Setting Up VPN

This topic does not apply to Oracle Cloud at Customer.


Note:

You must have the Compute_Operations role to access the pages under the VPN tab. If you don’t have this role, you won’t be able to view these pages.

About Setting Up VPN


You can set up VPN access to Compute Classic instances by creating a Corente Services Gateway instance and connecting it with a certified third-party VPN device in your data center.

Considerations for Setting Up a Single-Homed or Dual-Homed VPN Gateway

While setting up a VPN connection to your Compute Classic instances, consider whether the instances that you want to access will be on IP networks or on the shared network.

  • Using IP networks allows you to define IP subnets in your account and isolate or enable traffic between subnets. By adding instances to IP networks, you can control the IP address assigned to each instance and you can also assign static IP addresses to each instance. See About IP Networks.

    If you want to access instances that are added to IP networks, you can create a dual-homed VPN gateway, which has one interface on the shared network and one interface on an IP network. With this gateway, you can use VPN to access all instances that are on the same IP network as the gateway instance.

    The following figure shows a VPN connection between a third-party VPN device and a dual-homed cloud gateway. This gateway allows VPN access to instances on the same IP network.


    The figure shows a VPN connection with a dual-homed cloud gateway

    Note:

    You can also extend VPN access to instances on other IP networks. However, if you want access to a large number of instances, it is recommended that you avoid setting up numerous IP networks with a /32 subnet. Instead, use a smaller number of IP networks with larger subnets. If you create a very large number of IP networks, a large number of IPSec security associations are required, which could cause performance degradation on some third-party devices. See Workflow for Adding IP Networks to an Existing VPN Connection.

  • If you don’t need to set up IP networks and the instances that you want to access over VPN all have an interface on the shared network, then you can create a single-homed VPN gateway. After you’ve set up the VPN connection, you must configure a Generic Routing Encapsulation (GRE) tunnel from each instance to the gateway.

    The following figure shows a VPN connection between a third-party VPN device and a single-homed cloud gateway. This gateway allows VPN access to instances on the shared network with a GRE tunnel between each instance and the gateway.


    The figure shows a VPN connection with a single-homed cloud gateway

VPN Scenarios Not Supported by the Compute Classic Web Console

You can use the web console to set up a VPN connection between your Corente Services Gateway instance and the third-party device in your data center. However, you can’t use the web console to do the following:
  • Connect a Corente Services Gateway instance in the cloud with a Corente Services Gateway instance in your data center. To do this, see About Setting Up VPN Using Corente Services Gateway in Setting Up VPN from Corente Services Gateway On-Premises to the Shared Network or Solution Overview in Setting Up VPN from a Corente Services Gateway to an IP Network in Oracle Cloud.

  • Configure failover between two Corente Services Gateway instances to provide high availability. To do this, see Configuring Active-Active HA in Setting Up VPN from a Third-Party Gateway to an IP Network in Oracle Cloud.

  • If you want to add an IP network to an existing VPN connection, you can create the IP network and add it to an IP network exchange using the web console. However, you can’t complete the steps to update user groups for your Corente Services Gateway and add a route on the gateway to the subnet of the newly added IP network using the web console. To complete these steps, you must use App Net Manager. See Adding IP Networks to an Existing VPN Connection in Setting Up VPN from a Third-Party Gateway to an IP Network in Oracle Cloud.

Workflow for Setting Up VPN

  1. Configure a supported third-party VPN device at your data center. Device configuration varies depending on the type and model of your device. For supported configurations, see Third-Party VPN Device Configuration.

  2. Create a Corente Services Gateway instance in Compute Classic. See Creating a Cloud Gateway.

  3. Add information about your third-party VPN device. See Registering a Third-Party VPN Device.

  4. Create a connection between your Corente Services Gateway and your third-party device. See Connecting the Cloud Gateway with the Third-Party Device.

  5. If you created a single-homed VPN gateway instance, on each instance that you want to access, configure a GRE tunnel to the gateway. See Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud in Setting Up VPN From a Third-Party Gateway On-Premises to the Shared Network.

Third-Party VPN Device Configuration

You can set up a VPN connection to any certified third-party device that allows interoperability with Corente Services Gateway. Devices must be configured for policy-based VPN.

The following certified third-party VPN device configurations are listed with the devices certified for each.

  • Configuration: Encryption AES256; Hash SHA-256; DH phase 1 group 14; no Perfect Forward Secrecy (PFS), so no Diffie-Hellman (DH) phase 2 group
    Devices: Cisco 2921, Cisco ISR 4331, Checkpoint 3200, Palo Alto 3020, FortiGate-200D

  • Configuration: Encryption AES256; Hash SHA-256; DH phase 1 group 14; DH phase 2 group 14
    Devices: Cisco 2921, Cisco ISR 4331, Checkpoint 3200, Palo Alto 3020, FortiGate-200D

  • Configuration: Encryption AES128; Hash SHA-256; DH phase 1 group 14; no PFS
    Devices: Cisco 2921, Cisco ISR 4331, Checkpoint 3200, Palo Alto 3020, FortiGate-200D

  • Configuration: Encryption AES192; Hash SHA-1; DH phase 1 group 2; DH phase 2 group 2
    Devices: Cisco ASA5505

  • Configuration: Encryption AES256; Hash SHA-1; DH phase 1 group 5; no PFS
    Devices: Cisco ISR 4331, Checkpoint 3200, Palo Alto 3020, FortiGate-200D

Other devices may work if they are configured with the certified configurations. Consider the following information while configuring your third-party device for a VPN connection.

  • Configuration Information

    • The Corente Services Gateway uses IPSec and is behind a NAT, so network address translation traversal (NAT-T) is required. Ensure that the third-party device in your data center supports NAT-T. NAT-T requires UDP port 4500 to be open.

    • Devices must support and be configured for policy-based VPN.

    • Authentication: Pre-shared keys

    • Encryption: 3DES, AES-128, AES-192, AES-256

    • Hash: MD5, SHA-1, SHA-2

    • Policy Group: Diffie-Hellman groups supported are 2, 5, 14, 15, 16, 17, 18, 22, 23, 24

    • ISAKMP: IKEv1 only. If IKEv2 is enabled by default, turn it off.

    • Exchange type: Main Mode (The cloud gateway uses main mode in phase one negotiations)

    • IPSec protocol: ESP, tunnel-mode

    • PFS: Enabled

    • It is highly recommended that the third-party device be configured to be responder-only.

    • Ensure the IKE and IPSec timeouts on the Corente Services Gateway and the third-party device are the same.

    • For Phase 1, ensure that the IKE ID on the Corente Services Gateway and the third-party device match. 

  • HA Information

    • When HA is configured, Dead Peer Detection (DPD) must be enabled to detect when a tunnel is down.

    • When HA is configured, asymmetric routing across the tunnels that make up the VPN connection will occur. Ensure that your firewall is configured to support this. If not, traffic will not be routed reliably.

    • Switching tunnels might take 30–40 seconds.
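As an added pre-flight check (example code, not Oracle's or Corente's), the following script compares a proposed third-party device configuration against the certified configurations and the constraints listed above: IKEv1 main mode, pre-shared keys, policy-based VPN, NAT-T on UDP 4500, ESP tunnel mode, supported ciphers and DH groups, matching timeouts and IKE IDs, and DPD when HA is used. The proposal field names and the sample proposal are constructed for this example and are not device or console settings.

```python
# Field names in the proposal dict are assumptions made for this example, not
# device or console settings.  Certified configurations from the table above:
# (encryption, hash, IKE phase 1 DH group, IPSec phase 2 DH group or None = no PFS)
CERTIFIED = {
    ("AES256", "SHA-256", 14, None),
    ("AES256", "SHA-256", 14, 14),
    ("AES128", "SHA-256", 14, None),
    ("AES192", "SHA-1", 2, 2),
    ("AES256", "SHA-1", 5, None),
}
SUPPORTED_ENC = {"3DES", "AES128", "AES192", "AES256"}
SUPPORTED_HASH = {"MD5", "SHA-1", "SHA-256"}  # page says SHA-2; SHA-256 is the variant in the table
SUPPORTED_DH = {2, 5, 14, 15, 16, 17, 18, 22, 23, 24}


def check_proposal(p: dict) -> list:
    """Return findings for a device proposal; an empty list means it meets the requirements above."""
    findings = []
    if p.get("ike_version") != 1:
        findings.append("ISAKMP: IKEv1 only; turn off IKEv2 if it is enabled by default")
    if p.get("exchange") != "main":
        findings.append("Exchange type: Main Mode is required for phase 1")
    if p.get("auth") != "psk":
        findings.append("Authentication: pre-shared key required")
    if p.get("vpn_type") != "policy":
        findings.append("Device must be configured for policy-based VPN")
    if not p.get("nat_t") or 4500 not in p.get("open_udp_ports", ()):
        findings.append("NAT-T required (gateway is behind NAT): enable NAT-T and open UDP 4500")
    if (p.get("protocol"), p.get("mode")) != ("ESP", "tunnel"):
        findings.append("IPSec protocol: ESP in tunnel mode required")
    enc, hsh = p.get("encryption"), p.get("hash")
    if enc not in SUPPORTED_ENC:
        findings.append(f"Unsupported encryption: {enc}")
    if hsh not in SUPPORTED_HASH:
        findings.append(f"Unsupported hash: {hsh}")
    dh1, dh2 = p.get("dh_phase1"), p.get("dh_phase2")  # dh2 None means PFS is off
    for phase, group in (("phase 1", dh1), ("phase 2", dh2)):
        if group is not None and group not in SUPPORTED_DH:
            findings.append(f"Unsupported Diffie-Hellman {phase} group: {group}")
    if (enc, hsh, dh1, dh2) not in CERTIFIED:
        findings.append("Not a certified configuration: may work, but is untested")
    if (p.get("ike_lifetime"), p.get("ipsec_lifetime")) != (
            p.get("gateway_ike_lifetime"), p.get("gateway_ipsec_lifetime")):
        findings.append("IKE and IPSec timeouts must be the same on the gateway and the device")
    if p.get("peer_ike_id") != p.get("gateway_ike_id"):
        findings.append("Phase 1 IKE ID on the device must match the gateway's IKE ID")
    if not p.get("responder_only"):
        findings.append("Recommended: configure the device as responder-only")
    if p.get("ha") and not p.get("dpd"):
        findings.append("HA: Dead Peer Detection must be enabled to detect a down tunnel")
    return findings


# Constructed sample proposal (not from a real device) that meets every requirement above.
GOOD_PROPOSAL = {
    "ike_version": 1, "exchange": "main", "auth": "psk", "vpn_type": "policy",
    "nat_t": True, "open_udp_ports": (500, 4500), "protocol": "ESP", "mode": "tunnel",
    "encryption": "AES256", "hash": "SHA-256", "dh_phase1": 14, "dh_phase2": 14,
    "ike_lifetime": 28800, "gateway_ike_lifetime": 28800, "ipsec_lifetime": 3600, "gateway_ipsec_lifetime": 3600,
    "peer_ike_id": "@IKEID-for-VPN1", "gateway_ike_id": "@IKEID-for-VPN1",
    "responder_only": True, "ha": False, "dpd": True,
}
```

Run `check_proposal(dict(GOOD_PROPOSAL, ike_version=2, dh_phase1=5))` to see how a device left on its IKEv2 default with an uncertified DH group is reported.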

Creating a Cloud Gateway


If you want to establish a VPN connection to your Compute Classic instances, start by creating a Corente Services Gateway instance.

Prerequisites

  • You must have already reserved the public IP address that you want to use with your gateway instance. See Reserving a Public IP Address.
  • If you want to add your VPN gateway instance to an IP network, you must create the IP network first. See Creating an IP Network.
  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
  4. Click Create VPN Gateway.
  5. Select or enter the required information:
    • Name: Enter a name for the Corente Services Gateway instance.
    • IP Reservation: Select the IP reservation that you want to use with this instance. This is the public IP address of your VPN gateway.
    • Image: Select the machine image that you want to use to create the instance. You must select the most recent Corente Gateway image.
    • Interface Type: Select Dual-homed if you want to use this VPN gateway to connect to instances on an IP network. If you haven’t set up IP networks or if you want to use this gateway to connect to instances on the shared network only, then select Single-homed.

      If you select Single-homed, you must configure GRE tunnels between the Corente Services Gateway instance and each Compute Classic instance that you want to access using VPN. See Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud in Setting Up VPN From a Third-Party Gateway On-Premises to the Shared Network.

      If you select Dual-homed, all instances that are on the same IP network as the Corente Services Gateway instance can be accessed using VPN.

    • IP Network: This field is displayed when you select the Dual-homed interface type. Select the IP network that you want to add the Corente Services Gateway instance to.
    • IP Network Address: This field is displayed when you select the Dual-homed interface type. Select the IP address for your gateway instance. The IP address you specify must belong to the subnet of the specified IP network. An available IP address is allocated by default. You can specify a different LAN IP address, if required.
    • Subnets: Enter a comma-separated list of subnets (in CIDR format) that should be reachable using this gateway. If you selected the Dual-homed interface type, you can enter the subnets of your IP networks. Ensure that all the IP networks you specify here belong to the same IP network exchange. The subnet of the IP network specified in the IP Network field is added by default. Don’t modify or delete this subnet in this field.
    • Add reachable IP networks: (Optional) This field is displayed when you select the Dual-homed interface type. You can select additional IP networks that should be reachable using this gateway. Ensure that the IP networks that you specify here, and the IP network that the Corente Services Gateway is added to, all belong to the same IP network exchange. See Adding an IP Network to an IP Network Exchange.

      You must also add a route on the gateway to the subnet of each additional IP network. You can’t do this using the web console. Use App Net Manager to add this route. See Adding IP Networks to an Existing VPN Connection in Setting Up VPN from a Third-Party Gateway to an IP Network in Oracle Cloud.

      Note:

      You must also add the subnets that you specify here to the list of destination IP addresses that you specify in your third-party device.

  6. Click Create.

A Corente Services Gateway instance is created. The required orchestrations are created and started automatically. For example, if you specified the name of the Corente Gateway instance as CSG1, then the following orchestrations are created:

  • vpn-CSG1-launchplan: This orchestration creates the instance using the specified image, and associates the instance interfaces with the shared network and, for a dual-homed gateway, with the specified IP network.

  • vpn-CSG1-bootvol: This orchestration creates the persistent bootable storage volume.

  • vpn-CSG1-secrules: This orchestration creates the required security list, security applications, and security rules.

  • vpn-CSG1-master: This orchestration specifies relationships between each of the nested orchestrations and starts each orchestration in the appropriate sequence.

While the Corente Services Gateway instance is being created, the instance status displayed in the Instance column on the VPN Gateways page is Starting. When the instance is created, its status changes to Ready.

To use this gateway in a VPN connection, add a third-party device and then create a connection. See Registering a Third-Party VPN Device and Connecting the Cloud Gateway with the Third-Party Device.

You can also update the gateway instance to modify the reachable routes, or delete the gateway instance if you no longer require this gateway. See Modifying the Reachable Subnets for a VPN Gateway or Deleting a VPN Gateway.

Note:

You can list the gateway instance and view details on the Instances page, or view the corresponding orchestrations on the Orchestrations page. However, it is recommended that you always use the VPN Gateways page to manage your gateway instances.

Registering a Third-Party VPN Device


To establish a VPN connection to your Compute Classic instances, after creating a Corente Services Gateway instance, register a VPN device to provide information about the third-party VPN gateway used in your data center.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
  4. Click Create VPN Device.
  5. Select or enter the required information:
    • Name: Enter a name for the third-party VPN device.
    • Type: Select a supported third-party VPN device from the list.
    • Model: Enter the model of your third-party VPN device.
    • WAN IP Address: Enter the IP address of the WAN interface of your third-party VPN device.
    • Visible IP Address: Enter the public IP address of your third-party VPN device that the Corente Services Gateway should connect to. If you use network address translation (NAT), then this IP address would be different from the WAN IP address. Otherwise, the visible IP address would be the same as the WAN IP Address.
    • Subnets: Enter (in CIDR format) a comma-separated list of subnets in your data center that should be reachable using this third-party device.
    • PFS: This option is selected by default. If your third-party device supports Perfect Forward Secrecy (PFS), retain this setting to require PFS.
    • DPD: This option is selected by default. If your third-party device supports Dead Peer Detection (DPD), retain this setting to require DPD.
  6. Click Create.
    A record of your third-party VPN device is created. Next, to use this VPN device to establish a VPN connection between your data center and your Compute Classic instances, create a VPN connection. See Connecting the Cloud Gateway with the Third-Party Device.

Connecting the Cloud Gateway with the Third-Party Device


After you’ve created a Corente Services Gateway instance and added a third-party device, to establish a VPN connection between your data center and your Compute Classic instances you must connect the cloud gateway with the third-party VPN device.

Prerequisites

  • You must have already created the cloud gateway that you want to use. See Creating a Cloud Gateway.

  • You must have already configured your third-party VPN device in your data center. See Third-Party VPN Device Configuration.

  • You must have already added the third-party VPN device that you want to connect to in your data center. See Registering a Third-Party VPN Device.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.
  4. Click Create VPN Connection.
  5. Select or enter the required information:
    • Gateway: Select the Corente Services Gateway that you want to use. Each Corente Services Gateway can be used in multiple connections. However, each connection must reach distinct destination subnets.
    • Device: Select the third-party device that you want to use. Each device can be used in multiple connections. However, each connection must reach distinct destination subnets.
    • IKE ID: The Internet Key Exchange (IKE) ID. Only IKE v1 in Main Mode is supported. The IKE ID can be the name or IP address used to identify the Corente Services Gateway on the third-party device. Alternatively, you can specify a string that you want to use as the IKE ID.

      Select one of the following:

      Note:

      The third-party device that you use might not support all of the following options for IKE ID. Select the appropriate option for your device.

      • Gateway Name: The name of the Corente Services Gateway instance in the format Corente_Domain_name.Corente_Services_Gateway_instance_name. The name is auto-populated when you select this option.

      • Gateway IP Address: The private IP address (on the shared network) of the instance hosting the Corente Services Gateway. The IP address is auto-populated when you select this option. Note, however, that this address will change each time the instance is re-created.

      • User-Defined IKE ID: Enter text that you want to use as the IKE ID. You can specify either an alternative IP address, or any text string. If you specify a text string, you must prefix the string with @. For example, if you want to specify the text IKEID-for-VPN1, enter @IKEID-for-VPN1. If you specify an IP address, don’t prefix it with @. The IKE ID is case sensitive and can contain a maximum of 255 ASCII alphanumeric characters including special characters, period (.), hyphen (-), and underscore (_). The IKE ID can’t contain embedded space characters.

        Note:

        If you specify the IKE ID, ensure that you specify the Peer ID type as Domain Name on the third-party device in your data center. Other Peer ID types, such as email address, firewall identifier or key identifier, aren’t supported.

    • Shared Secret: The shared secret, also called the pre-shared key (PSK) on some devices, is used while setting up the VPN connection to establish the authenticity of the Corente Services Gateway that is requesting the VPN connection. You must enter the same shared secret here and on your third-party device. The shared secret must contain only alphanumeric characters.

The VPN connection is created.

If this connection uses a dual-homed VPN gateway, then an IP route is created automatically. The destination address of this route is the subnet address of the local side of the third-party device that will participate in the VPN connection. This route uses the vNIC of the Corente Services Gateway instance as the next hop vNICset, to route traffic from the IP network to the on-premises VPN device. This allows devices in the on-premises subnet to communicate with devices in the IP network over VPN.

An orchestration is created automatically to manage this vNICset and IP route, and you can view this orchestration on the Orchestrations page of the web console. The name of the orchestration indicates the name of the Corente Services Gateway instance as well as the name of the third-party device used in the connection. For example, if you create a VPN connection between a Corente Services Gateway CSG1 and a third-party device TPD1, the name of the route and the corresponding orchestration would be vpn-CSG1-to-TPD1.
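The following added example (not Oracle's or Corente's code) checks, before anything is entered in the console, the IKE ID and shared-secret rules from the Create VPN Connection step above, and the rule that connections sharing a gateway or device must reach distinct destination subnets. Two details are assumptions: that the allowed characters in a text IKE ID are ASCII letters, digits, period, hyphen and underscore, and that the @ prefix counts toward the 255-character limit.

```python
import ipaddress
import re

IKE_ID_MAX_LEN = 255
# Assumed allowed character set for a text IKE ID: ASCII letters, digits, '.', '-', '_'.
# The '@' prefix is counted toward the 255-character limit here (an assumption).
IKE_ID_CHARS = re.compile(r"^[A-Za-z0-9._-]+$")
SHARED_SECRET_CHARS = re.compile(r"^[A-Za-z0-9]+$")


def validate_ike_id(value: str):
    """Return None when value is an acceptable user-defined IKE ID, else the reason it is rejected."""
    if not value:
        return "IKE ID is empty"
    if " " in value:
        return "IKE ID must not contain space characters"
    if not value.isascii():
        return "IKE ID must contain only ASCII characters"
    if len(value) > IKE_ID_MAX_LEN:
        return f"IKE ID exceeds {IKE_ID_MAX_LEN} characters"
    if value.startswith("@"):                 # text string form, e.g. @IKEID-for-VPN1
        if not IKE_ID_CHARS.match(value[1:]):
            return "text IKE ID may use only letters, digits, '.', '-' and '_' after the @"
        return None
    try:                                      # no @ prefix: must be an IP address
        ipaddress.ip_address(value)
    except ValueError:
        return "an IKE ID without the @ prefix must be an IP address; prefix text IDs with @"
    return None


def validate_shared_secret(secret: str):
    """Return None for an acceptable shared secret (PSK), else the reason it is rejected."""
    if not SHARED_SECRET_CHARS.match(secret):
        return "shared secret must contain only alphanumeric characters"
    return None


def parse_subnets(field: str) -> list:
    """Parse the comma-separated CIDR list entered in a Subnets field."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in field.split(",") if s.strip()]


def overlapping_destinations(connections: dict) -> list:
    """Given {connection_name: subnets_field}, list pairs whose destination subnets overlap.

    Connections that share a gateway or device must reach distinct destination subnets,
    so any pair returned here is a misconfiguration."""
    parsed = {name: parse_subnets(field) for name, field in connections.items()}
    names = sorted(parsed)
    clashes = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for net_a in parsed[a]:
                for net_b in parsed[b]:
                    if net_a.overlaps(net_b):
                        clashes.append((a, b, str(net_a), str(net_b)))
    return clashes
```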