateway is in an unknown state.
    Action: Check the status again after some time, or contact Oracle Support.

Modifying the Reachable Subnets for a VPN Gateway

This topic does not apply to Oracle Cloud at Customer.

You must specify the list of reachable subnets while creating a VPN gateway. If required, you can modify this list of subnets at any time after creating a VPN gateway.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
  4. Go to the VPN gateway for which you want to modify the set of subnets. Click the menu icon, and then select Update.
  5. Modify the list of subnets as required, and then click Update. If you selected the dual-homed interface type, you can also modify the list of IP networks that should be reachable using this gateway.

    Note:

    You can’t modify or delete the subnet of the IP network to which your gateway belongs.

    The list of subnets or IP networks reachable by the VPN gateway is updated. If you added IP networks, ensure that the IP networks that you specify here, and the IP network that the Corente Services Gateway is added to, all belong to the same IP network exchange. See Adding an IP Network to an IP Network Exchange.

    You must also add a route on the gateway to the subnet of each additional IP network. You can’t do this using the web console. Use App Net Manager to add this route. See Adding IP Networks to an Existing VPN Connection in Setting Up VPN from a Third-Party Gateway to an IP Network in Oracle Cloud.

    Note:

    You must also add the subnets that you specify here to the list of destination IP addresses that you specify in your third-party device.

Workflow for Adding IP Networks to an Existing VPN Connection

This topic does not apply to Oracle Cloud at Customer.

When you set up a VPN connection using a dual-homed Corente Services Gateway, all instances that have an interface on the same IP network as the gateway instance are reachable over the VPN connection. You can expand the network of reachable instances by creating other IP networks and adding all the IP networks to an IP network exchange.

Prerequisites

  • You’ve configured a supported third-party device at your data center.

  • You’ve created an IP network in your Compute Classic account.

  • You’ve created a dual-homed Corente Services Gateway instance in Compute Classic.

  • You’ve registered your third-party device.

  • You’ve created a connection between the registered third-party VPN device in your data center and the dual-homed Corente Services Gateway in Compute Classic.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

Here’s an overview of the process for adding IP networks to an existing VPN connection.

  1. Create another IP network, if you haven’t created it yet. See Creating an IP Network.

  2. Create an IP network exchange, if you haven’t created it yet. See Creating an IP Network Exchange.

  3. Update both IP networks to add them to the IP network exchange. See Updating an IP Network.

  4. In App Net Manager, update user groups for your Corente Services Gateway to add the new IP network. See Adding IP Networks to an Existing VPN Connection in Setting Up VPN from a Third-Party Gateway to an IP Network in Oracle Cloud.

  5. In App Net Manager, add a route to the subnet of the new IP network. See Adding IP Networks to an Existing VPN Connection in Setting Up VPN from a Third-Party Gateway to an IP Network in Oracle Cloud.

Note:

You must also add the subnets that you specify here to the list of destination IP addresses that you specify in your third-party device.
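
The consistency rules stated in this workflow and in Modifying the Reachable Subnets for a VPN Gateway (a route on the gateway for each additional IP network, and a matching destination entry on the third-party device) can be checked offline before a change window. The following is an added example, not Oracle code: the function name, the finding labels and all addresses are constructed for illustration, and the lists are assumed to be copied by hand from the web console, App Net Manager and the third-party device. The stale and too-broad destination checks go beyond what this page requires.

```python
import ipaddress

def _nets(cidrs):
    # Strict parsing rejects entries with host bits set, e.g. a typo like 192.168.20.1/24.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def _within(net, candidates):
    """True if net equals, or is contained in, any candidate of the same IP version."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)

def audit_reachable_subnets(gateway_network, reachable, gateway_routes, device_destinations):
    """Return a list of (finding, subnet) tuples; an empty list means the lists agree."""
    gw = ipaddress.ip_network(gateway_network, strict=True)
    reach, routes, dests = _nets(reachable), _nets(gateway_routes), _nets(device_destinations)
    findings = []

    # The subnet of the gateway's own IP network can't be modified or deleted.
    if gw not in reach:
        findings.append(("gateway-network-missing", str(gw)))

    for net in reach:
        # Each additional IP network needs a route on the gateway (added in App Net Manager).
        if net != gw and not _within(net, routes):
            findings.append(("missing-route", str(net)))
        # Each reachable subnet must also be a destination on the third-party device.
        if not _within(net, dests):
            findings.append(("missing-device-destination", str(net)))

    # Extra hygiene checks (assumption, not from the page): destinations left on the
    # device that no longer match, or are wider than, what the gateway exposes.
    for dest in dests:
        if not any(dest.version == n.version and dest.overlaps(n) for n in reach):
            findings.append(("stale-device-destination", str(dest)))
        elif not _within(dest, reach):
            findings.append(("device-destination-too-broad", str(dest)))
    return findings

# Constructed sample: 192.168.30.0/24 was added in the web console, but the route and
# the device entry were forgotten, and an old 172.16.5.0/24 entry remains on the device.
SAMPLE = {
    "gateway_network": "192.168.10.0/24",
    "reachable": ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"],
    "gateway_routes": ["192.168.20.0/24"],
    "device_destinations": ["192.168.10.0/24", "192.168.20.0/24", "172.16.5.0/24"],
}

if __name__ == "__main__":
    for finding, subnet in audit_reachable_subnets(**SAMPLE):
        print(f"{finding}: {subnet}")
```
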

Deleting a VPN Gateway

This topic does not apply to Oracle Cloud at Customer.

If you no longer require a VPN connection, you can stop the connection and delete the VPN gateway instance. Each VPN gateway instance is managed by a master orchestration that can be used to start or stop several nested orchestrations. To delete a VPN gateway instance, go to the VPN Gateways page in the web console and stop the master orchestration.

Prerequisites

  • If you want to delete a dual-homed VPN gateway instance, the VPN gateway must not be connected to any device. If the gateway is used in a VPN connection, stop the connection first. See Stopping, Restarting, and Deleting a VPN Connection.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
  4. Go to the Corente Services Gateway instance that you want to delete.
    • If you want to delete only the gateway instance, click the menu icon, and then select Stop. The orchestration that controls the gateway instance is stopped. This deletes the Corente Services Gateway instance.
    • If you want to delete the gateway instance as well as other associated resources, click the menu icon, and then select Stop All. The master orchestration that controls the gateway instance and its associated resources is stopped. This deletes the gateway instance as well as resources created by the nested orchestrations, such as the bootable storage volume and networking objects.

    Note:

    Resources created outside the master orchestration, such as the public IP address reservation or IP networks, aren’t deleted when you stop the master orchestration for the gateway instance. If you no longer need those resources, remember to delete them after you’ve stopped the master orchestration.

    After you’ve deleted a gateway instance, it continues to be listed on the VPN Gateways page, with the status Stopped. At any time, you can restart the master orchestration to re-create the cloud gateway instance and its associated resources.

  5. If you want to delete the orchestrations associated with your gateway instance, go to the gateway instance, click the menu icon, and then select Delete.
    The master orchestration and the associated orchestrations for the instance, storage volumes, and security rules are deleted. The VPN gateway is no longer listed on the VPN Gateways page.

Listing Third-Party VPN Devices

This topic does not apply to Oracle Cloud at Customer.

After you’ve added third-party devices, you can see information about all your third-party devices by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
The Customer Devices page displays a list of all the third-party devices that you’ve added, along with information about each device such as its model and type and its IP address.

Updating a Third-Party Device

This topic does not apply to Oracle Cloud at Customer.

After you’ve added a third-party device, if required, you can modify the information associated with the device by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
  4. Go to the device that you want to update. Click the menu icon, and then select Update.
  5. In the Update VPN Device dialog box, modify the information as required. Note that you can’t change the device name or type. If you need to modify that information, add a new device. You can modify the following device information:
    • Model: The model of your third-party VPN device.
    • WAN IP Address: The IP address of the WAN interface of your third-party VPN device.
    • Visible IP Address: The public IP address of your third-party VPN device that the Corente Services Gateway should connect to. If you use network address translation (NAT), then this IP address would be different from the WAN IP address. Otherwise, the visible IP address would be the same as the WAN IP Address.
    • Subnets: A list of IP addresses or subnets in your data center that should be reachable by this third-party device.
    • PFS: Perfect Forward Secrecy.
    • DPD: Dead Peer Detection.
  6. Click Update. The device information is updated.

Deleting a Third-Party Device

This topic does not apply to Oracle Cloud at Customer.

After you’ve added a third-party device, if you no longer want to use the device in a VPN connection, you can delete the device information by using the web console.

Prerequisites

  • The device that you want to delete must not be used in a connection with a dual-homed VPN gateway. If the device is used in a VPN connection with a dual-homed VPN gateway, stop the connection first. See Stopping, Restarting, and Deleting a VPN Connection.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
  4. Go to the device that you want to delete. Click the menu icon, and then select Delete.
    The information about the selected device is deleted and the device is no longer displayed on the Customer Devices page.

Listing VPN Connections

This topic does not apply to Oracle Cloud at Customer.

After you’ve created a connection between your VPN gateway and your third-party device, you can see a list of connections by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.

When a dual-homed gateway is used in a connection — that is, the gateway instance has one virtual network interface on an IP network and one interface on the shared network — then an IP route is created with the subnet of the third-party device as the destination. This IP route uses the vNIC of the cloud gateway as the next hop vNICset, to route traffic from the IP network to the third-party VPN device. An orchestration is created to manage the required vNICset and IP route and the IP Route column displays the status of the route. When a single-homed gateway is used, this column is blank.

The Connections page also shows the status of each of your VPN connections. If a VPN connection has any status other than Up, check the status again after some time. If the status doesn’t change to Up, then contact Oracle Support.

Updating a VPN Connection

This topic does not apply to Oracle Cloud at Customer.

After you’ve created a connection between a VPN gateway and a third-party device, if required, you can modify the IKE ID or the shared secret by updating the VPN connection.

The IKE ID and shared secret that you enter here must match the corresponding entries on the third-party device used in this connection. If you make any changes to these fields, ensure that the corresponding changes are made on the connected third-party device.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.
  4. Go to the connection that you want to modify. Click the menu icon, and then select Update.
  5. Update the IKE ID or modify the shared secret as required, and then click Update.
    The IKE ID or shared secret is updated.

    Note:

    The IKE ID and shared secret are used to identify and authenticate the Corente Services Gateway on the third-party device. If you modify these fields, ensure that the information you enter here matches the corresponding entries on the third-party device used in this connection.

Stopping, Restarting, and Deleting a VPN Connection

This topic does not apply to Oracle Cloud at Customer.

After you’ve created a connection between a VPN gateway and a third-party device, if you no longer want to use this VPN connection, you can stop the connection. You can then restart the VPN connection later, or delete it.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.
  4. If your VPN connection uses a dual-homed Corente Services Gateway, then you can stop and restart the connection by stopping and starting the orchestration that controls the vNICset and route.
    • To stop a connection that uses a dual-homed Corente Services Gateway instance, you can delete the route between the IP network and the destination subnet. This effectively prevents traffic from the IP network from accessing the VPN connection. To stop the route orchestration, go to the connection that you want to stop. Click the menu icon, and then select Stop. The route orchestration is stopped.
    • To restart a VPN connection that uses a dual-homed Corente Services Gateway instance, you can restart the route orchestration. Go to the connection that you want to restart. Click the menu icon, and then select Start. The route orchestration is started, and traffic from the IP network can once again access the VPN connection.
  5. To delete a VPN connection, go to the connection that you want to delete. Click the menu icon, and then select Delete.
    This ends the partnership between the specified VPN gateway and the third-party device and deletes the route orchestration. The VPN connection is no longer listed on the Connections page.

After stopping or deleting a VPN connection, you can also delete the gateway instance or delete the information about the third-party device used in this connection. See Deleting a VPN Gateway or Deleting a Third-Party Device.