Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Set up an Oracle Cloud Infrastructure Site-to-Site VPN with Static Routing Between two OCI Regions
Introduction
When your applications, databases, or services are distributed across different Oracle Cloud Infrastructure (OCI) regions or tenants, the preferred method for enabling network communication between them is Remote Peering Connection (RPC) peering. If RPC peering is not feasible, an alternative is to establish an OCI Site-to-Site VPN IPSec connection. While OCI does not directly support creating an OCI Site-to-Site VPN IPSec using the Dynamic Routing Gateway (DRG), you can configure a custom VPN endpoint (like Libreswan) on one side and utilize the DRG on the other to achieve this connection.
You can also use this method if you need to set up an OCI Site-to-Site VPN between on-premises and OCI and want to use your own custom VPN endpoint instead of the DRG as the Virtual Private Network (VPN) endpoint.
Objectives
- Set up an OCI Site-to-Site VPN with static routing between two OCI regions using Libreswan as a Customer Premises Equipment (CPE) on one side and DRG on the other side.
We will connect two different OCI regions using an IPSec VPN with two tunnels and with Equal Cost Multi-Path (ECMP) enabled. We will use a CPE with Libreswan software in one OCI region and the OCI Site-to-Site VPN configured on the DRG in the other region.
Prerequisites
- Two OCI regions.
- OCI Region 1 (Destination):
  - Virtual Cloud Network (VCN)
  - Private Subnet
  - DRG
  - VCN Attachments
  - Instances
  In this region the DRG will be the VPN endpoint and all traffic will be routed using the Internet connection of the DRG.
- OCI Region 2 (Source):
  - VCN
  - Public Subnet
  - Internet Gateway
  - Instances
  In this region the Libreswan CPE (an instance inside OCI) will be the VPN endpoint and all traffic will be routed using the Internet connection of the internet gateway.
The following image illustrates what we have discussed so far.
Note: The Libreswan CPE is not shown in this image yet.
Task 1: Review the Destination OCI Region (VCN, Subnet, DRG, VCN Attachments and Instances)
In this task, we will check what we have in place to get started.
- VCN
  - Review the destination OCI region. For this tutorial, it is the Germany Central (Frankfurt) OCI region.
  - Review the VCN, subnet and instance.
- Subnets
  - Review the private subnet to which instances will be attached.
- DRG
  - Review the DRG that will be used as the VPN endpoint to terminate the VPN.
- VCN Attachment
  - Review the VCN attachment to make sure the VCN is attached to the DRG, so that the DRG can route VPN traffic to the correct VCN, subnet and instance.
- Instance
  - Review the instance that we will use as a network endpoint to perform our network tests.
The following image illustrates what we have created so far.
Task 2: Review the Source OCI Region (VCN, Public Subnet, Internet Gateway, and Instances)
- VCN
  - Review the source OCI region. For this tutorial, it is the Netherlands Northwest (Amsterdam) OCI region.
  - Review the VCN, subnet and instance.
- Public Subnet
  - Review the public subnet to which instances and the Libreswan VPN endpoint will be attached.
  - Review the default route table for the VCN.
  Note: We need a public subnet here, because the Libreswan VPN endpoint must be able to reach the internet to set up the VPN connection with the other side.
- Internet Gateway
  - Review the internet gateway that provides internet connectivity.
  - Review the default route table for the VCN.
- Route Table
  - Review the VCN route table and make sure all traffic is routed to the internet gateway.
- Instances
  - Review the instance to use as a network endpoint to perform our network tests.
  - For both CLIENT and CPE we have used Oracle Linux 8 as the operating system.
The following image illustrates what we have created so far.
Task 3: Collect the Public IP Address of the CPE Instance from the Source OCI Region
- Go to the OCI Console.
- In the source OCI region we have deployed an instance that will be responsible for the VPN termination (VPN endpoint).
- Collect the public IP address that is configured on this VPN endpoint. For this tutorial, this public IP address starts with 143.
The following image illustrates what we have created so far.
Task 4: Create a new CPE in the Destination OCI Region
- Go to the OCI Console, navigate to Networking, Customer Connectivity, Dynamic routing gateway and click the DRG.
- Click Customer premises equipment.
- Click Create CPE.
- Enter the following information.
  - Name: Enter a name for the CPE.
  - Public IP address: Enter the public IP address collected in Task 3.
  - Vendor: Select Libreswan.
  - Platform/Version: Select the CPE platform version.
- Click Create CPE.
- Note that the CPE is now created.
- Note the public IP address of the CPE.
Task 5: Configure the OCI Site-to-Site VPN in the Destination OCI Region
- Go to the OCI Console.
- Click Site-to-Site VPN.
- Click Create IPSec connection.
- In the Create IPSec connection page, enter the following information.
  - Name: Enter a name for the IPSec connection.
  - Customer-premises equipment: Select the CPE created in Task 4.
  - Dynamic routing gateway: Select the DRG.
  - Routes to your on-premises network: Enter the remote network that you want to route through the IPSec connection. For this tutorial, it is the 10.222.10.0/24 network.
  - Scroll down.
  - Name: Enter a name for the first tunnel.
  - IKE version: Select IKEv1.
  - Routing type: Select Static Routing.
  - Scroll down.
  - Name: Enter a name for the second tunnel.
  - IKE version: Select IKEv1.
  - Routing type: Select Static Routing.
- Click Create IPSec connection.
Task 6: Collect the Public IP Address of the IPSec Tunnels in the Destination OCI Region and Download the CPE Configuration
- The IPSec connection is created. The public IP addresses for both IPSec tunnels are now available, and we will need them to configure the other side of the VPN.
- Click the Site-to-Site VPN created in Task 5.
  - Note Tunnel 1 of the IPSec connection.
  - Note down the public IP address for tunnel 1. For this tutorial, this IP address starts with 193.
  - Note Tunnel 2 of the IPSec connection.
  - Note down the public IP address for tunnel 2. For this tutorial, this IP address starts with 130.
The following image illustrates what we have created so far.
Task 7: Configure the CPE Instance in the Source OCI Region and Install and Configure Libreswan
- Configure the CPE instance.
  - Set up an SSH session to the CPE located in the source OCI region or VCN.
  - Make sure you are logged in.
- Run the following command to upgrade the software.
  [opc@cpe ~]$ sudo dnf upgrade -y
- Make sure the upgrade is successfully completed.
- Run the following command to switch to the root user, since the remaining commands require higher privileges.
  [opc@cpe ~]$ sudo su
- Run the following command to install the Libreswan software.
  [root@cpe opc]# sudo yum install libreswan -y
- Note that the software is successfully installed.
- Edit the following file to enable IP forwarding.
  [root@cpe etc]# nano /etc/sysctl.conf
- Make sure the /etc/sysctl.conf file contains the following content.
  kernel.unknown_nmi_panic = 1
  net.ipv4.ip_forward = 1
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0
  net.ipv4.conf.ens3.send_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv4.conf.ens3.accept_redirects = 0
- Save the file using Ctrl + X and enter Y.
- Run the following command to verify the content of the file.
  [root@cpe opc]# more /etc/sysctl.conf
- Note that the output will be the same as the content of the file.
- Run the following command to reload and apply the file to enable forwarding.
  [root@cpe etc]# sudo sysctl -p
- Run the following command to verify if IP forwarding is enabled.
  [root@cpe etc]# cat /proc/sys/net/ipv4/ip_forward
- Note that the returned value is 1, which means that IP forwarding is enabled; 0 means that IP forwarding is disabled.
- Run the following command to change to the directory where you need to configure the IPSec tunnels.
  [root@cpe opc]# cd /etc/ipsec.d/
- Create and edit the following file (tunnel1.conf) to configure the first IPSec tunnel.
  [root@cpe ipsec.d]# nano /etc/ipsec.d/tunnel1.conf
- Make sure the /etc/ipsec.d/tunnel1.conf file contains the following content.
  conn tunnel1
      keyexchange=ike
      pfs=yes
      ikev2=no
      ike=aes256-sha2_256;modp1536
      phase2alg=aes256-sha1;modp1536
      left=10.222.10.70
      leftid=143.xxx.xxx.xxx
      right=193.xxx.xxx.xxx
      rightid=193.xxx.xxx.xxx
      authby=secret
      leftsubnet=0.0.0.0/0
      rightsubnet=0.0.0.0/0
      auto=start
      mark=5/0xffffffff
      vti-interface=vti1
      vti-routing=no
      encapsulation=auto
      ikelifetime=28800s
- Save the file using Ctrl + X and enter Y.
- Create and edit the following file (tunnel2.conf) to configure the second IPSec tunnel.
  [root@cpe ipsec.d]# nano /etc/ipsec.d/tunnel2.conf
- Make sure the /etc/ipsec.d/tunnel2.conf file contains the following content.
  conn tunnel2
      keyexchange=ike
      pfs=yes
      ikev2=no
      ike=aes256-sha2_256;modp1536
      phase2alg=aes256-sha1;modp1536
      left=10.222.10.70
      leftid=143.xxx.xxx.xxx
      right=130.xxx.xxx.xxx
      rightid=130.xxx.xxx.xxx
      authby=secret
      leftsubnet=0.0.0.0/0
      rightsubnet=0.0.0.0/0
      auto=start
      mark=6/0xffffffff
      vti-interface=vti2
      vti-routing=no
      encapsulation=auto
      ikelifetime=28800s
- Save the file using Ctrl + X and enter Y.
- Run the following command to verify the content of the file for tunnel1.
  [root@cpe ipsec.d]# more /etc/ipsec.d/tunnel1.conf
- Note that the output will be the same as the content of the file.
- Run the following command to verify the content of the file for tunnel2.
  [root@cpe ipsec.d]# more /etc/ipsec.d/tunnel2.conf
- Note that the output will be the same as the content of the file.
- We have configured the IPSec tunnels; now we also need to configure the shared secrets, as we are using a pre-shared key for authentication.
  When we created the OCI Site-to-Site VPN in Task 5, the tunnels were created and OCI also generated a shared secret key per tunnel. To configure the same shared secrets in Libreswan, we need to go back to the OCI Console.
  - Go to the OCI Console, navigate to Networking, Customer Connectivity, Site-to-Site VPN and click the configured VPN.
  - Click the first tunnel configuration.
  - To get the shared secret, click Show.
  - Copy the shared secret for tunnel 1 and save it in a notepad to access it later.
  - Click Close.
  - Go to the OCI Console, navigate to Networking, Customer Connectivity, Site-to-Site VPN and click the configured VPN.
  - Click the second tunnel configuration.
  - To get the shared secret, click Show.
  - Copy the shared secret for tunnel 2 and save it in a notepad to access it later.
  - Click Close.
- Configure the shared secrets on Libreswan. Create and edit the following file (shared.secrets) to configure the shared secrets for both tunnels.
  [root@cpe ipsec.d]# nano /etc/ipsec.d/shared.secrets
- Make sure the /etc/ipsec.d/shared.secrets file contains the following content.
  143.xxx.xxx.xxx 193.xxx.xxx.xxx : PSK "1blwzMdgQ5XXXoiQwF96tqc7c7"
  143.xxx.xxx.xxx 130.xxx.xxx.xxx : PSK "npLt23Ym6E1XXXhr5egvYSuzKC"
- Run the following command to verify the content of the file.
  [root@cpe ipsec.d]# more /etc/ipsec.d/shared.secrets
- Note that the output will be the same as the content of the file.
- Run the following command to start the IPSec service on Libreswan. This will not establish the tunnels yet.
  [root@cpe ipsec.d]# ipsec start
- Run the following command to verify the status of the IPSec connections.
  [root@cpe ipsec.d]# ipsec verify
- Note that the verification looks OK, without any errors.
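Before starting the IPSec service it is worth checking the two conn files and shared.secrets against each other, since a mark or vti-interface reused between tunnel1 and tunnel2, or a PSK line whose addresses do not match leftid and right, only shows up later as a tunnel that will not come up. The following script is an added example and not part of this tutorial or of Libreswan: it reads every tunnel*.conf in a directory laid out as in Task 7, checks that conn names, marks and vti-interfaces are unique, that ikev2=no matches the IKEv1 tunnels created in Task 5, that shared.secrets carries a PSK line for each leftid/right pair, and that shared.secrets is not readable by other users. The addresses and PSKs written by write_sample_config are constructed placeholders (RFC 5737 documentation ranges), not values from the tutorial.

```shell
#!/bin/sh
# Added example (not from the tutorial): pre-flight lint for the Libreswan
# tunnel*.conf files and shared.secrets written in Task 7.

# conf_value FILE KEY: print the value of KEY from a "key=value" conn file
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# seen LIST ITEM: succeed when ITEM already appears in the space-separated LIST
seen() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# lint_ipsec_dir DIR: succeed only when all checks pass; print one line per problem
lint_ipsec_dir() {
    dir=$1; secrets=$dir/shared.secrets; errors=0
    names=""; marks=""; vtis=""
    [ -f "$secrets" ] || { echo "missing $secrets"; return 1; }
    # column 8 of "ls -l" is the read bit for "other"
    if [ "$(ls -l "$secrets" | cut -c8)" = "r" ]; then
        echo "$secrets is world-readable; restrict it with chmod 600"
        errors=$((errors + 1))
    fi
    for conf in "$dir"/tunnel*.conf; do
        [ -f "$conf" ] || { echo "no tunnel*.conf files in $dir"; return 1; }
        name=$(sed -n 's/^conn[[:space:]]\{1,\}//p' "$conf" | head -n 1)
        mark=$(conf_value "$conf" mark)
        vti=$(conf_value "$conf" vti-interface)
        leftid=$(conf_value "$conf" leftid)
        right=$(conf_value "$conf" right)
        if [ -z "$name" ] || [ -z "$mark" ] || [ -z "$vti" ] || [ -z "$leftid" ] || [ -z "$right" ]; then
            echo "$conf: conn name, mark, vti-interface, leftid and right must all be set"
            errors=$((errors + 1)); continue
        fi
        seen "$names" "$name" && { echo "$conf: conn name $name already used"; errors=$((errors + 1)); }
        seen "$marks" "$mark" && { echo "$conf: mark $mark already used"; errors=$((errors + 1)); }
        seen "$vtis" "$vti" && { echo "$conf: vti-interface $vti already used"; errors=$((errors + 1)); }
        names="$names $name"; marks="$marks $mark"; vtis="$vtis $vti"
        [ "$(conf_value "$conf" ikev2)" = "no" ] \
            || { echo "$conf: ikev2 must be no; the OCI tunnels were created with IKEv1"; errors=$((errors + 1)); }
        # shared.secrets needs a line "<leftid> <right> : PSK \"...\"" for this tunnel
        l=$(printf '%s' "$leftid" | sed 's/\./\\./g')
        r=$(printf '%s' "$right" | sed 's/\./\\./g')
        grep -Eq "^${l}[[:space:]]+${r}[[:space:]]*:[[:space:]]*PSK[[:space:]]+\"[^\"]+\"" "$secrets" \
            || { echo "$conf: no PSK line for $leftid $right in $secrets"; errors=$((errors + 1)); }
    done
    [ "$errors" -eq 0 ]
}

# write_sample_config DIR: constructed tunnel1.conf, tunnel2.conf and shared.secrets
# in the tutorial's layout; 192.0.2.10 / 198.51.100.x are placeholder public IPs
write_sample_config() {
    mkdir -p "$1"
    for n in 1 2; do
        cat > "$1/tunnel$n.conf" <<EOF
conn tunnel$n
    keyexchange=ike
    pfs=yes
    ikev2=no
    ike=aes256-sha2_256;modp1536
    phase2alg=aes256-sha1;modp1536
    left=10.222.10.70
    leftid=192.0.2.10
    right=198.51.100.$n
    rightid=198.51.100.$n
    authby=secret
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=start
    mark=$((n + 4))/0xffffffff
    vti-interface=vti$n
    vti-routing=no
    encapsulation=auto
    ikelifetime=28800s
EOF
    done
    # constructed PSKs; on a real CPE these are the per-tunnel secrets copied from the OCI Console
    cat > "$1/shared.secrets" <<'EOF'
192.0.2.10 198.51.100.1 : PSK "example-psk-for-tunnel1"
192.0.2.10 198.51.100.2 : PSK "example-psk-for-tunnel2"
EOF
    chmod 600 "$1/shared.secrets"
}

# Stand-alone use: lint the directory given as $1 (e.g. /etc/ipsec.d), else the sample
if [ -n "$1" ]; then
    lint_ipsec_dir "$1"
else
    tmp=$(mktemp -d); write_sample_config "$tmp"; lint_ipsec_dir "$tmp"; rm -rf "$tmp"
fi
```

On the CPE you would run it as `sh lint-ipsec.sh /etc/ipsec.d` after writing the files and before `ipsec start`; a non-zero exit with the printed reasons tells you what to fix before Libreswan reports a failed negotiation.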
Task 8: Open the Firewall on the CPE Instance in the Source OCI Region and Configure the VCN and Subnet Security Lists
Configure the VCN and subnet security lists to allow the ingress ports required for the IPSec connection. For the tunnels to be established correctly, you need to make sure the network security on both sides allows the required ports.
- Start with the source OCI region that hosts Libreswan as a CPE.
  - Go to the OCI Console, navigate to Networking, Virtual cloud networks, select the VCN and click Security Lists.
  - Select the Default Security List.
  - Scroll down.
  - Make sure you have added the following ingress security rules.
    Source IP   Protocol   Source Port   Destination Port
    0.0.0.0/0   UDP        All           500
    0.0.0.0/0   UDP        All           4500
  Note: Opening UDP 500 and 4500 to 0.0.0.0/0 is the simplest setting for this lab. The only peers that need to reach the CPE are the two tunnel public IP addresses noted in Task 6, so those can be used as the source instead.
- Open the firewall ports on the Libreswan CPE.
  - Run the following command to review the existing configured firewall rules.
    [root@cpe ipsec.d]# sudo firewall-cmd --list-all
  - Note that there are no rules configured related to the IPSec ports.
  - Run the following command to allow UDP port 500 on the CPE.
    [root@cpe ipsec.d]# sudo firewall-cmd --add-port=500/udp
  - Run the following command to allow UDP port 4500 on the CPE.
    [root@cpe ipsec.d]# sudo firewall-cmd --add-port=4500/udp
  - Run the following command to make the firewall rules permanent so they will remain after a reboot.
    [root@cpe ipsec.d]# sudo firewall-cmd --runtime-to-permanent
  - Run the following command to review the configured firewall rules again.
    [root@cpe ipsec.d]# sudo firewall-cmd --list-all
  - Note that the rules for UDP ports 500 and 4500 are now listed.
  - Run the following command to make sure the firewall service on the CPE is running.
    [root@cpe ipsec.d]# systemctl status firewalld
  - Note that the firewall service is active and running.
  - Run the following command to restart the IPSec service.
    [root@cpe ipsec.d]# service ipsec restart
Disable the Linux Firewall on the CPE
In some cases (for testing purposes) it might be better to completely disable the Linux firewall of the CPE instance on which Libreswan is running. This can be done with the following command:
[root@cpe ipsec.d]# systemctl disable --now firewalld
Run the following command to make sure the firewall service on the CPE is NOT running.
[root@cpe ipsec.d]# systemctl status firewalld
Task 9: Activate and Verify if the IPSec Tunnel is up on Both Sides
- Run the following command to verify the IPSec status for both tunnels.
  [root@cpe ipsec.d]# ipsec status
  - Note the configuration and status for the first IPSec tunnel.
  - Note the configuration and status for the second IPSec tunnel.
  - Note that the number of IPSec connections loaded is 2, and the number active is 0.
- Run the following command to add tunnel1.
  [root@cpe ipsec.d]# ipsec auto --add tunnel1
- Note the output given by the terminal when tunnel1 is added.
  002 "tunnel1": terminating SAs using this connection
  002 "tunnel1" #3: deleting state (STATE_QUICK_I2) aged 3.504567s and sending notification
  005 "tunnel1" #3: ESP traffic information: in=0B out=0B
  002 "tunnel1" #1: deleting state (STATE_MAIN_I4) aged 3.541172s and sending notification
  002 "tunnel1": added IKEv1 connection
- Run the following command to bring tunnel1 up.
  [root@cpe ipsec.d]# ipsec auto --up tunnel1
- Note the output given by the terminal when tunnel1 is brought up.
  002 "tunnel1" #5: initiating IKEv1 Main Mode connection
  102 "tunnel1" #5: sent Main Mode request
  104 "tunnel1" #5: sent Main Mode I2
  106 "tunnel1" #5: sent Main Mode I3
  002 "tunnel1" #5: Peer ID is ID_IPV4_ADDR: '193.122.0.91'
  004 "tunnel1" #5: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
  002 "tunnel1" #6: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#5 msgid:b6364de1 proposal=AES_CBC_256-HMAC_SHA1_96-MODP1536 pfsgroup=MODP1536}
  115 "tunnel1" #6: sent Quick Mode request
  002 "tunnel1" #6: up-client output: vti interface "vti1" already exists with conflicting setting (perhaps need vti-sharing=yes ?
  002 "tunnel1" #6: prepare-client output: vti interface "vti1" already exists with conflicting setting (perhaps need vti-sharing=yes ?
  004 "tunnel1" #6: IPsec SA established tunnel mode {ESPinUDP=>0x5036cdcc <0x33c964f9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATD=193.122.0.91:4500 DPD=passive}
- Run the following command to add tunnel2.
  [root@cpe ipsec.d]# ipsec auto --add tunnel2
- Note the output given by the terminal when tunnel2 is added.
  002 "tunnel2": terminating SAs using this connection
  002 "tunnel2" #4: deleting state (STATE_QUICK_I2) aged 25.694856s and sending notification
  005 "tunnel2" #4: ESP traffic information: in=0B out=0B
  002 "tunnel2" #2: deleting state (STATE_MAIN_I4) aged 25.731704s and sending notification
  002 "tunnel2": added IKEv1 connection
- Run the following command to bring tunnel2 up.
  [root@cpe ipsec.d]# ipsec auto --up tunnel2
- Note the output given by the terminal when tunnel2 is brought up.
  002 "tunnel2" #7: initiating IKEv1 Main Mode connection
  102 "tunnel2" #7: sent Main Mode request
  104 "tunnel2" #7: sent Main Mode I2
  106 "tunnel2" #7: sent Main Mode I3
  002 "tunnel2" #7: Peer ID is ID_IPV4_ADDR: '130.61.66.255'
  004 "tunnel2" #7: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
  002 "tunnel2" #8: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#7 msgid:aeb4eb18 proposal=AES_CBC_256-HMAC_SHA1_96-MODP1536 pfsgroup=MODP1536}
  115 "tunnel2" #8: sent Quick Mode request
  002 "tunnel2" #8: up-client output: vti interface "vti2" already exists with conflicting setting (perhaps need vti-sharing=yes ?
  002 "tunnel2" #8: prepare-client output: vti interface "vti2" already exists with conflicting setting (perhaps need vti-sharing=yes ?
  004 "tunnel2" #8: IPsec SA established tunnel mode {ESPinUDP=>0x8bef7076 <0xe27d84a0 xfrm=AES_CBC_256-HMAC_SHA1_96 NATD=130.61.66.255:4500 DPD=passive}
  [root@cpe ipsec.d]#
- Run the following command to verify the IPSec status for both tunnels.
  [root@cpe ipsec.d]# ipsec status
- Note that the number of active tunnels has gone from 0 to 2.
- Go to the destination side in the OCI Console and check.
  - Go to the OCI Console, navigate to Networking, Customer Connectivity and Site-to-Site VPN.
  - Click the VPN connection.
  - Note that Tunnel 1 and Tunnel 2 are both Available and Up.
The following image illustrates what we have created so far.
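The `ipsec auto --up` output above is what a human reads to decide that a tunnel is up: the `IKE SA established` line is phase 1, the `IPsec SA established` line is phase 2, and the `vti interface ... already exists` lines are warnings that do not stop the SA from being created. The following script is an added example, not part of the tutorial or of Libreswan, that turns that output into a verdict a monitoring job can act on. The sample text is constructed from the tutorial's tunnel1 output with 198.51.100.1 as a placeholder peer address; on a live CPE you would feed it `$(ipsec auto --up tunnel1 2>&1)`.

```shell
#!/bin/sh
# Added example (not from the tutorial): classify "ipsec auto --up <conn>" output.

# tunnel_state TEXT: print one of
#   established               IKE SA and IPsec SA established, no vti warning
#   established-vti-warning   both SAs established, vti "already exists" warning seen
#   ike-only                  IKE SA established but no IPsec SA (phase 2 failed)
#   failed                    no IKE SA in the output
tunnel_state() {
    ike=0; esp=0; vti=0
    printf '%s\n' "$1" | grep -q 'IKE SA established' && ike=1
    printf '%s\n' "$1" | grep -q 'IPsec SA established' && esp=1
    printf '%s\n' "$1" | grep -q 'vti interface .* already exists' && vti=1
    if [ "$ike" -eq 1 ] && [ "$esp" -eq 1 ]; then
        if [ "$vti" -eq 1 ]; then echo established-vti-warning; else echo established; fi
    elif [ "$ike" -eq 1 ]; then
        echo ike-only
    else
        echo failed
    fi
}

# peer_id TEXT: print the peer address from the "Peer ID is ID_IPV4_ADDR" line
peer_id() {
    printf '%s\n' "$1" | sed -n "s/.*Peer ID is ID_IPV4_ADDR: '\([^']*\)'.*/\1/p" | head -n 1
}

# esp_transform TEXT: print the negotiated ESP transform (the xfrm= value of the IPsec SA)
esp_transform() {
    printf '%s\n' "$1" | sed -n 's/.*xfrm=\([^ }]*\).*/\1/p' | head -n 1
}

# Constructed sample: the tutorial's tunnel1 output with a placeholder peer address
SAMPLE_UP=$(cat <<'EOF'
002 "tunnel1" #5: initiating IKEv1 Main Mode connection
102 "tunnel1" #5: sent Main Mode request
002 "tunnel1" #5: Peer ID is ID_IPV4_ADDR: '198.51.100.1'
004 "tunnel1" #5: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
115 "tunnel1" #6: sent Quick Mode request
002 "tunnel1" #6: up-client output: vti interface "vti1" already exists with conflicting setting (perhaps need vti-sharing=yes ?
004 "tunnel1" #6: IPsec SA established tunnel mode {ESPinUDP=>0x5036cdcc <0x33c964f9 xfrm=AES_CBC_256-HMAC_SHA1_96 NATD=198.51.100.1:4500 DPD=passive}
EOF
)

# Constructed sample of a phase 2 failure: IKE came up but no IPsec SA followed
SAMPLE_IKE_ONLY=$(cat <<'EOF'
004 "tunnel1" #5: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP1536}
002 "tunnel1" #6: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
EOF
)

# Stand-alone use: print the verdict for the embedded sample
echo "tunnel1: $(tunnel_state "$SAMPLE_UP") peer=$(peer_id "$SAMPLE_UP") esp=$(esp_transform "$SAMPLE_UP")"
```

An `ike-only` verdict points at a phase 2 mismatch (the phase2alg line or the subnets), while `failed` points at phase 1 (the PSK, the ike line, or UDP 500/4500 being blocked as covered in Task 8).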
Task 10: Configure the Static Routing
- The tunnels are up; now we need to make sure the required traffic is routed through the tunnels.
- Run the following command to review the configured tunnel interfaces.
  [root@cpe ipsec.d]# ifconfig
  - Note that vti1 is responsible for tunnel 1.
  - Note that vti2 is responsible for tunnel 2.
- Run the following command to route the 172.16.0.0/16 network through the vti1 and vti2 interfaces.
  [root@cpe ipsec.d]# ip route add 172.16.0.0/16 nexthop dev vti1 weight 1 nexthop dev vti2 weight 1
- Run the following command to check that the route has been added.
  [root@cpe ipsec.d]# ip route
- Note that the routes are added.
Task 11: Initiate Final Ping from the Source and Destination Instances
- Initiate the final ping from the source.
  - Run the following command from the source (CPE) to verify that the ping works from the source OCI region to the destination OCI region.
    [root@cpe ipsec.d]# ping 172.16.1.93 -c 4
  - Note that we have 0% packet loss.
  The following image illustrates what we have created so far.
- Initiate the final ping from the destination.
  - Run the following command from the destination to verify that the ping works from the destination OCI region to the source OCI region (CPE).
    [opc@ih-instance-vcn-a ~]$ ping 10.222.10.70 -c 4
  - Note that we have 0% packet loss.
  The following image illustrates what we have created so far.
If you want to route all the traffic from the other instances in the same subnet in the source OCI region through the tunnels, you need to add a static route in the VCN route table. This route sends all traffic destined for 172.16.0.0/24 to the CPE (10.222.10.70).
The following image illustrates what we have created so far with the full route table.
- Before you can add a route towards a private IP address (the Libreswan CPE), you first need to enable Skip source/destination check on the VNIC of the instance (Libreswan CPE).
  - Navigate to Compute and Instances.
  - Select the CPE.
  - Scroll down.
  - Click Attached VNICs.
  - Click the three dots.
  - Click Edit VNIC.
  - Select Skip source/destination check.
  - Click Save changes.
- Add the route.
  - Go to Networking, Virtual cloud networks, select the VCN and click Route Tables.
  - Select the Default Route Table.
  - Add a route rule for the destination 172.16.0.0/16 with Target Type set to Private IP and the Target set to 10.222.10.70 (Libreswan CPE).
- Run the following command to verify the IP address of the CLIENT.
  [opc@client ~]$ ip a
- Note that the CLIENT's IP address is 10.222.10.19.
- Run the following command from the source (CLIENT) to verify that the ping works from the source OCI region to the destination OCI region.
  [opc@client ~]$ ping 172.16.1.93 -c 4
- Note that we have 0% packet loss.
The following image illustrates what we have created so far.
- Run the following command from the destination to verify that the ping works from the destination OCI region to the source OCI region (CLIENT).
  [opc@ih-instance-vcn-a ~]$ ping 10.222.10.19 -c 4
- Note that we have 0% packet loss.
The following image illustrates what we have created so far.
Task 12: Verify the OCI Site-to-Site VPN Status
- The VPN tunnels are up and traffic is flowing through them, so we can look at the dashboards in OCI on a per-tunnel basis.
  - Go to the OCI Console, Networking, Customer Connectivity and click Site-to-Site VPN.
  - Click the VPN connection.
  - Click the first tunnel configuration.
  - Scroll down.
  - Note that the IPSec tunnel state graph is constantly at 1, indicating the tunnel is up.
  - Scroll down.
  - Note that the number of packets received on this tunnel is 4, which corresponds with the number of ping packets sent from the source.
  - Note that the number of packets sent on this tunnel is 4, which corresponds with the number of ping packets sent from the destination.
  - Note the number of bytes received from the source.
  - Note the number of bytes sent from the destination.
Task 13: Enable Equal Cost Multi-Path (ECMP) Routing
- By default, the traffic is always sent using one tunnel interface (vti). If we want to use both tunnels for traffic forwarding we need to enable ECMP routing on both sides.
  On the Libreswan CPE, run the following command.
  [root@cpe ipsec.d]# sysctl -w net.ipv4.fib_multipath_hash_policy=1
  Note: sysctl -w changes the running kernel only. To keep the setting across reboots, add net.ipv4.fib_multipath_hash_policy = 1 to /etc/sysctl.conf, the file edited in Task 7.
  The following image illustrates what we have created so far.
- From the destination OCI region, go to the OCI Console, navigate to Networking, Customer Connectivity, Dynamic routing gateway, select the DRG, DRG route table details and select the DRG route table that is responsible for the routing.
  - Click Get all route rules.
  - Note that there are two routes available for the 10.222.10.0/24 network.
  - Note that one route rule for 10.222.10.0/24 is marked as Conflict and the other is marked as Active.
  - Click Close.
- Click Edit.
  - Select Enable ECMP.
  - Click Save changes.
- Click Get all route rules.
  - Note that both route rules for 10.222.10.0/24 are now marked as Active.
The following image illustrates what we have created so far.
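ECMP on the CPE side depends on two things from Task 10 and Task 13 being in place at the same time: the multipath route with both vti nexthops, and the fib_multipath_hash_policy setting. The following script is an added example, not part of the tutorial, that checks both from the text `ip route` prints rather than by reading it by eye. The route text embedded below is constructed in the form `ip route` produces; on a live CPE you would call `ecmp_ready "$(ip route)" 172.16.0.0/16 "$(sysctl -n net.ipv4.fib_multipath_hash_policy)"`.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify the CPE's multipath route and
# hash policy for the 172.16.0.0/16 destination used in Task 10 and Task 13.

# route_nexthop_devs ROUTE_TEXT PREFIX: print the device of every nexthop of PREFIX,
# one per line; handles the single-line form and the multipath "nexthop dev ..." form
route_nexthop_devs() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /^[^ \t]/ { inblock = ($1 == p) }        # a non-indented line starts a new route
        inblock {
            for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1)
        }'
}

# ecmp_ready ROUTE_TEXT PREFIX HASH_POLICY: succeed only when PREFIX has at least two
# nexthop devices and net.ipv4.fib_multipath_hash_policy is 1 (the value set in Task 13)
ecmp_ready() {
    n=$(route_nexthop_devs "$1" "$2" | wc -l | tr -d ' ')
    if [ "$n" -lt 2 ]; then
        echo "$2: only $n nexthop device(s); traffic cannot be spread over both tunnels"
        return 1
    fi
    if [ "$3" != "1" ]; then
        echo "fib_multipath_hash_policy is $3, expected 1 (sysctl -w net.ipv4.fib_multipath_hash_policy=1)"
        return 1
    fi
    echo "$2: ECMP over $n nexthops, hash policy $3"
}

# Constructed sample: what "ip route" shows after the Task 10 command on the CPE
SAMPLE_ROUTES=$(cat <<'EOF'
default via 10.222.10.1 dev ens3 proto dhcp metric 100
10.222.10.0/24 dev ens3 proto kernel scope link src 10.222.10.70 metric 100
172.16.0.0/16
        nexthop dev vti1 weight 1
        nexthop dev vti2 weight 1
EOF
)

# Constructed sample with the route pointing at a single tunnel only
SAMPLE_SINGLE=$(cat <<'EOF'
172.16.0.0/16 dev vti1 scope link
EOF
)

# Stand-alone use: report on the embedded sample with the hash policy from Task 13
ecmp_ready "$SAMPLE_ROUTES" 172.16.0.0/16 1
```

The route added with `ip route add` in Task 10 is not persistent either, so this check is a useful thing to run after a reboot of the CPE before assuming both tunnels carry traffic.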
Acknowledgments
- Author - Iwan Hoogendoorn (OCI Network Specialist)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
G14487-02
Copyright ©2025, Oracle and/or its affiliates.