Note:

• This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
• It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.

Connect On-premises to OCI using an IPSec VPN with Hub and Spoke VCN Routing Architecture

Introduction

Oracle Cloud Infrastructure (OCI) makes it easy to configure VPN connectivity between your on-premises environment and your OCI environment, however they can create some complexities in routing when using a hub and spoke topology in OCI. In this tutorial, we will set up an Internet Protocol Security (IPSec) VPN connection to OCI, and configure routing to ensure that traffic from the on-premises environment is evaluated by firewall policies before connecting to resources in OCI.

The following images illustrate the traffic flows.

• On-premises to Spoke A Connectivity

  

• Spoke B to On-premises Connectivity

  

Objectives

• Connect an on-premises location to the OCI environment using an IPSec VPN tunnel. Given that our OCI environment utilizes a hub and spoke routing architecture, we will also configure the necessary routing to ensure that traffic flows correctly and verify the connectivity through basic ping tests.

Prerequisites

Complete the following tutorials:

• Deploy a Windows Instance in Oracle Cloud Infrastructure.

• Install a pfSense Firewall in Oracle Cloud Infrastructure.

• Route Hub and Spoke VCN Routing with a pfSense Firewall in the Hub VCN.

Task 1: Prepare the On-premises Environment

• OCI Topology

  In this tutorial, the OCI topology is the hub and spoke VCN routing topology. For more information, see Route Hub and Spoke VCN with pfSense Firewall in the Hub VCN.

  The following image illustrates the visual representation of the starting point.

  

• On-premises Topology

  To simulate an on-premises environment, I built a sample set up, created two VPS instances and installed pfSense on each.

  One pfSense instance will serve as the IPSec Customer-premises equipment (CPE) termination point, while the other pfSense instance will function as the internal client.

  Set up of this environment is not in the scope of this tutorial.

  

• OCI and On-premises Final Topology

  When we connect on-premises environment with the OCI environment the topology will look like this:

  

Task 2: Create a CPE in OCI

Before creating an IPSec VPN connection, we need to first create a CPE object in OCI.

• Go to the OCI Console.

  1. Click the hamburger menu (≡) from the upper left corner.
  2. Click Networking.
  3. Click Site-to-Site VPN.

  

  1. Click Customer-premises equipment.
  2. Click Create CPE.

  

• In Create CPE, enter the following information.

  1. Enter the Name for the CPE.
  2. Enter IP address, this IP address is the public IP address of the device that is going to be used to set up the VPN on-premises.
  3. Click Create CPE.

  

  1. Notice that the new CPE object in OCI is created.
  2. Click Customer Connectivity to return to the customer connectivity page.

  

Task 3: Create a Site-to-Site VPN in OCI

To configure the OCI Site-to-Site VPN, we need to perform the configuration on two ends, the OCI side and the on-premises side.

• Let us configure the OCI side.

  1. Click Site-to-Site VPN.
  2. Click Create IPSec connection.

  

  1. Enter the Name for the IPSec connection.
  2. Select the CPE created in Task 2.
  3. Select the DRG that will be used to terminate this IPSec connection.
  4. Select Routes to your on-premises network (LAN) on your on-premises location that you want to route traffic to from your OCI networks.
  5. Scroll down.

  

  1. In IKE version, select IKEv1.
  2. In Routing Type, select Static routing.
  3. Scroll down.

  

  1. Click Show advanced options.
  2. Scroll down.

  

• In OCI, we need to create and configure two tunnels by default. Let us configure the first Tunnel.

  1. Click right-angle bracket (>) for Phase one (ISAKMP).configuration.
  2. Scroll down.

  

• In the Phase one (ISAKMP) configuration section, enter the following information.

  1. Select Set custom configurations.
  2. In Custom encryption algorithm, select AES_256_CBC.
  3. In Custom authentication algorithm, select SHA_256.
  4. In Custom Diffie-Hellman Group, select GROUP 2.
  5. Leave IKE session key lifetime in seconds default to 288500 seconds.
  6. Click right-angle bracket (>) for Phase two (IPSec) configuration.
  7. Scroll down.

  

• In the Phase two (IPSec) configuration section, enter the following information.

  1. Select Set custom configurations.
  2. In Custom encryption algorithm, select AES_256_CBC.
  3. In Custom authentication algorithm, select HMAC_SHA2_256_128.
  4. Leave IPSec session key lifetime in seconds default to 3600 seconds.
  5. Select Enable perfect forward secrecy.
  6. In Perfect forward secrecy Diffie-Hellman Group, select GROUP 5.

  

• Configure the second tunnel.

  1. Use the same configuration details used by the first tunnel.
  2. Scroll down.

  

• Click Create IPSec connection.

  

• Note that both IPSec tunnels Lifecycle state is PROVISIONING .

  

  1. Note that the state is changed to AVAILABLE.
  2. Note the Oracle VPN IP address that we need to save. These IP addresses will be required to configure the on-premises tunnel.

  

  Note: We will only make use of one of the two IPSec tunnels and therefore, we will only focus on the first tunnel configuration, so only collect and save the first IP address of the first IPSec tunnel.

• Click CPE & Tunnels information.

  

• Click Show.

  

  1. Note that the Shared Secret key is autogenerated. Save this secret key, this is required to configure the other side of the tunnel (on-premises).
  2. Click Close.

  

Task 4: Configure Hub and Spoke VCN Routing for the On-premises Subnet

To route network traffic coming from the on-premises network within our Hub and Spoke network architecture, we need to make some changes to Dynamic Routing Gateways (DRG) and VCN route tables.

The following image illustrates the routing tables so this is our starting point.

Task 4.1: Update the Route Import

• Update the route distribution group (DRG_RDG_IMPORT) in the DRG. Add the IPSec tunnel attachment type (priority 4).

  Priority	Match Type	Match Criteria	Action
  1	Attachment	SPOKE_VCN-A_ATTACHMENT	ACCEPT
  2	Attachment	SPOKE_VCN-B_ATTACHMENT	ACCEPT
  3	Attachment	SPOKE_VCN-C_ATTACHMENT	ACCEPT
  4	Attachment Type	IPSec Tunnel	ACCEPT

• Go to the OCI Console.

  1. Click the the hamburger menu (≡) from the upper left corner.
  2. Click Networking.
  3. Click Dynamic Routing Gateway.

  

  1. Click Dynamic Routing Gateway.
  2. Click the DRG that we are using for our VCN routing environment.

  

  1. Click Import route distribution.
  2. Click import route distribution (DRG_RDG_IMPORT).

  

• Make sure to add the new route distribution statement.

  1. Notice the route distribution statement is added successfully.
  2. Click Dynamic routing gateways details to return to the DRG details page.

  

• The following image illustrates the visual representation of what we have created so far.

  

• We already imported the route in the DRG route table DRG_RT_HUB_VCN_3.

  Note: This DRG route table (DRG_RT_HUB_VCN_3) and route table attachment will make sure that all networks from the spokes and on-premises (IPSec) are known and learned on the DRG so that the DRG knows what networks are available on the spokes and where to route the spoke networks to.

  1. Click DRG route tables to verify.
  2. Click DRG_RT_HUB_VCN_3 route table.

  

• Click Get all route rules.

  

  1. Notice that the route from on-premises (10.222.10.0/24) is visible in the table. This means that the DRG knows how to reach the on-premises network (10.222.10.0/24) that is through the IPSec tunnel.
  2. Click Close.

  

• Click DRG to return to the DRG details page.

  

Task 4.2: Create a new Hub VCN Route Table and Associate with the IPSec DRG Attachment

• Create a new route table (DRG_RT_IPSEC_VC_1) in the DRG.

  Destination CIDR	Next Hop Attachment Type	Next Hop Attachment Name
  172.16.0.0/24	Virtual Cloud Network	HUB_VCN_ATTACHMENT
  172.16.1.0/24	Virtual Cloud Network	HUB_VCN_ATTACHMENT
  172.16.2.0/24	Virtual Cloud Network	HUB_VCN_ATTACHMENT
  172.16.3.0/24	Virtual Cloud Network	HUB_VCN_ATTACHMENT

• Go to the OCI Console.

  1. Click DRG route tables.
  2. Click Create DRG route table.

  

  1. Enter the Name for the DRG route table.
  2. In Static route rule, enter the following information to add a new static rule.
     • Destination CIDR Block: Enter 172.16.0.0/24.
     • Next hop attachment type: Select Virtual Cloud Network.
     • Next hop attachment: Select hub VCN.
  3. Click + Another Rule.

  

  1. Add a new static rule.
     • Destination CIDR Block: Enter 172.16.1.0/24.
     • Next hop attachment type: Select Virtual Cloud Network.
     • Next hop attachment: Select hub VCN.
  2. Click + Another Rule.

  

  1. Add a new static rule.
     • Destination CIDR Block: Enter 172.16.2.0/24.
     • Next hop attachment type: Select Virtual Cloud Network.
     • Next hop attachment: Select hub VCN.
  2. Click + Another Rule.

  

  1. Add a new static rule.
     • Destination CIDR Block: Enter 172.16.3.0/24.
     • Next hop attachment type: Select Virtual Cloud Network.
     • Next hop attachment: Select hub VCN.
  2. Click Create DRG route table.

  

• After a few minutes, route table will be created.

  

  1. Notice that the new DRG route table (DRG_RT_IPSEC_VC_1) is created.

  

• The following image illustrates the visual representation of what we have created so far.

  

• We need to associate/attach/bind the route table to the DRG IPSec tunnel attachments.

  Note: This DRG route table (DRG_RT_IPSEC_VC_1) and route table attachment will make sure that all networks from the spokes are reachable from on-premises. This is also a way to control the routing and only allow routing to the spokes you want to be able to route to.

  1. Click IPSec tunnel attachments.
  2. Click the first attachment.

  

  1. Notice that the IPSec attachment is using the autogenerated default DRG route table.
  2. Click Edit.

  

  1. Select the DRG route table created above (DRG_RT_IPSEC_VC_1).
  2. Click Save changes.

  

  1. Notice that a new DRG route table is active on the IPSec attachment of the first IPSec tunnel.
  2. Click DRG to return to the DRG details page.

  

• The following image illustrates the visual representation of what we have created so far.

  

  Note: We will not update the DRG route table on the second IPSec tunnel attachment as we do not use the second tunnel in this tutorial.

Task 4.3: Update the Hub VCN Private Subnet Route Table

The last route table to update is the VCN route table that is associated with the private subnet in the hub VCN.

• Update the route table (VCN_RT_HUB_PRIVATE_SUBNET) in the hub VCN.

  Add the on-premises network to the (VCN_RT_HUB_PRIVATE_SUBNET) table.

  Destination	Target Type	Target	Route Type
  0.0.0.0/0	NAT Gateway	hub-nat-gw	Static
  172.16.1.0/24	Dynamic Route Gateway	DRG	Static
  172.16.2.0/24	Dynamic Route Gateway	DRG	Static
  172.16.3.0/24	Dynamic Route Gateway	DRG	Static
  10.222.10.0/24	Dynamic Route Gateway	DRG	Static

  Note: This VCN route table (VCN_RT_HUB_PRIVATE_SUBNET) will route traffic that is destined for the spokes and on-premises IPSec network to the firewall. Traffic that is destined to the internet (all traffic other than spoke networks) to the NAT gateway will also be routed by this route table.

• Go to the OCI Console.

  1. Click the the hamburger menu (≡) from the upper left corner.
  2. Click Networking.
  3. Click Virtual cloud networks.

  

• Click the hub VCN.

  

  1. Click Route Tables.
  2. Click the VCN_RT_HUB_PRIVATE_SUBNET route table.

  

• I have already added the new route rule, so make sure you add it. When you successfully add in the route rule it should look like this.

  

• The following image illustrates the visual representation of what we have created so far.

  

Task 5: Create a Site-to-Site VPN on On-premises using pfSense

We have configured the OCI side of the IPSec tunnel. Let’s configure the on-premises side. We are using a pfSense firewall as the IPSec termination endpoint.

Task 5.1: Create the IPSec Tunnel (Phase 1 ISAKMP)

• Go to the pfSense portal.

  1. Click the VPN drop-down menu.
  2. Click IPSec.

  

  1. Click Tunnels.
  2. Click + Add P1.

  

  1. Enter a Description.
  2. In Key exchange version, select IKEv1.
  3. In Internet Protocol, select IPv4.
  4. In Interface, select WAN.
  5. In Remote Gateway, enter the public IP address, which can be retrieved from the OCI Console. Go to Networking, Customer Connectivity, Site-to-Site VPN and click VPN.
  6. Scroll down.

  

• In Phase 1 Proposal section, enter the following information.

  1. In Authentication Method, select Mutual PSK.
  2. In Negotiation mode, select Main.
  3. In My Identifier, select IP address and enter your local public IP address of the on-premises side retrieved in Task 3.
  4. In Peer Identifier, select IP address and enter your remote public IP address of the OCI side.
  5. Enter the (Pre) Shared secret key retrieved in Task 3.
  6. Configure the Encryption Algorithm:
     • Algorithm: Select AES.
     • Key Length: Select256 bits.
     • Hash: Select SHA256.
     • DH Group: Select 2 (1024 bit). - Scroll down.

  

  1. In Life Time, enter 28800 seconds.
  2. In Child SA Close Action, select Restart/Reconnect.
  3. Scroll Down.

  

• Click Save.

  

  1. Notice that the phase 1 IPSec configuration has been configured.
  2. Click Apply Changes to commit the changes.

  

  1. Notice that the changes have been applied successfully.
  2. Click Show Phase 2 Entries.

  

Task 5.2: Create the IPSec Tunnel (Phase 2 IPSec)

• Click + Add P2.

  

  1. Enter a Description.
  2. In Mode, select Routed (VTI).
  3. Select the local (on-premises) network.
  4. Select the remote (OCI) network.
  5. Scroll down.

  

  1. In Protocol, select ESP.
  2. In Encryption Algorithm, select AES 256 bits.
  3. In Hash Algorithm, select SHA256.
  4. In PFS key group, select 5 (1536 bit).
  5. In Life Time, enter 3600 seconds.
  6. Scroll down.

  

• Click Save.

  

  1. Notice that the phase 1 IPSec configuration has been configured.
  2. Click the statistics.

  

• Notice that the status is Established.

  

• Let’s verify the tunnel state on OCI side. Go to the OCI Console, navigate to Networking, Customer Connectivity, Site-to-Site VPN and click the VPN. Notice that the IPSec status of the first tunnel is Up.

  

Task 5.3: Enable the Tunnel Interface

• We need to enable the tunnel interfaces on on-premises side. Go to the pfSense Portal.

  1. Click the Interfaces drop-down menu.
  2. Click Assignments.
  3. Note that a new VTI interface is available.
  4. Click + Add to add the interface.

  

  1. Note that the interface has been added.
  2. Click added tunnel interface (OPT1).

  

  1. Select Enable interface to enable the interface.
  2. Click Save.

  

Task 5.4: Open the Firewall Rules for IPSec

• To allow IPSec traffic to flow through the tunnel we need to add some firewall rules.

  1. Click the Firewall drop-down menu.
  2. Click Rules.

  

  1. Click IPSec.
  2. Note that there are no firewall rules related to IPSec.
  3. Click Add.

  

• Enter the following information.

  1. Action: Select Pass.
  2. Interface: Select IPSec.
  3. Address Family: Select IPv4.
  4. Protocol: Select Any.
  5. Source: Select Any.
  6. Destination: Select Any.
  7. Scroll down.

  

• Click Save.

  

  1. Note that the new rule is in place.
  2. Click Apply Changes to commit the changes.

  

• Note that the changes have been applied successfully.

  

Task 5.5: Configure IPSec Routing

In this task, we will configure routing so that the pfSense firewall knows how to reach the OCI network through the IPSec tunnel and the OPT1 interface.

• Go to the pfSense Portal.

  1. Click the System drop-down menu.
  2. Click Routing.
  3. In Default gateway IPv4, select the WAN_DHCP or your default gateway that you want to use as the first priority.
  4. Click + Add to add a new gateway.

  

  1. In Interface, select OPT1 (the tunnel interface).
  2. In Address Family, select IPv4.
  3. Enter a Name.
  4. In Gateway, do not specify any IP address, leave blank.
  5. Scroll down.

  

• Click Save.

  

  1. Note that a new gateway has been added for our IPSec tunnel.
  2. Click Static Routes.

  

• Click + Add to add a new static route.

  

  1. Enter Destination network of the OCI networks.
  2. Select Destination subnet of the OCI networks.
  3. Select the Gateway created above.
  4. Click Save.

  

• Note that a new static route is added that will route traffic destined for the OCI networks using the tunnel interface.

  

Task 6: Configure On-premises Routing

We have routing working on pfSense, that is the IPSec VPN endpoint. We need to make sure that the rest of the on-premises network knows how to reach the OCI networks. So we need to route all traffic destined to OCI to the pfSense VPN endpoint.

Configure routing on the test On-premises Compute Client

We are using a pfSense instance to simulate the on-premises network.

Note: This is a different instance than the one we just used to configure the IPSec tunnel on!

• Go to the PfSense Portal.

  1. Click the System drop-down menu.
  2. Click the Routing.

  

  1. Select WAN_DHCP or your default gateway that will be used as the first priority.
  2. Click + Add to add a new gateway.

  

  1. In Interface, select LAN.
  2. In Address Family, select IPv4.
  3. Enter a Name.
  4. Enter the LAN IP address of the other pfSense instance, the one that terminates the IPSec tunnel.
  5. Scroll down.

  

• Click Save.

  

  1. Note that a new gateway is added for our other pfSense instance.
  2. Click Static Routes.

  

• Click + Add to add a new static route.

  

  1. Select Destination network of the OCI networks.
  2. Select Destination subnet of the OCI networks.
  3. Select the Gateway created above.
  4. Click Save.

  

• Note that a new static route is added that will route traffic destined for the OCI networks using the other pfSense instance.

  

Task 7: Verify the Connectivity

We have configured the VPN, added the correct firewall rules, and configured routing, now test the connectivity.

Task 7.1: Ping from On-premises to Spoke VCN A

• Due to routing configuration:

  • The traffic will be sent to the (on-premises) pfSense VPN instance.
  • The traffic is sent through the IPSec VPN tunnel to the DRG.
  • The DRG will then route the traffic to the OCI pfSense firewall.
  • The OCI pfSense firewall will allow or deny the traffic based on the configured firewall rules.
  • When the ICMP traffic is accepted it will route the traffic to the Spoke instance.

  

• Perform a ping test from the VPN pfSense on-premises instance.

  1. Click the Diagnostics drop-down menu.
  2. Click Ping.
  3. Enter the Hostname which is an IP address of the Spoke VCN A instance.
  4. In IP Protocol, select IPv4.
  5. In Source address, select the LAN interface.
  6. In Maximum number of pings, select 3.
  7. Click Ping.
  8. Notice that we have 0% Packet loss.

  

• We can also do a test from the other pfSense instance (the Client). Perform a ping test from the Client pfSense on-premises instance.

  1. Click the Diagnostics drop-down menu.
  2. Click Ping.
  3. Enter the Hostname which is an IP address of the Spoke VCN A instance.
  4. In IP Protocol, select IPv4.
  5. In Source address, select the LAN interface.
  6. In Maximum number of pings, select 3.
  7. Click Ping.
  8. Note that we have 0% Packet loss.

  

Task 7.2: Ping from Spoke VCN B to On-premises

• Due to routing configuration:

  • The traffic will be sent to the DRG.
  • The DRG will then route the traffic to the OCI pfSense firewall.
  • The OCI pfSense firewall will allow or deny the traffic based on the configured firewall rules.
  • When the ICMP traffic is accepted it will route the traffic back to the DRG.
  • The traffic is sent through the IPSec VPN tunnel to the on-premises pfSense instance.

  

  1. Connect to the spoke B VCN instance.
  2. Do a ping to the LAN IP address of the on-premises pfSense VPN instance (10.222.10.1).
  3. Notice that we have 0% packet loss so the ping is successful.
  4. Do a ping to the LAN IP address of the on-premises pfSense client instance (10.222.10.100).
  5. Notice that we have 0% packet loss so the ping is successful.

  

Task 7.3: Check IPSec VPN Network Statistics on OCI

• Go to the OCI Console.

  1. Click the the hamburger menu (≡) from the upper left corner.
  2. Click Networking.
  3. Click Site-to-Site VPN.

  

• Click the VPN.

  

• Click the first tunnel.

  

  1. Note that the tunnel state shows a constant 1 in the binary state, indicating that the tunnel is up constantly.
  2. Scroll down.

  

  1. Note that the graph is peaking for the Packets Received and Packets Sent, this is due to the ping we did in Task 7.1.
  2. Note that the graph is peaking for the Packets Received and Packets Sent, this is due to the ping we did in Task 7.2.

  

Task 7.4: Check IPSec VPN Network Statistics on the pfSense VPN Instance (On-premises)

• Go to the PfSense Portal.

  1. Click the Status drop-down menu.
  2. Click IPSec.

  

• Click Show Child SA Entries (1 connection).

  

• Notice the Packets and Bytes came in and went out.

  

Network Visualizer

As we have added the VPN, we can use the Network Visualizer on the OCI Console to get a network overview.

• Go to the OCI Console.

  1. Click the the hamburger menu (≡) from the upper left corner.
  2. Click Network.
  3. Click Network Visualizer.

  

• You can see four VCNs (one Hub and three Spokes) and the on-premises connected with VPN.

  

Acknowledgments

• Author - Iwan Hoogendoorn (OCI Network Specialist)

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.

---

Title and Copyright Information

Connect On-premises to OCI using an IPSec VPN with Hub and Spoke VCN Routing Architecture

G10283-01

June 2024

Copyright ©2024,

Oracle and/or its affiliates.