!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! IKEv1 Configuration Template
! The configuration consists of two IPSec tunnels. Oracle highly recommends that you configure both tunnels for maximum redundancy.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template involves setting up the following:
! Keyring (Pre-Shared Key)
! Basic ISAKMP Options
! ISAKMP and IPSec Policy Configuration
! IPSec Peers
! Virtual Tunnel Interfaces
! IP Routing (BGP or Static)
! Update Any Internet Facing Access List to Allow IPSec and ISAKMP Packets
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! The configuration template has various parameters that you must define before applying the configuration.
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! PARAMETERS REFERENCED:
! ${OracleInsideTunnelIpAddress1} = Inside tunnel IP address of the Oracle side for the first tunnel. You provide these values when creating the IPSec connection in the Oracle Console.
! ${OracleInsideTunnelIpAddress2} = Inside tunnel IP address of the Oracle side for the second tunnel. You provide these values when creating the IPSec connection in the Oracle Console.
! ${bgpASN} = Your BGP ASN
! ${cpePublicIpAddress} = The public IP address for the CPE. This is the IP address of your outside interface.
! ${oracleHeadend1} = Oracle public IP endpoint obtained from the Oracle Console.
! ${oracleHeadend2} = Oracle public IP endpoint obtained from the Oracle Console.
! ${sharedSecret1} = You provide this when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${sharedSecret2} = You provide this when you set up the IPSec connection in the Oracle Console, or you can use the default Oracle-provided value.
! ${outsideInterface} = The public (outside-of-tunnel) interface that is configured with the CPE public IP address.
! ${vcnCidrNetwork} = VCN IP range
! ${vcnCidrNetmask} = Subnet mask for the VCN
! ${onPremCidrNetwork} = On-premises IP range
! ${onPremCidrNetmask} = On-premises subnet mask
!-------------------------------------------------------------------------------------------------------------------------------------------------------------
! Keyring (Pre-Shared Key)
! For authentication during IKE, a separate keyring is defined for each Oracle VPN Headend peer.
! Add the pre-shared key for each Oracle VPN headend under the corresponding keyring.
crypto keyring oracle-vpn-${oracleHeadend1}
  local-address ${cpePublicIpAddress}
  pre-shared-key address ${oracleHeadend1} key ${sharedSecret1}
crypto keyring oracle-vpn-${oracleHeadend2}
  local-address ${cpePublicIpAddress}
  pre-shared-key address ${oracleHeadend2} key ${sharedSecret2}
!
! Basic ISAKMP Options
! Optional IPSec settings are included here.
! All optional settings included are recommended by Oracle. Remove or comment out any unneeded commands prior to applying this configuration.
! WARNING: These settings are global and may impact other IPSec connections.
!
! Enables fragmentation of IKE packets prior to encryption.
crypto isakmp fragmentation
!
! Enables Dead Peer Detection (DPD).
crypto isakmp keepalive 10 10
!
! The router will clear the DF bit in the IP header. This allows the packet to be fragmented and sent to the end host in Oracle Cloud Infrastructure for reassembly.
crypto ipsec df-bit clear
!
! Increases the security association anti-replay window.
! An increased window size is helpful for scenarios where packets are regularly being dropped due to delays.
crypto ipsec security-association replay window-size 128
!
! ISAKMP and IPSec Policy Configuration
! An ISAKMP policy is created for Phase 1 which specifies the use of a Pre-Shared Key, AES256, SHA384, Diffie-Hellman Group 5, and a Phase 1 lifetime of 28800 seconds (8 hours).
! If different parameters are required, modify this template before applying the configuration.
! WARNING: The ISAKMP group policy is created with a priority of 10. Make sure this doesn't conflict with any pre-existing configuration before applying.
crypto isakmp policy 10
  encr aes 256
  hash sha384
  authentication pre-share
  group 5
  lifetime 28800
!
! Create an IPSec transform set named 'oracle-vpn-transform' which defines a combination of IPSec (Phase 2) policy options. Specifically, AES256 for encryption and SHA1 for authentication. This is also where tunnel mode is set for IPSec.
! If different parameters are required, modify this template before applying the configuration.
crypto ipsec transform-set oracle-vpn-transform esp-aes 256 esp-sha-hmac
  mode tunnel
!
! An IPSec profile named 'oracle-vpn' is created.
! The previously created transform set is added to this policy along with settings enabling PFS Group 5 and setting the security association lifetime to 3600 seconds (1 hour).
! If different parameters are required, modify this template before applying the configuration.
crypto ipsec profile oracle-vpn
  set pfs group5
  set security-association lifetime seconds 3600
  set transform-set oracle-vpn-transform
!
! IPSec Peers
! Two ISAKMP profiles are created, one for each Oracle VPN Headend.
! An ISAKMP profile is used as a repository for various Phase 1 commands tied to a specific IPSec peer. In this case, we match the previously created keyrings to an Oracle VPN headend.
crypto isakmp profile oracle-vpn-${oracleHeadend1}
  keyring oracle-vpn-${oracleHeadend1}
  self-identity address
  match identity address ${oracleHeadend1} 255.255.255.255
crypto isakmp profile oracle-vpn-${oracleHeadend2}
  keyring oracle-vpn-${oracleHeadend2}
  self-identity address
  match identity address ${oracleHeadend2} 255.255.255.255
!
! Virtual Tunnel Interfaces
! Each tunnel interface is a logical interface representing the local end of a VPN tunnel to a remote VPN peer. Each tunnel interface represents a single tunnel to a different Oracle VPN Headend. The IP address of each VPN headend is provided when you create your IPSec connection in the Oracle Console.
! All traffic routed to a tunnel interface will be encrypted and sent across the tunnel towards Oracle Cloud Infrastructure.
! Each tunnel interface configuration also references the previously created IPSec profile 'oracle-vpn' for its IPSec parameters.
! WARNING: When doing static routing you do NOT have to set IPs on the tunnel interfaces unless you have pre-configured inside tunnel interfaces in the Oracle Console when creating your IPSec connection. Inside tunnel interfaces are required if using BGP.
interface Tunnel${tunnelNumber1}
  ip address ${cpeInsideTunnelIpAddress1} ${cpeInsideTunnelNetmask1}
  tunnel source ${cpePublicIpAddress}
  tunnel mode ipsec ipv4
  tunnel destination ${oracleHeadend1}
  tunnel protection ipsec profile oracle-vpn
interface Tunnel${tunnelNumber2}
  ip address ${cpeInsideTunnelIpAddress2} ${cpeInsideTunnelNetmask2}
  tunnel source ${cpePublicIpAddress}
  tunnel mode ipsec ipv4
  tunnel destination ${oracleHeadend2}
  tunnel protection ipsec profile oracle-vpn
!
! IP Routing
! Pick either dynamic (BGP) or static routing. Uncomment the corresponding commands prior to applying the configuration.
!
! Border Gateway Protocol (BGP) Configuration
! Uncomment the lines below if you want to use BGP.
! router bgp ${bgpASN}
!   neighbor ${OracleInsideTunnelIpAddress1} remote-as 31898
!   neighbor ${OracleInsideTunnelIpAddress2} remote-as 31898
!   network ${onPremCidrNetwork} mask ${onPremCidrNetmask}
!
! Static Route Configuration
! Uncomment the lines below if you want to use static routing.
! ip route ${vcnCidrNetwork} ${vcnCidrNetmask} Tunnel${tunnelNumber1}
! ip route ${vcnCidrNetwork} ${vcnCidrNetmask} Tunnel${tunnelNumber2}
!
! Update Any Internet Facing Access List to Allow IPSec and ISAKMP Packets
! You may need to allow IPSec and ISAKMP packets on your internet facing interface.
! Uncomment the lines below to create a new ACL allowing IPSec and ISAKMP traffic and apply it to the outside interface.
! ip access-list extended INTERNET-INGRESS
!   permit udp host ${oracleHeadend1} host ${cpePublicIpAddress} eq isakmp
!   permit esp host ${oracleHeadend1} host ${cpePublicIpAddress}
!   permit udp host ${oracleHeadend2} host ${cpePublicIpAddress} eq isakmp
!   permit esp host ${oracleHeadend2} host ${cpePublicIpAddress}
!   permit icmp any any echo
!   permit icmp any any echo-reply
!   permit icmp any any unreachable
! interface ${outsideInterface}
!   ip address ${cpePublicIpAddress} ${netmask}
!   ip access-group INTERNET-INGRESS in
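The template above must have every `${...}` parameter filled in before it is applied, and the keyring, ISAKMP profile and tunnel interface for a given headend must all name the same peer address. The following added example (not part of Oracle's template) renders a constructed excerpt of the template from a parameter dictionary, refuses to emit a config that still contains unresolved placeholders, and checks that the peer addresses are consistent across sections. The sample addresses and `${netmask}` being left undefined are constructed for the demonstration.

```python
import re
from string import Template

# Constructed excerpt of the IKEv1 template (one headend only). `${netmask}`
# is deliberately not supplied in the sample parameters below.
TEMPLATE = """\
crypto keyring oracle-vpn-${oracleHeadend1}
  local-address ${cpePublicIpAddress}
  pre-shared-key address ${oracleHeadend1} key ${sharedSecret1}
crypto isakmp profile oracle-vpn-${oracleHeadend1}
  keyring oracle-vpn-${oracleHeadend1}
  match identity address ${oracleHeadend1} 255.255.255.255
interface Tunnel${tunnelNumber1}
  tunnel destination ${oracleHeadend1}
  tunnel protection ipsec profile oracle-vpn
interface ${outsideInterface}
  ip address ${cpePublicIpAddress} ${netmask}
"""

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

# Constructed sample values (documentation address ranges, placeholder PSK).
SAMPLE_PARAMS = {
    "oracleHeadend1": "203.0.113.10",
    "cpePublicIpAddress": "198.51.100.2",
    "sharedSecret1": "REPLACE-WITH-PSK-FROM-ORACLE-CONSOLE",
    "tunnelNumber1": "1",
    "outsideInterface": "GigabitEthernet0/0",
}


def missing_parameters(template, params):
    """Placeholder names used in the template but absent from params."""
    return sorted(set(PLACEHOLDER.findall(template)) - set(params))


def render(template, params):
    """Substitute parameters; raise rather than emit a half-filled config."""
    missing = missing_parameters(template, params)
    if missing:
        raise ValueError(f"undefined template parameters: {missing}")
    return Template(template).substitute(params)


def peers_are_consistent(config):
    """True when keyring, ISAKMP identity and tunnel destination peers agree."""
    keyring_peers = set(re.findall(r"pre-shared-key address (\S+)", config))
    identity_peers = set(re.findall(r"match identity address (\S+)", config))
    tunnel_peers = set(re.findall(r"tunnel destination (\S+)", config))
    return keyring_peers == identity_peers == tunnel_peers
```

Running `render(TEMPLATE, SAMPLE_PARAMS)` fails until `netmask` is added to the parameters, which is exactly the kind of gap to catch before pasting the config onto the CPE.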