8 Managing VPN

Listing VPN Gateways

After you’ve created one or more VPN gateways, you can see information about all your VPN gateways by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
The VPN Gateways page displays a list of all your Corente Services Gateways, along with information about each gateway such as the interface type and status of the gateway.

Note:

This page also displays Corente Services Gateways deployed on hosts outside of Compute Classic.

Each gateway can have any of the following statuses:

Status and Description

Active

The Corente Services Gateway instance is running.

Inactive

The Corente Services Gateway instance has been shut down or is being restarted.

Action: If the instance is restarting, wait for it to return to the running state. If the instance has been shut down, start it to return to the Active state.

Download

The configuration file for the Corente Services Gateway is available to download, but hasn’t been downloaded to the gateway instance.

Action: Check that the required security rules or ACLs are in place and enabled, to allow the gateway instance to download the configuration file.

Downloaded

The configuration file for the Corente Services Gateway has been downloaded but not activated. This status usually indicates that the Corente Services Gateway is not yet installed or started.

Action: Check that the gateway instance is running or restart the instance if required. Check that the required security rules or ACLs are in place and enabled.

Upgrade

A software upgrade is available for the Corente Services Gateway.

Action: Schedule a maintenance time for the Corente Services Gateway in App Net Manager. The upgrade will occur automatically during the scheduled maintenance time. See the App Net Manager online help for more information.

Disconnected

The Corente Services Gateway has lost connectivity, without being powered off safely.

Action: Check your network configuration to see if outbound connectivity has been blocked by firewall rules.

Denied

The Corente Services Gateway connection has been denied.

Action: Contact Oracle Support.

New

A new Corente Services Gateway instance has been created using App Net Manager, but the configuration of this new gateway instance hasn’t been completed.

Action: Complete and save the configuration of the new gateway using App Net Manager. The new configuration will then be downloaded.

Unknown

The Corente Services Gateway is in an unknown state.

Action: Check the status again after some time, or contact Oracle Support.

Modifying the Reachable Subnets for a VPN Gateway

You must specify the list of reachable subnets while creating a VPN gateway. If required, you can modify this list of subnets at any time after creating a VPN gateway.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
  4. Go to the VPN gateway for which you want to modify the set of subnets. From the menu icon, select Update.
  5. Modify the list of reachable subnets or IP networks as required, and then click Update.

    Note:

    You can’t modify or delete the subnet of the IP network to which your gateway belongs.

    The list of subnets or IP networks reachable by the VPN gateway is updated. If you added IP networks, ensure that the IP networks that you specify here, and the IP network that the Corente Services Gateway is added to, all belong to the same IP network exchange. See Adding an IP Network to an IP Network Exchange in Using Oracle Cloud Infrastructure Compute Classic.

    You must also add a route on the gateway to the subnet of each additional IP network. You can’t do this using the web console. Use App Net Manager to add this route.
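
A pre-change check for the rules in this section, as an added example that is not Oracle's code: it reviews a proposed reachable-subnet list offline before you click Update. The function name, the sample subnets, and the rule rejecting a catch-all /0 entry are assumptions made here.

```python
import ipaddress

def review_subnet_change(gateway_subnet, current, proposed):
    """Review a proposed reachable-subnet list before clicking Update.

    Returns (errors, needs_route, removed) as lists of strings.
    """
    gw = ipaddress.ip_network(gateway_subnet)
    errors, new = [], []
    for entry in proposed:
        try:
            # strict=True rejects entries with host bits set, e.g. 10.0.1.5/24
            new.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"invalid entry {entry!r}: {exc}")
    cur = [ipaddress.ip_network(e) for e in current]

    # The subnet of the gateway's own IP network can't be modified or deleted.
    if gw not in new:
        errors.append(f"gateway subnet {gw} missing from proposed list")

    for i, a in enumerate(new):
        # Assumption (local policy, not an Oracle rule): never route everything.
        if a.prefixlen == 0:
            errors.append(f"{a} makes every address reachable over the VPN")
        # Sanity check added here: overlapping or duplicate entries.
        for b in new[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                errors.append(f"{a} overlaps {b}")

    # Each added IP network also needs a route on the gateway (App Net Manager).
    needs_route = [str(n) for n in new if n not in cur and n != gw]
    removed = [str(n) for n in cur if n not in new]
    return errors, needs_route, removed

# Constructed sample values, not taken from any real deployment.
GATEWAY_SUBNET = "192.168.10.0/24"
CURRENT = ["192.168.10.0/24", "192.168.20.0/24"]
PROPOSED = ["192.168.10.0/24", "192.168.30.0/24", "192.168.30.128/25", "10.0.1.5/24"]

if __name__ == "__main__":
    errors, needs_route, removed = review_subnet_change(GATEWAY_SUBNET, CURRENT, PROPOSED)
    for e in errors:
        print("ERROR:", e)
    print("add route in App Net Manager for:", needs_route)
    print("no longer reachable:", removed)
```

Entries reported under needs_route are the ones that still require a route on the gateway after the console update succeeds.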

Deleting a VPN Gateway

If you no longer require a VPN connection, you can stop the connection and delete the VPN gateway instance. Each VPN gateway instance is managed by a master orchestration that can be used to start or stop several nested orchestrations. To delete a VPN gateway instance, go to the VPN Gateways page in the web console and stop the master orchestration.

Prerequisites

  • The VPN gateway that you want to delete must not be connected to any device. If the gateway is used in a VPN connection, stop the connection first. See Stopping, Restarting, and Deleting a VPN Connection.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click VPN Gateways.
  4. Go to the Corente Services Gateway instance that you want to delete.
    • If you want to delete only the gateway instance, from the menu icon, select Stop. The orchestration that controls the gateway instance is stopped. This deletes the Corente Services Gateway instance.
    • If you want to delete the gateway instance as well as other associated resources, from the menu icon, select Stop All. The master orchestration that controls the gateway instance and its associated resources is stopped. This deletes the gateway instance as well as resources created by the nested orchestrations, such as the bootable storage volume and networking objects.

    Note:

    Resources created outside the master orchestration, such as the public IP address reservation or IP networks, aren’t deleted when you stop the master orchestration for the gateway instance. If you no longer need those resources, remember to delete them after you’ve stopped the master orchestration.

    After you’ve deleted a gateway instance, it continues to be listed on the VPN Gateways page, with the status Stopped. At any time, you can restart the master orchestration to re-create the cloud gateway instance and its associated resources.

  5. If you want to delete the orchestrations associated with your gateway instance, go to the gateway instance and from the menu icon, select Delete.
    The master orchestration and the associated orchestrations for the instance, storage volumes, and security rules are deleted. The VPN gateway is no longer listed on the VPN Gateways page.

Listing Third-Party VPN Devices

After you’ve added third-party devices, you can see information about all your third-party devices by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
The Customer Devices page displays a list of all the third-party devices that you’ve added, along with information about each device such as its model and type and its IP address.

Updating a Third-Party Device

After you’ve added a third-party device, if required, you can modify the information associated with the device by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
  4. Go to the device that you want to update. From the menu icon, select Update.
  5. In the Update VPN Device dialog box, modify the information as required. Note that you can’t change the device name or type. If you need to modify that information, add a new device. You can modify the following device information:
    • Model: The model of your third-party VPN device.
    • WAN IP Address: The IP address of the WAN interface of your third-party VPN device.
    • Visible IP Address: The public IP address of your third-party VPN device that the Corente Services Gateway should connect to. If you use network address translation (NAT), then this IP address would be different from the WAN IP address. Otherwise, the visible IP address would be the same as the WAN IP Address.
    • Subnets: A list of IP addresses or subnets in your data center that should be reachable by this third-party device.
    • PFS: Perfect Forward Secrecy.
    • DPD: Dead Peer Detection.
  6. Click Update. The device information is updated.

Deleting a Third-Party Device

After you’ve added a third-party device, if you no longer want to use the device in a VPN connection, you can delete the device information by using the web console.

Prerequisites

  • The device that you want to delete must not be used in a VPN connection. If the device is used in a VPN connection, stop the connection first. See Stopping, Restarting, and Deleting a VPN Connection.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Customer Devices.
  4. Go to the device that you want to delete. From the menu icon, select Delete.
    The information about the selected device is deleted and the device is no longer displayed on the Customer Devices page.

Listing VPN Connections

After you’ve created a connection between your VPN gateway and your third-party device, you can see a list of connections by using the web console.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.

When a dual-homed gateway is used in a connection, then an IP route is created with the subnet of the third-party device as the destination. This IP route uses the vNIC of the cloud gateway as the next hop vNICset, to route traffic from the IP network to the third-party VPN device. An orchestration is created to manage the required vNICset and IP route and the IP Route column displays the status of the route.

The Connections page also shows the status of each of your VPN connections. If a VPN connection has any status other than Up, check the status again after some time. If the status doesn’t change to Up, then contact Oracle Support.

Updating a VPN Connection

After you’ve created a connection between a VPN gateway and a third-party device, if required, you can modify the IKE ID or the shared secret by updating the VPN connection.

The IKE ID and shared secret that you enter here must match the corresponding entries on the third-party device used in this connection. If you make any changes to these fields, ensure that the corresponding changes are made on the connected third-party device.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.
  4. Go to the connection that you want to modify. From the menu icon, select Update.
  5. Update the IKE ID or modify the shared secret as required, and then click Update.
    The IKE ID or shared secret is updated.

    Note:

    The IKE ID and shared secret are used to identify and authenticate the Corente Services Gateway on the third-party device. If you modify these fields, ensure that the information you enter here matches the corresponding entries on the third-party device used in this connection.

Stopping, Restarting, and Deleting a VPN Connection

After you’ve created a connection between a VPN gateway and a third-party device, if you no longer want to use this VPN connection, you can stop the connection. You can then restart the VPN connection later, or delete it.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud Infrastructure Classic Console. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand VPN, expand Corente, and then click Connections.
  4. You can stop and restart a connection by stopping and starting the orchestration that controls the vNICset and route.
    • To stop a connection, delete the route between the IP network and the destination subnet. This effectively prevents traffic from the IP network from accessing the VPN connection. To stop the route orchestration, go to the connection that you want to stop. From the menu icon, select Stop. The route orchestration is stopped.
    • To restart a VPN connection, restart the route orchestration. Go to the connection that you want to restart. From the menu icon, select Start. The route orchestration is started, and traffic from the IP network can once again access the VPN connection.
  5. To delete a VPN connection, go to the connection that you want to delete. From the menu icon, select Delete.
    This ends the partnership between the specified VPN gateway and the third-party device and deletes the route orchestration. The VPN connection is no longer listed on the Connections page.

After stopping or deleting a VPN connection, you can also delete the gateway instance or delete the information about the third-party device used in this connection. See Deleting a VPN Gateway or Deleting a Third-Party Device.