Working with Site-to-Site VPN
This topic contains some details about working with Site-to-Site VPN and the related components. Also see these topics:
Migrating to Policy-Based VPN
Oracle Cloud Infrastructure's Site-to-Site VPN v2 service fully supports policy-based IPsec VPNs with up to 50 encryption domains per tunnel.
To prevent potential traffic disruptions, if you have been migrated from the Site-to-Site VPN v1 service to Site-to-Site VPN v2, and have configured your CPE with multiple encryption domains, modify your tunnel configurations on the OCI side of the connection to match your CPE configuration. This article explains why this modification is so important, and the required steps to configure OCI to use policy-based IPsec VPNs.
Why you should migrate to the Policy-Based VPN feature
The Site-to-Site VPN v1 service is always configured as a route-based VPN and uses an any/any encryption domain for both BGP and static routing types. For policy-based VPN interoperability, Site-to-Site VPN v1 supports a CPE configured for policy-based VPNs if the CPE acts as the initiator, and only a single encryption domain is sent to OCI. Configuring multiple encryption domains in this scenario will result in instability of the tunnel where you may observe the tunnel flapping or that the traffic traversing the tunnel has unsteady reachability.
With the Site-to-Site VPN v2 service, there is now a policy-based routing type option in addition to the previously available BGP and static routing types. Site-to-Site VPN v2's BGP and static routing types will remain route-based and support a single any/any encryption domain. These options work with a single encryption domain policy-based CPE configuration, however this is not recommended and sending more than one encryption domain will result in tunnel instability.
The policy-based routing type available for Site-to-Site VPN v2 is a fully featured policy-based VPN, allowing you to configure the OCI side to fully match your CPE's policy-based configuration and accept all the individual security associations (SAs) required for a stable IPSec VPN tunnel.
For more information on encryption domains and the different IPsec VPN tunnel types, see Supported Encryption Domain or Proxy ID.
After your tunnels have been migrated from Site-to-Site VPN v1 to v2, they will continue using the same routing type (BGP or static) as configured prior to migration. This section will detail the step-by-step process for modifying your existing route-based tunnels to use policy-based routing.
Viewing Tunnel Status and Configuration
When you successfully create the IPSec connection, Oracle produces important configuration information for each of the resulting IPSec tunnels. For an example, see task 2h in the overall setup process. You can view that information and the status of the tunnels at any time. This includes the BGP status if the tunnel is configured to use BGP dynamic routing.
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
A list of the IPSec connections in the compartment that you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
- Click the IPSec connection you're interested in.
Each tunnel's details are displayed, including the IPSec status, the BGP status (if the tunnel uses BGP dynamic routing), and the Oracle VPN IP address (the VPN headend).
- To view a tunnel's shared secret:
- Click the tunnel you're interested in.
- Next to the Shared Secret field, click Show.
- To view a tunnel's BGP advertised and received routes (including the AS PATH for each route):
- Click the tunnel you're interested in.
- Under Resources, click either BGP Routes Received or BGP Routes Advertised.
Using the CPE Configuration Helper
After you set up Site-to-Site VPN, your network engineer must configure the customer-premises equipment (CPE) at your end of the connection. The configuration includes details about your Virtual Cloud Network (VCN) and the IPSec tunnels in the Site-to-Site VPN. The CPE Configuration Helper generates the information for your network engineer. For more information, see Using the CPE Configuration Helper.
Changing the Static Routes
You can change the static routes for an existing IPSec connection. You can provide up to 10 static routes.
Remember that an IPSec connection can use either static routing or BGP dynamic routing. You associate the static routes with the overall IPSec connection and not the individual tunnels. If an IPSec connection has static routes associated with it, Oracle uses them for routing a tunnel's traffic only if the tunnel itself is configured to use static routing. If it's configured to use BGP dynamic routing, the IPSec connection's static routes are ignored.
The IPSec connection goes down while it is reprovisioned with your static route changes.
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
A list of the IPSec connections in the compartment that you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
- For the IPSec connection you're interested in, click the Actions menu, and then click Edit.
The current static routes are displayed.
- Make your changes and click Save Changes.
Changing the CPE IKE Identifier That Oracle Uses
If your CPE is behind a NAT device, you might need to give Oracle your CPE IKE identifier. You can either specify it when you create the IPSec connection, or later edit the IPSec connection and change the value. Oracle expects the value to be an IP address or fully qualified domain name (FQDN). When you specify the value, you also specify which type it is.
The IPSec connection goes down while it is reprovisioned to use your CPE IKE identifier.
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
A list of the IPSec connections in the compartment that you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
- For the IPSec connection you're interested in, click the Actions menu, and then click Edit.
The current CPE IKE identifier that Oracle is using is displayed at the bottom of the dialog.
- Enter your new values for CPE IKE Identifier Type and CPE IKE Identifier, and then click Save Changes.
Using IKEv2
Oracle supports Internet Key Exchange (IKE) version 1 and version 2 (IKEv2).
If you want to use IKEv2 and your CPE supports it, you must:
- Configure each IPSec tunnel to use IKEv2 in the Oracle Console. See the following procedures.
- Configure your CPE to use IKEv2 encryption parameters that the CPE supports. For a list of parameters that Oracle supports, see Supported IPSec Parameters.
If you create a new IPSec connection manually, you can specify IKEv2 when you create the IPSec connection in the Oracle Console. See the procedure that immediately follows.
If you instead use the VPN quickstart workflow, the IPSec connection is configured to use IKEv1 only. However, after the workflow is complete, you can edit the resulting IPSec tunnels in the Oracle Console and change them to use IKEv2.
To manually set up a new IPSec connection that uses IKEv2:
- While creating the IPSec connection in the Oracle Console, in the Advanced Options section, click the Tunnel 1 tab.
- From the IKE Version menu, select IKEv2.
- Repeat the preceding step for the Tunnel 2 tab.
- Later when configuring your CPE, configure it to use only IKEv2 and related IKEv2 encryption parameters that the CPE supports.
Oracle recommends performing the following process for one tunnel at a time to avoid disruption in your overall connection. If your connection is not redundant (for example, does not have multiple tunnels), expect downtime while you upgrade to IKEv2.
- Change the tunnel's IKE version in the Oracle Console:
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
- Click the IPSec connection you're interested in.
- Click the tunnel to view its details.
- Click Edit.
- From the IKE Version menu, select IKEv2.
- Click Save Changes.
- Update your CPE configuration for the tunnel to use IKEv2 and the related encryption parameters that the CPE supports. For a list of parameters that Oracle supports, see Supported IPSec Parameters.
- If the security associations did not rekey immediately, force a rekey for that tunnel on your CPE. In other words, clear the phase 1 and phase 2 security associations and do not wait for them to expire. Some CPE devices wait for the SAs to expire before rekeying. Forcing the rekey lets you confirm immediately that the IKE version configuration is correct.
- To verify, ensure that the security associations for the tunnel rekey correctly. If they don't, confirm that the correct IKE version is set in the Oracle Console and on your CPE, and that the CPE is using the desired parameters.
After you've confirmed the first tunnel is up and running again, repeat the preceding steps for the second tunnel.
Changing the Shared Secret That an IPSec Tunnel Uses
When you set up Site-to-Site VPN, by default Oracle provides each tunnel's shared secret (also called the pre-shared key). You might have a particular shared secret that you want to use instead. You can specify each tunnel's shared secret when you create the IPSec connection, or you can edit the tunnels and provide each new shared secret then. For the shared secret, only numbers, letters, and spaces are allowed. Oracle recommends using a different shared secret for each tunnel.
When you change a tunnel's shared secret, both the overall IPSec connection and the tunnel go into the Provisioning state while the tunnel is reprovisioned with the new shared secret. The other tunnel in the IPSec connection remains in the Available state. However, while the first tunnel is being reprovisioned, you cannot change the second tunnel's configuration.
Changing from Static Routing to BGP Dynamic Routing
If you want to change an existing Site-to-Site VPN from using static routing to using BGP dynamic routing, follow the process in this section.
When you change a tunnel's routing type, the tunnel's IPSec status does not change during reprovisioning. However, routing through the tunnel is affected. Traffic is temporarily disrupted until your network engineer configures your CPE device in accordance with the routing type change. If your existing Site-to-Site VPN is currently configured to use only a single tunnel, this process will disrupt your connection to Oracle. If your Site-to-Site VPN instead uses multiple tunnels, Oracle recommends reconfiguring one tunnel at a time to avoid disrupting your connection to Oracle.
Prerequisites:
- You've read this section: Routing for Site-to-Site VPN
- You've gathered the necessary BGP routing information:
- Your network's ASN. Oracle's BGP ASN for the commercial cloud is 31898, except the Serbia Central (Jovanovac) region which is 14544. For the Government Cloud, see Oracle's BGP ASN.
- For each tunnel: The BGP IP address for each end of the tunnel (the two addresses for a given tunnel must be a pair from a /30 or /31 subnet, and they must be part of Site-to-Site VPN's encryption domain)
Repeat the following process for each tunnel in the IPSec connection:
- Reconfigure the tunnel's routing type from static routing to BGP dynamic routing:
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
- Click the IPSec connection you're interested in.
The tunnels are listed, and the status for each tunnel is shown. The BGP Status for the tunnel you're interested in should show only a hyphen (no value), which means that the tunnel is currently configured to use static routing.
- Click the tunnel to view all of its details.
- Click Edit.
- Do the following:
- Routing Type: Select the radio button for BGP Dynamic Routing.
- BGP ASN: Enter your network's BGP ASN.
- Inside Tunnel Interface - CPE: Enter the BGP IP address with subnet mask (either /30 or /31) for the CPE end of the tunnel. For example: 10.0.0.16/31.
- Inside Tunnel Interface - Oracle: Enter the BGP IP address with subnet mask (either /30 or /31) for the Oracle end of the tunnel. For example: 10.0.0.17/31.
- Click Save Changes.
The tunnel's BGP Status changes to Down.
- Have your network engineer update your CPE device's tunnel configuration to use BGP.
- On your side of the connection, confirm that the tunnel's BGP session is in an established state. If it is not, make sure you've configured the correct IP addresses for the tunnel in the Oracle Console and also for your CPE device.
- In the Oracle Console, confirm that the tunnel's BGP Status is now Up.
- Confirm that your CPE device is learning routes from Oracle, and your CPE device is advertising routes to Oracle. If you want to re-advertise the Oracle routes from BGP back to your on-premises network, make sure your CPE device is configured accordingly. Your existing policy to advertise the static routes to your on-premises network may not work for the BGP learned routes.
- Ping the Oracle BGP IP address from your side of the connection to confirm that traffic is flowing.
After you've confirmed the first tunnel is up and running with BGP, repeat the process for the second tunnel.
As noted in Routing for Site-to-Site VPN, the static routes that are still configured for the overall IPSec connection do NOT override the BGP routing. Those static routes are ignored when Oracle routes traffic through a tunnel that is configured to use BGP.
Also, you can change a tunnel's routing type back to static routing if necessary. You might do this if the scheduled downtime window for the CPE device is ending soon and you're having trouble establishing the BGP session. When you switch back to static routing, make sure the overall IPSec connection still has your desired static routes configured.
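The prerequisites above require each tunnel's two BGP addresses to be a pair from one /30 or /31 subnet, and the shared-secret section earlier on this page allows only letters, numbers and spaces and recommends a distinct secret per tunnel. The following added pre-flight check (example code, not Oracle's own tooling or SDK) validates those rules before you edit a tunnel in the Console; the tunnel values are constructed samples.

```python
import ipaddress
import re

# Constructed sample tunnel values (not from the page). tunnel2 deliberately
# violates two rules: its /30 addresses are the network and broadcast
# addresses, and it reuses tunnel1's shared secret.
TUNNELS = {
    "tunnel1": {"cpe": "10.0.0.16/31", "oracle": "10.0.0.17/31", "secret": "correct horse battery"},
    "tunnel2": {"cpe": "10.0.0.20/30", "oracle": "10.0.0.23/30", "secret": "correct horse battery"},
}

# Shared secret: only numbers, letters, and spaces are allowed.
SHARED_SECRET_RE = re.compile(r"^[A-Za-z0-9 ]+$")


def check_bgp_pair(cpe, oracle):
    """Return the problems with an Inside Tunnel Interface pair (empty list if valid)."""
    problems = []
    try:
        cpe_if = ipaddress.ip_interface(cpe)
        oracle_if = ipaddress.ip_interface(oracle)
    except ValueError as exc:
        return [f"unparseable address: {exc}"]
    if cpe_if.network.prefixlen not in (30, 31) or oracle_if.network.prefixlen not in (30, 31):
        problems.append("prefix length must be /30 or /31")
    if cpe_if.network != oracle_if.network:
        problems.append("addresses are not in the same subnet")
    if cpe_if.ip == oracle_if.ip:
        problems.append("both ends use the same address")
    # In a /30 the first and last addresses are the network and broadcast
    # addresses; only the two middle addresses are usable host addresses.
    if cpe_if.network.prefixlen == 30:
        hosts = set(cpe_if.network.hosts())
        for label, iface in (("CPE", cpe_if), ("Oracle", oracle_if)):
            if iface.ip not in hosts:
                problems.append(f"{label} address {iface.ip} is the network or broadcast address of the /30")
    return problems


def check_shared_secret(secret):
    """Return the problems with a tunnel shared secret (empty list if valid)."""
    if not SHARED_SECRET_RE.fullmatch(secret):
        return ["shared secret may contain only letters, numbers and spaces"]
    return []


def check_tunnels(tunnels):
    """Validate every tunnel and flag shared secrets reused across tunnels."""
    report = {
        name: check_bgp_pair(cfg["cpe"], cfg["oracle"]) + check_shared_secret(cfg["secret"])
        for name, cfg in tunnels.items()
    }
    first_user = {}
    for name, cfg in tunnels.items():
        owner = first_user.setdefault(cfg["secret"], name)
        if owner != name:
            report[name].append(f"shared secret is reused from {owner}")
    return report


if __name__ == "__main__":
    for tunnel, problems in check_tunnels(TUNNELS).items():
        print(tunnel, "OK" if not problems else problems)
```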
Monitoring Your Site-to-Site VPN
You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring and Notifications.
For information about monitoring your connection, see Site-to-Site VPN Metrics.
Viewing Your Site-to-Site VPN Log Messages
You can view the log messages generated for various operational aspects of Site-to-Site VPN, such as the negotiations that occur in bringing an IPSec tunnel up. Enabling and accessing the Site-to-Site VPN log messages can be done via Site-to-Site VPN or the Logging service.
- For an overview of the Logging service in general, refer to Logging Overview.
- For details on enabling and accessing the Site-to-Site VPN log messages via the Logging service, refer to Service Logs.
- For details on the Site-to-Site VPN log message schema, refer to Details for Site-to-Site VPN.
To enable the message log:
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
A list of the IPSec connections in the compartment that you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
- For the IPSec connection you're interested in, click the name of the connection.
The details page for the connection is displayed.
- On the left side of the screen under Resources, click on Logs.
If you do not see this option, the connection has the older Site-to-Site VPN v1 type. Message logging requires Site-to-Site VPN v2.
- On the Logs details page, set the Enable Log field to Enabled. A new screen appears.
Details for the options on the screen are at Enabling Logging for a Resource. Logs are handled the same regardless of the resource type generating the log.
- Click Enable Log.
The Log detail page is displayed, and the log will be in the process of being created (a "Creating log" message is displayed).
You must already have logging enabled to view the message log. To view the message log:
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
A list of the IPSec connections in the compartment that you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
- On the left side of the screen under Resources, click on Logs.
If you do not see this option, the connection has the older Site-to-Site VPN v1 type. Message logging requires Site-to-Site VPN v2.
- Click on the Log Name of the log you are interested in. This will open a new browser tab showing the requested log.
See Getting a Log's Details for details on using the log display screen.
Disabling or Terminating Site-to-Site VPN
If you want to disable Site-to-Site VPN between your on-premises network and VCN, you can simply detach the DRG from the VCN instead of deleting the IPSec connection. If you're also using the DRG with FastConnect, detaching the DRG would also interrupt the flow of traffic over FastConnect.
You can delete the IPSec connection. However, if you later want to re-establish it, your network engineer would have to configure your CPE device again with a new set of tunnel configuration information from Oracle.
If you want to permanently delete Site-to-Site VPN, you must first terminate the IPSec connection. Then you can delete the CPE object. If you're not using the DRG for another connection to your on-premises network, you can detach it from the VCN and then delete it.
- Open the navigation menu and click Networking. Under Customer connectivity, click Site-to-Site VPN.
A list of the IPSec connections in the compartment you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
- Click the IPSec connection you're interested in.
- Click Terminate.
- Confirm the deletion when prompted.
The IPSec connection will be in the Terminating state for a short period while it's being deleted.
Prerequisite: There must not be an IPSec connection between the CPE object and a DRG.
- Open the navigation menu and click Networking. Under Customer connectivity, click Customer-premises equipment.
A list of the CPE objects in the compartment you're viewing is displayed. If you don't see the one you're looking for, verify that you're viewing the correct compartment (select from the list on the left side of the page).
- For the CPE object that you want to delete, click the Actions menu, and then click Delete.
- Confirm the deletion when prompted.
The object will be in the Terminating state for a short period while it's being deleted.
Managing Tags for an IPSec Connection or CPE Object
Apply tags to your resources to help organize them according to your business needs. Apply tags at the time you create a resource, or update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.
Moving an IPSec Connection or CPE Object to a Different Compartment
You can move your resources from one compartment to another. After you move the resource to the new compartment, inherent policies apply immediately and affect access to the resource through the Console. Moving the CPE object to a different compartment does not affect the connection between your data center and Oracle Cloud Infrastructure. For more information, see Working with Compartments.
- Open the navigation menu and click Networking. Under Customer connectivity, click Customer-premises equipment.
- Find the CPE object in the list, click the Actions menu, and then click Move Resource.
- Choose the destination compartment from the list.
- Click Move Resource.
Managing Your DRG
For tasks related to DRGs, see Dynamic Routing Gateways.
Using the API for Site-to-Site VPN
These are the Networking service API operations for managing Site-to-Site VPN components.
For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
To manage your VCN and subnets, use these operations:
- ListVcns
- CreateVcn
- GetVcn
- UpdateVcn
- DeleteVcn
- ChangeVcnCompartment
- ListSubnets
- CreateSubnet
- GetSubnet
- UpdateSubnet
- DeleteSubnet
- ChangeSubnetCompartment
To manage your DRG, use these operations:
- ListDrgs
- CreateDrg
- GetDrg
- UpdateDrg
- DeleteDrg
- ListDrgAttachments
- CreateDrgAttachment: This operation attaches a DRG to a VCN and results in a DrgAttachment object with its own OCID.
- GetDrgAttachment
- UpdateDrgAttachment
- DeleteDrgAttachment: This operation detaches a DRG from a VCN by deleting the DrgAttachment object.
To manage routing for your VCN, use these operations:
To manage security lists for your VCN, use these operations:
To manage your CPEs, use these operations:
To manage your IPSec connections, use these operations:
- ListIPSecConnections
- CreateIPSecConnection: Use this operation to set the configuration information for each tunnel, including the IP address of the DRG (the VPN headend) and the shared secret. See CPE Configuration. Creating a tunnel has added flexibility if you use CreateIPSecConnectionTunnelDetails.
- GetIPSecConnection
- UpdateIPSecConnection: Updating a tunnel has added flexibility if you use UpdateIPSecConnectionTunnelDetails.
- DeleteIPSecConnection
- ChangeIPSecConnectionCompartment
- GetIPSecConnectionDeviceStatus: Use this operation to determine the status of the IPSec tunnels (up or down).
- GetIPSecConnectionDeviceConfig: Use this operation to get the configuration information for each tunnel.