Connect On Premise Networks to Oracle Cloud over IPSec

In this guide I have included the steps an end user needs to perform the following operations:

  • Create an IPSec VPN between a customer CPE and Oracle Cloud using static routes
  • Update the IPSec connection from static routes to BGP dynamic routing

Setup Customer Premises Equipment on AWS Cloud

  1. Create a VPC with the correct subnet:
  • Select the desired AWS region (for example, US West 2)
  • Create a VPC with a CIDR (example: 172.31.0.0/16)
  • Create an Internet Gateway to provide internet routes for this VPC
  • Attach the Internet Gateway to the VPC
  • Make sure the route table has a default route to the internet through the Internet Gateway

2. Create a CPE VM on AWS

  • Choose a CentOS image
  • Create the VM in the chosen region (t2.medium) and select the correct key pair so you can access it afterwards
  • Make sure you can ping or SSH to the VM; if not, attach security groups with the correct firewall configuration
  • Install the libreswan package on the CPE VM
  • Make sure the Source/Destination Check is disabled on the instance if it is not already (the CPE forwards traffic that is not addressed to its own IP)
  • Connect to the CPE VM, update /etc/sysctl.conf with the following content, and apply it with the sudo sysctl -p command:

3. On your AWS VPC network, update the route table entries so that the Oracle VCN network (172.0.0.0/16) is reachable through the CPE VM:

4. Update the security group used for the CPE VM to allow the IPSec ports (IKE on UDP 500 and NAT-T on UDP 4500; the source can be restricted to the Oracle IPSec endpoint IPs):

  • Update the security group policies on AWS to support the IPSec configuration

5. Update the network ACL to allow the correct TCP and UDP ports for IPSec (in my case allow all should be okay):

Setup IPSec Required Config on Oracle Cloud

This section covers the Oracle Cloud configuration needed to support IPSec.

Select your region before applying the configuration below:

  1. Set up the Dynamic Routing Gateway (DRG) and Customer Premises Equipment:
  • Create a DRG on Oracle Cloud
  • Create a CPE object on Oracle Cloud for the libreswan instance
  • Create a Virtual Cloud Network (VCN) with the required subnet
  • Attach the VCN to the DRG

2. Set up IPSec on Oracle Cloud

  • Create an IPSec connection from the DRG (using static routing)
  • Confirm the IPSec connection's configuration and health

3. Update ingress rules and routes to connect the AWS VPC and the CPE

  • Add ingress rules to the VCN security lists
  • Add a route to the VCN route table

Configure CPE on AWS for IPSec

This section covers the configuration you need to collect from the Oracle Cloud IPSec connection and then apply on the AWS CPE to set up the IPSec tunnels between the AWS CPE and Oracle Cloud:

Follow the steps below:

  1. IPSec configuration parameters:
  • Collect the parameters required to set up the IPSec config on the libreswan VM:

2. Update the values and add the content below to /etc/ipsec.d/oci-ipsec.conf on the CPE VM you created on AWS:

3. Add the secrets you collected from the Oracle Cloud IPSec connection to /etc/ipsec.d/oci-ipsec.secrets:

4. Restart the ipsec service with the command below:

5. Check that the IPSec interfaces came up with ip link show; you should see the vti1 and vti2 interfaces.

6. Create routes for the Oracle Cloud VCN network over the IPSec tunnel interfaces on the CPE VM:

7. Verify the IPSec status with ipsec status; you should see output like the following:

8. Verify the IPSec connection status on Oracle Cloud:

9. Verify the IPSec interface status on the CPE VM:
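Putting steps 2 through 4 together, here is an added example (not the author's configuration files) of a script that renders the libreswan conn stanzas and the secrets file for the two OCI tunnels with VTI interfaces; the public IPs and pre-shared keys are placeholders to be replaced with the values from the OCI IPSec Connection page, and the `install` argument is a hypothetical convenience for writing the files.

```shell
# Added example (not the author's files): renders the CPE-side libreswan conn
# stanzas and secrets for the two OCI tunnels. All IPs and PSKs below are
# placeholders (constructed); substitute the values shown on the OCI IPSec Connection.
CPE_PUBLIC_IP="203.0.113.10"   # AWS CPE elastic IP (placeholder)
OCI_HEADEND_1="198.51.100.1"   # OCI tunnel 1 endpoint (placeholder)
OCI_HEADEND_2="198.51.100.2"   # OCI tunnel 2 endpoint (placeholder)

# One conn per tunnel: 'mark' must be unique and match the VTI device, and
# vti-routing=no leaves routing to the explicit 'ip route' entries of step 6.
render_conn() { # $1=conn name  $2=OCI headend IP  $3=tunnel index (1|2)
  cat <<EOF
conn $1
    left=%defaultroute
    leftid=$CPE_PUBLIC_IP
    right=$2
    rightid=$2
    authby=secret
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    auto=start
    mark=$3/0xffffffff
    vti-interface=vti$3
    vti-routing=no
    encapsulation=yes
    ikev2=no
    ike=aes_cbc256-sha2_384;modp1536
    phase2alg=aes_cbc256-sha1;modp1536
    ikelifetime=28800s
    salifetime=3600s
EOF
}

# /etc/ipsec.d/oci-ipsec.conf holds both tunnels
render_ipsec_conf() {
  render_conn oci-tunnel-1 "$OCI_HEADEND_1" 1
  render_conn oci-tunnel-2 "$OCI_HEADEND_2" 2
}

# /etc/ipsec.d/oci-ipsec.secrets: one "<CPE IP> <headend IP>: PSK" line per tunnel
render_secrets() { # $1=PSK for tunnel 1  $2=PSK for tunnel 2
  printf '%s %s: PSK "%s"\n' "$CPE_PUBLIC_IP" "$OCI_HEADEND_1" "$1"
  printf '%s %s: PSK "%s"\n' "$CPE_PUBLIC_IP" "$OCI_HEADEND_2" "$2"
}

if [ "${1:-}" = "install" ]; then   # needs root: write the files, restart ipsec
  render_ipsec_conf > /etc/ipsec.d/oci-ipsec.conf
  render_secrets "$2" "$3" > /etc/ipsec.d/oci-ipsec.secrets
  chmod 600 /etc/ipsec.d/oci-ipsec.secrets
  systemctl restart ipsec
fi
```

Run it as `sh oci-ipsec.sh install '<psk1>' '<psk2>'` on the CPE; without arguments it only defines the render functions so the output can be inspected first.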

Setup IPSec with Dynamic Routing (BGP) on Oracle Cloud

In this section we will switch routing from static to dynamic and update the configuration on both Oracle Cloud and the CPE VM. We will use the quagga package for the BGP setup on the CPE.

Follow the steps below:

  1. Install the quagga package to support the BGP configuration on the CPE VM with the command below:

2. Update the tunnel interface (vti) addresses used in the IPSec configuration:

  • You will need to add one line from the above to each IPSec tunnel configuration you created in /etc/ipsec.d/oci-ipsec.conf on the CPE VM.
  • Example:
  • If you plan to use a different network/subnet for BGP routing, update the interface IPs accordingly.

3. Update the zebra configuration (/etc/quagga/zebra.conf) on the CPE VM with the content below:

  • I am advertising my VPC subnet 172.31.16.0/20; if your subnet is different, update it accordingly:

4. Create the BGP configuration (eBGP) to support dynamic routing over IPSec on the CPE VM:

  • Update /etc/quagga/bgpd.conf on the CPE VM
  • Update the hostname as needed
  • We are using eBGP with AS 64555, which you will also need to enter on the Oracle Cloud IPSec connection

5. Start the services for this use case and enable them with the command below:

6. Restart IPSec on the CPE VM with the command below:
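As an added example covering steps 2 through 6 (not the author's files), the following script renders the leftvti line for each conn and the quagga zebra/bgpd configuration for eBGP with AS 64555 over the two tunnels; the inside-tunnel /30 addresses are placeholders, the Oracle ASN value is an assumption to verify against the OCI documentation, and it goes beyond the original by adding an inbound prefix filter so only VCN prefixes are accepted from Oracle.

```shell
# Added example (not the author's files): renders the quagga zebra/bgpd config
# for eBGP over the two VTI tunnels. The inside-tunnel /30 addresses are
# placeholders (constructed); the same values go into the OCI tunnel settings.
CPE_ASN=64555                  # CPE AS number from this guide
OCI_ASN=31898                  # Oracle's BGP ASN (assumed here; check the OCI docs)
VPC_SUBNET="172.31.16.0/20"    # VPC subnet advertised in this guide
VCN_CIDR="172.0.0.0/16"        # Oracle VCN from this guide
VTI1_LOCAL=10.0.0.1; VTI1_PEER=10.0.0.2   # tunnel 1 inside IPs (placeholder)
VTI2_LOCAL=10.0.1.1; VTI2_PEER=10.0.1.2   # tunnel 2 inside IPs (placeholder)

# Line to add to each conn in /etc/ipsec.d/oci-ipsec.conf (step 2 above)
leftvti_line() { printf '    leftvti=%s/30\n' "$1"; }

# /etc/quagga/zebra.conf: give each VTI its inside-tunnel address
render_zebra() {
  cat <<EOF
hostname cpe
interface vti1
 ip address $VTI1_LOCAL/30
interface vti2
 ip address $VTI2_LOCAL/30
EOF
}

# /etc/quagga/bgpd.conf: eBGP to both Oracle tunnel endpoints, advertising
# only the VPC subnet and accepting only VCN prefixes from Oracle.
render_bgpd() {
  cat <<EOF
hostname cpe
router bgp $CPE_ASN
 bgp router-id $VTI1_LOCAL
 network $VPC_SUBNET
 neighbor $VTI1_PEER remote-as $OCI_ASN
 neighbor $VTI1_PEER description oci-tunnel-1
 neighbor $VTI1_PEER prefix-list from-oci in
 neighbor $VTI2_PEER remote-as $OCI_ASN
 neighbor $VTI2_PEER description oci-tunnel-2
 neighbor $VTI2_PEER prefix-list from-oci in
ip prefix-list from-oci seq 10 permit $VCN_CIDR le 24
log file /var/log/quagga/bgpd.log
EOF
}

if [ "${1:-}" = "install" ]; then   # needs root: write files, start daemons
  render_zebra > /etc/quagga/zebra.conf
  render_bgpd  > /etc/quagga/bgpd.conf
  chown quagga:quagga /etc/quagga/zebra.conf /etc/quagga/bgpd.conf
  systemctl enable zebra bgpd && systemctl start zebra bgpd
  systemctl restart ipsec
fi
```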

Update IPsec Connections on Oracle Cloud to Use BGP as Dynamic Routing

In this section we will update the IPSec connection configuration on Oracle Cloud:

  1. Update the IPSec Connection 1 configuration as below:

2. Update the IPSec Connection 2 configuration as below:

  • If you are using the UI, you will have to wait until the step 1 provisioning is complete

Validation of IPSec BGP between Oracle Cloud and CPE

In this section we will validate the health of BGP over IPSec:

  1. Validate the BGP status on the Oracle Cloud IPSec connection; it should look like the following:

2. Connect to the CPE VM and view the BGP route summary

3. Add subnets on either the VPC or the VCN side and you should see the routes populated dynamically.

Conclusion

This concludes our IPSec configuration using static and dynamic routing on Oracle Cloud.
