connectivity ipsec vpn - cloud.oracle.com · • to create a cpe object –name, outside public ip...

1Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Copyright © 2018, Oracle and/or its affiliates. All rights reserved.

Connectivity – IPsec VPNLevel 200

Jamal Arif

November 2018

Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3Copyright © 2018, Oracle and/or its affiliates. All rights reserved.

Objectives

After completing this lesson, you should be able to:

• Describe key IPSec VPN Connectivity Options

• Describe IPsec VPN and its concepts

• Describe IPsec VPN workflow

• Evaluate typical IPsec VPN Network scenarios

• AWS and OCI VPN Connectivity

• Pre-requisites: Connectivity – Level 100


Connectivity options

Public Internet

• Reserved IPs

• Ephemeral IPs

• Internet Data out Pricing

(first 10TB free)

IPsec VPN

• IPsec authentication and

encryption

• Two main options

• OCI managed VPN

Service (free)

• Software VPN (running

on OCI Compute)

FastConnect

• Private dedicated

Connection

• Consistent network

experience

• Port speeds of 1 Gbps, 10

Gbps

• SLA


Connectivity to on-premises network planning

Connecting your virtual cloud network (VCN) to your on-premises network requires certain

design considerations

• What kind of Bandwidth/throughput your application requires?

• Is your application Latency sensitive?

• Are you planning to provide Redundancy to your on-premises connectivity and avoid single

point of failure?

• Do you require a secure and private dedicated connection or a public connection over the

internet ?

• Do you see your services growing, and plan to dynamically scale up your application

bandwidth needs?


VPN Basics

• Tunnel – a way to deliver packets through the

internet to private RFC 1918 addresses

• Authentication – provides a mechanism to

authenticate who you are

• Encryption – packets need to be encrypted,

so they cannot be sniffed over the public

internet

• Static routing: configure a router to send

traffic for particular destinations in

preconfigured directions

• Dynamic routing: use a routing protocol such

as BGP to figure out what paths traffic should

take

VPN Connection

Private Network 1

Private Network 2

Tunnel

VPN

Router

Internet

VPN

Router

VPN – using a public network to make end to end connection between two private networks in a

secure fashion


IPsec VPN

• IPsec VPN is a managed VPN service which securely

connects on-premises network to OCI VCN through

an IPsec VPN connection

• IPsec VPN ensure secure remote connectivity

• Bandwidth is dependent on the customer’s access to the

Internet and general Internet congestion (Typically less

than 250 Mbps – but your mileage may vary)

• VPN Service is offered for free

• Customer Proof of Concepts usually start as a VPN and

then morph into FastConnect designs

• OCI provisions redundant VPN tunnels located on

physically and logically isolate tunnel endpointsCUSTOMER

DATA CENTER

ORACLE CLOUD DATA CENTER REGION

VCN, 10.0.0.0/16

AVAILABILITY DOMAIN-2

SUBNET B,

10.0.2.0/24

Custom Route

Table


OCI VPN Concepts

• Dynamic Routing Gateway - VPN headend at OCI end of the IPsec VPN

• Customer Premise Equipment (CPE)

• Actual VPN router in your on-premises network (hardware or software)

• When setting up the VPN, you create a virtual representation of your on-premises router, which is

known as CPE object

• To Create a CPE Object – Name, Outside Public IP address

• IPsec Connection

• After creating the CPE object and DRG, you connect them by creating an IPsec connection, which

results in multiple redundant IPsec tunnels

• While creating an IPsec connection, static routes are added

• The static routes can’t be modified after an IPsec connection has been created



Internet

OCI VPN - Workflow

On-Premises Network

10.0.0.0/16

CPE,

142.32.45.56

VCN, 172.16.0.0/16

Route Table

10.0.0.0/16 DRG

Static Route

0.0.0.0/0

Subnet A

172.16.0.0/24


OCI VPN – Example (POC Environment)

• Create a Virtual Cloud Network (VCN)

• Create a Dynamic Routing Gateway (DRG)

• Attach DRG to your VCN

• Update VCN Router to route traffic to DRG

• Create a CPE Object and add on-premises router

Public IP address

• From DRG, Create an IPsec Connection between

CPE and DRG and provide a Static Route

• Configure on-premises CPE Router


OCI VPN Configuration Examples

Single-Site


VCN, 172.16.0.0/16

Route Table

10.0.0.0/16 DRG

On-Premises Network

10.0.0.0/16 CPE

Static Routes

10.0.0.0/16

0.0.0.0/0

Subnet A

172.16.0.0/24


OCI VPN Configuration Examples

Multi-Site


VCN, 172.16.0.0/16

Route Table

10.0.0.0/16 DRG

10.10.0.0/16 DRG

10.20.0.0/16 DRG

10.30.0.0/16 DRG

On-Premises Network10.0.0.0/16

Chicago CPE

Static Routes

10.0.0.0/16


Los Angles


New York


Seattle

Static Routes

10.10.0.0/16

Static Routes

10.20.0.0/16

Static Routes

10.30.0.0/16

CPE

CPE

CPE


IPSec VPN – Multisite HA scenarios

• If your data centers span multiple geographical locations, we recommend using a broad CIDR (0.0.0.0/0) as

a static route in addition to the CIDR of the specific geographical location.

• This broad CIDR provides high availability and flexibility to your network design.

• Each IPSec VPN connection has two static routes: one for the CIDR of the particular geographical area,

and a broad 0.0.0.0/0 static route.



• If the CPE 1 router goes down, If Subnet 1 and Subnet 2 can communicate with each other, the

VCN is still able to access the systems in Subnet 1 because of the 0.0.0.0/0 static route that goes

to CPE 2



• If you add a new geographical area with Subnet 3 and connect it to Subnet 2. You would add a

route rule to your VCN’s route table for Subnet 3 so that the VCN can reach systems in Subnet 3

without creating a new VPN connection because of the 0.0.0.0/0 static route that goes to CPE 2


ORACLE CLOUD INFRASTRUCTURE (REGION)

Availability Domain 3



Subnet A10.0.30.0/24

Subnet B10.0.40.0/24

Subnet C10.0.50.0/24

Transit POP

Transit POP

CPE

OCI VPN Redundancy Models (Single CPE)

IPsec Connection


ORACLE CLOUD INFRASTRUCTURE (REGION)




Subnet A10.0.30.0/24

Subnet B10.0.40.0/24

Subnet C10.0.50.0/24

Transit POP

Transit POP

OCI VPN Redundancy Models (Multiple CPE)


IPsec VPN


Example Config: Cisco ASA/ASAv VTI Source: Cisco ASA/ASAv Whitepaper

https://cloud.oracle.com/iaas/whitepapers/deploy_vpn_ipsec_on_oci_asa_with_vti_11.pdf


Typical Networking Scenarios

• Following are the typical networking scenarios

• Public Subnet

• Private Subnet with VPN

• Public and Private Subnets with a VPN


Public Subnet

• Create a VCN, provide a CIDR range

• Create an Internet Gateway

• Create a Route Rule with traffic to

Internet Gateway (for all IP addresses,

0.0.0.0/0)

• Create Security List rules that allow the

traffic (and each instance's firewall must

allow the traffic)

• Create a Public Subnet within a specific

AD with the Route Table and Security

List

• Create an instance with a public IP

address within the Subnet


Private Subnet with a VPN

• Create a VCN, provide a CIDR range

• Create a Dynamic Routing Gateway (DRG); attach

it to the VCN

• Create a new Route Table so its default route is

directed toward DRG and thus to the VPN

• Create a Route Rule with traffic to DRG - add a

CIDR block of 0.0.0.0/0 (all non-intra-VCN traffic

that is not already covered by other rules in the

route table will go to the DRG)

• Create Security List rules that allow the traffic (e.g.

port 1521 for Oracle databases)

• Create a Private Subnet within a specific AD with

the Route Table and Security List

• Similar example can also use OCI Fast Connect

Service


Public & Private Subnets with VPN


VPN IPsec Connectivity

• Customers can have Software VPN between multiple cloud providers

• Multiple choices are available when it comes to Software VPN

• Customer can run OpenSwan, OpenVPN, Libreswan etc. on either cloud Linux VM and create IPsec

tunnels

• Customers can spin up Virtual firewalls on either cloud and initiate IPsec tunnel to other cloud

• Virtual firewalls are available in market place

• Application latency or Bandwidth sensitive? IPsec is not a good choice


ORACLE CLOUD INFRASTRUCTURE (Ashburn)

AWS – OCI Connectivity Using Libreswan VM on AWS*

AD 3

AD1

AD 2

Subnet A10.0.30.0/24

Subnet B10.0.40.0/24

Subnet C10.0.50.0/24

virtual private cloud (Ohio East)

Availability Zone

VPC subnet

Libreswan VM

IPsec Tunnel

Demo available on Confluence (Demo Section)


AWS – OCI Connectivity Using Libreswan VM on AWS*

• Setup VCN on OCI and associate DRG with VCN

• Setup a Libreswan VM on AWS VPC

• Edit VPC Route table and Security groups/ACL

• Setup CPE and IPsec tunnel

• Add OCI IPsec tunnel info to AWS Libreswan VM

• IPsec tunnel Provisioned


Summary

After completing this lesson, you should have learned how to:

• Describe key IPsec VPN Connectivity Options

• Describe IPsec VPN and its concepts

• Describe IPsec VPN workflow

• Evaluate typical IPsec VPN Network scenarios

• AWS and OCI VPN Connectivity


cloud.oracle.com/iaas

cloud.oracle.com/tryit

connectivity ipsec vpn - cloud.oracle.com · • to create a cpe object –name, outside public ip...

Documents