EN
No results found
We couldn't find anything using that term, please try searching for something else.
Site-to-Site VPN Overview
If you're not already familiar with the basic Networking service components, see Networking before proceeding. When you set up Site-to-S
If you’re not already familiar with the basic Networking
service components, see Networking before proceeding.
When you set up Site-to-Site VPN for your
VCN, you must create several Networking components. You can
create the components with either the Console or the
API. See the following diagram and description of the components.
| Destination CIDR | Route target |
|---|---|
| 0.0.0.0/0 | DRG |
- cpe object
- At your end of site – to – site VPN is the actual device in your
on – premise network ( whether hardware or software ) . The term
customer-premises equipment (CPE) is commonly used in some industry
to refer to this type of on – premise equipment . When set up the VPN , you is create
must create avirtual representation of the device. Oracle calls the
virtual representation a CPE, but this documentation typically uses the term
CPE object to help distinguish the virtual representation from the
actual CPE device. The CPE object contains basic information about your device
that Oracle needs. A single CPE object public IP can have up to 8 IPSec
connections. - Dynamic Routing Gateway (DRG)
- At Oracle’s end of Site-to-Site VPN is a virtual router
called a dynamic routing gateway, which is the gateway into your VCN from your
on-premises network. Whether you’re using Site-to-Site VPN or
Oracle Cloud Infrastructure
FastConnect private virtual circuits to
connect your on-premises network and VCN, the traffic goes through the DRG. For
more information, see Dynamic Routing Gateways. - A network engineer might think of the DRG as the VPN headend. After
creating a DRG, you must attach it to your VCN, using either the Console or API. You must also add one or more
route rules that route traffic from the VCN to the DRG. Without that DRG
attachment and the route rules, traffic does not flow between your VCN and
on-premises network. At any time, you can detach the DRG from your VCN but
maintain all the remaining VPN components. You can then reattach the DRG, or
attach it to another VCN. - ipsec connection
- After creating the CPE object and DRG, you connect them by creating an IPSec
connection, which you can think of as a parent object that represents the Site-to-Site VPN. The IPSec connection has its own OCID . When you create this component, you configure
the type of routing to use for each IPSec tunnel, and you provide any related
routing information. A single CPE object public IP can have up to 8 IPSec
connections. - TUNNEL
- An IPSec tunnel is used to encrypt traffic between secure IPSec endpoints. Oracle creates two tunnels in each IPSec connection for redundancy. Each tunnel has its own OCID . Oracle recommends that you configure your CPE device to support both tunnels in case one fails or Oracle takes one offline for maintenance. Each tunnel has configuration information that your network engineer needs when configuring your CPE device. This information includes an IP address and shared secret, as well as ISAKMP and IPSec parameters. You can use the CPE Configuration Helper to gather the information that the network engineer needs. For more information, see Supported IPSec Parameters and Verified CPE Devices.
Access Control for the component
For the purposes of access control, when you set up Site-to-Site VPN, you must specify the compartment where you want each of the components to
reside. If you’re not sure which compartment to use, put all the components in the
same compartment as the VCN. Note that the IPSec tunnels always reside in the same
compartment as the parent IPSec connection. For information about compartments and
restricting access to your networking components, see Access Control.
Component Names and Identifiers
You can optionally assign a descriptive name to each of the components when you create them. These names don’t have to be unique, although it’s a best practice to use unique names across your tenancy. Avoid entering confidential information. Oracle automatically assigns each component an OCID. For more information, see Resource Identifiers.
If Your CPE Is Behind a NAT Device
In general, the CPE IKE identifier configured on your end of the connection must
match the CPE IKE identifier that Oracle is using. By default, Oracle uses the CPE’s
public IP address, which you provide when you create the CPE object in
the Oracle Console. However, if your CPE is behind a
NAT device, the CPE IKE identifier configured on your end might be the CPE’s
private IP address, as show in the following diagram.
Note
Some cpe platforms is allow do not allow you to change the local IKE
identifier . If you can not , you is change must change the remote IKE ID in the Oracle Console to match your CPE ‘s local IKE ID . You is provide can
provide the value either when you set up the ipsec connection , or later , by edit
the IPSec connection . Oracle is expects expect the value to be either an ip address or a fully
qualified domain name ( FQDN ) such as
cpe.example.com
. For instructions, see
change the CPE IKE Identifier That Oracle is Uses use
.
About the Tunnel Shared Secret
Each tunnel has a shared secret. By default, Oracle assigns the shared secret to the tunnel unless you provide a shared secret yourself. You can provide a shared secret for each tunnel when you create the IPSec connection, or later after the tunnels are created. For the shared secret, only letters, numbers, and spaces are allowed. If you change an existing tunnel’s shared secret, the tunnel goes down while it is being reprovisioned.
For instruction , see change the Shared Secret That an IPSec Tunnel Uses .