Copyright © 2018, Oracle and/or its affiliates. All rights reserved.
Connectivity – IPsec VPN (Level 200)
Jamal Arif
November 2018
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Objectives
After completing this lesson, you should be able to:
• Describe key IPsec VPN connectivity options
• Describe IPsec VPN and its concepts
• Describe the IPsec VPN workflow
• Evaluate typical IPsec VPN network scenarios
• Describe AWS and OCI VPN connectivity
• Prerequisite: Connectivity – Level 100
Connectivity options
Public Internet
• Reserved IPs
• Ephemeral IPs
• Internet data-out pricing (first 10 TB free)
IPsec VPN
• IPsec authentication and encryption
• Two main options:
  • OCI managed VPN service (free)
  • Software VPN (running on OCI Compute)
FastConnect
• Private dedicated connection
• Consistent network experience
• Port speeds of 1 Gbps, 10 Gbps
• SLA
Connectivity to on-premises network planning
Connecting your virtual cloud network (VCN) to your on-premises network requires certain design considerations:
• What bandwidth/throughput does your application require?
• Is your application latency sensitive?
• Are you planning to provide redundancy for your on-premises connectivity and avoid a single point of failure?
• Do you require a secure, private dedicated connection, or is a public connection over the internet acceptable?
• Do you expect your services to grow, and do you plan to dynamically scale up your application's bandwidth needs?
VPN Basics
• Tunnel – a way to deliver packets through the internet to private RFC 1918 addresses
• Authentication – provides a mechanism to prove who you are
• Encryption – packets need to be encrypted so they cannot be sniffed over the public internet
• Static routing: configure a router to send traffic for particular destinations in preconfigured directions
• Dynamic routing: use a routing protocol such as BGP to figure out what paths traffic should take
[Figure: VPN connection – Private Network 1 (VPN router) and Private Network 2 (VPN router) joined by a tunnel across the Internet]
VPN – using a public network to make an end-to-end connection between two private networks in a secure fashion
IPsec VPN
• IPsec VPN is a managed VPN service which securely connects an on-premises network to an OCI VCN through an IPsec VPN connection
• IPsec VPN ensures secure remote connectivity
• Bandwidth is dependent on the customer's access to the Internet and general Internet congestion (typically less than 250 Mbps, but your mileage may vary)
• The VPN service is offered for free
• Customer proofs of concept usually start as a VPN and then morph into FastConnect designs
• OCI provisions redundant VPN tunnels located on physically and logically isolated tunnel endpoints
[Figure: customer data center connected to an Oracle Cloud data center region; VCN 10.0.0.0/16, Availability Domain-2, Subnet B 10.0.2.0/24 with a custom route table]
OCI VPN Concepts
• Dynamic Routing Gateway (DRG) – VPN headend at the OCI end of the IPsec VPN
• Customer-Premises Equipment (CPE)
  • The actual VPN router in your on-premises network (hardware or software)
  • When setting up the VPN, you create a virtual representation of your on-premises router, known as the CPE object
  • To create a CPE object you need a name and the router's outside (public) IP address
• IPsec Connection
  • After creating the CPE object and DRG, you connect them by creating an IPsec connection, which results in multiple redundant IPsec tunnels
  • While creating an IPsec connection, static routes are added
  • The static routes can't be modified after an IPsec connection has been created
OCI VPN – Workflow
[Figure: on-premises network 10.0.0.0/16 behind CPE 142.32.45.56, connected over the Internet to an Oracle Cloud data center region; VCN 172.16.0.0/16 with Subnet A 172.16.0.0/24; the VCN route table sends 10.0.0.0/16 to the DRG; the IPsec connection carries static route 0.0.0.0/0]
OCI VPN – Example (POC Environment)
• Create a Virtual Cloud Network (VCN)
• Create a Dynamic Routing Gateway (DRG)
• Attach the DRG to your VCN
• Update the VCN route table to route traffic to the DRG
• Create a CPE object and add the on-premises router's public IP address
• From the DRG, create an IPsec connection between the CPE and DRG and provide a static route
• Configure the on-premises CPE router
OCI VPN Configuration Examples
Single-Site
[Figure: on-premises network 10.0.0.0/16 behind one CPE, connected to an Oracle Cloud data center region; VCN 172.16.0.0/16 with Subnet A 172.16.0.0/24; the VCN route table sends 10.0.0.0/16 to the DRG; the IPsec connection's static routes are 10.0.0.0/16 and 0.0.0.0/0]
OCI VPN Configuration Examples
Multi-Site
[Figure: four on-premises networks, each behind its own CPE, connected to one VCN 172.16.0.0/16 in an Oracle Cloud data center region: Chicago 10.0.0.0/16 (static route 10.0.0.0/16), Los Angeles 10.10.0.0/16 (static route 10.10.0.0/16), New York 10.20.0.0/16 (static route 10.20.0.0/16) and Seattle 10.30.0.0/16 (static route 10.30.0.0/16); the VCN route table sends 10.0.0.0/16, 10.10.0.0/16, 10.20.0.0/16 and 10.30.0.0/16 to the DRG]
IPsec VPN – Multisite HA scenarios
• If your data centers span multiple geographical locations, we recommend using a broad CIDR (0.0.0.0/0) as a static route in addition to the CIDR of the specific geographical location.
• This broad CIDR provides high availability and flexibility to your network design.
• Each IPsec VPN connection then has two static routes: one for the CIDR of the particular geographical area, and a broad 0.0.0.0/0 static route.
IPsec VPN – Multisite HA scenarios
• If the CPE 1 router goes down, and Subnet 1 and Subnet 2 can communicate with each other, the VCN is still able to access the systems in Subnet 1 because of the 0.0.0.0/0 static route that goes to CPE 2
IPsec VPN – Multisite HA scenarios
• If you add a new geographical area with Subnet 3 and connect it to Subnet 2, you add a route rule to your VCN's route table for Subnet 3 so that the VCN can reach systems in Subnet 3, without creating a new VPN connection, because of the 0.0.0.0/0 static route that goes to CPE 2
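A Python model of the routing the HA slides describe (and of the route-table and static-route steps in the POC workflow), added here as an example that is not from the deck: the VCN route table first decides whether a destination is handed to the DRG at all, then the DRG uses the most specific static route among the tunnels that are up. The site CIDRs, the CPE names and the rule that tied static routes may use either tunnel are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class IpsecConnection:
    cpe: str             # CPE object this IPsec connection terminates on
    static_routes: list  # CIDRs declared on the connection (fixed at creation time)
    up: bool = True      # False models "the CPE router goes down"

@dataclass
class Vcn:
    cidr: str
    route_rules: dict = field(default_factory=dict)  # destination CIDR -> "DRG"
    connections: list = field(default_factory=list)

def longest_match(dest_ip, cidrs):
    ip, best = ipaddress.ip_address(dest_ip), None
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best

def resolve_path(vcn, dest_ip):
    """Sorted CPEs able to carry VCN -> dest_ip traffic; [] = no route, ["local"] = intra-VCN."""
    if ipaddress.ip_address(dest_ip) in ipaddress.ip_network(vcn.cidr):
        return ["local"]
    # Step 1: the VCN route table must hand the destination to the DRG at all.
    rule = longest_match(dest_ip, vcn.route_rules)
    if rule is None or vcn.route_rules[str(rule)] != "DRG":
        return []
    # Step 2: among tunnels that are up, keep the most specific static route;
    # ties (e.g. two CPEs both declaring 0.0.0.0/0) return every tied CPE.
    best_len, cpes = -1, []
    for conn in vcn.connections:
        match = longest_match(dest_ip, conn.static_routes) if conn.up else None
        if match is None:
            continue
        if match.prefixlen > best_len:
            best_len, cpes = match.prefixlen, [conn.cpe]
        elif match.prefixlen == best_len:
            cpes.append(conn.cpe)
    return sorted(cpes)

def build_multisite_vcn():
    """Two-site layout from the HA slides; the site CIDRs are constructed, not from the deck."""
    vcn = Vcn(cidr="172.16.0.0/16", route_rules={"10.0.0.0/16": "DRG", "10.10.0.0/16": "DRG"})
    vcn.connections = [IpsecConnection("CPE-1", ["10.0.0.0/16", "0.0.0.0/0"]),   # Subnet 1 site
                       IpsecConnection("CPE-2", ["10.10.0.0/16", "0.0.0.0/0"])]  # Subnet 2 site
    return vcn
```

Setting `connections[0].up = False` reproduces the CPE 1 outage: traffic for Subnet 1 falls through to CPE-2's 0.0.0.0/0, which only helps if CPE 2's site can reach Subnet 1 on premises, exactly the condition the slide states.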
OCI VPN Redundancy Models (Single CPE)
[Figure: a single CPE with one IPsec connection reaching an Oracle Cloud Infrastructure region through two transit POPs; the region has Availability Domains 1, 2 and 3 with Subnet A 10.0.30.0/24, Subnet B 10.0.40.0/24 and Subnet C 10.0.50.0/24]
OCI VPN Redundancy Models (Multiple CPE)
[Figure: multiple CPEs, each with its own IPsec connection, reaching an Oracle Cloud Infrastructure region through two transit POPs; the region has Availability Domains 1, 2 and 3 with Subnet A 10.0.30.0/24, Subnet B 10.0.40.0/24 and Subnet C 10.0.50.0/24]
IPsec VPN
Example Config: Cisco ASA/ASAv VTI (Source: Cisco ASA/ASAv Whitepaper)
Typical Networking Scenarios
• The following are the typical networking scenarios:
  • Public Subnet
  • Private Subnet with VPN
  • Public and Private Subnets with a VPN
Public Subnet
• Create a VCN and provide a CIDR range
• Create an Internet Gateway
• Create a route rule sending traffic to the Internet Gateway (for all IP addresses, 0.0.0.0/0)
• Create Security List rules that allow the traffic (and each instance's firewall must allow the traffic)
• Create a public subnet within a specific AD with the route table and Security List
• Create an instance with a public IP address within the subnet
Private Subnet with a VPN
• Create a VCN and provide a CIDR range
• Create a Dynamic Routing Gateway (DRG) and attach it to the VCN
• Create a new route table whose default route is directed toward the DRG and thus to the VPN
• Create a route rule sending traffic to the DRG: add a CIDR block of 0.0.0.0/0 (all non-intra-VCN traffic that is not already covered by other rules in the route table will go to the DRG)
• Create Security List rules that allow the traffic (e.g. port 1521 for Oracle databases)
• Create a private subnet within a specific AD with the route table and Security List
• A similar setup can also use the OCI FastConnect service
Public & Private Subnets with VPN
VPN IPsec Connectivity
• Customers can run a software VPN between multiple cloud providers
• Multiple choices are available when it comes to software VPN
• Customers can run Openswan, OpenVPN, Libreswan, etc. on a Linux VM in either cloud and create IPsec tunnels
• Customers can spin up virtual firewalls in either cloud and initiate an IPsec tunnel to the other cloud
• Virtual firewalls are available in the marketplace
• If the application is latency or bandwidth sensitive, IPsec is not a good choice
AWS – OCI Connectivity Using Libreswan VM on AWS*
[Figure: Oracle Cloud Infrastructure (Ashburn) with AD 1, AD 2 and AD 3 and Subnet A 10.0.30.0/24, Subnet B 10.0.40.0/24, Subnet C 10.0.50.0/24, joined by an IPsec tunnel to a Libreswan VM in a VPC subnet in one Availability Zone of an AWS virtual private cloud (Ohio East)]
Demo available on Confluence (Demo Section)
AWS – OCI Connectivity Using Libreswan VM on AWS*
• Set up a VCN on OCI and associate a DRG with the VCN
• Set up a Libreswan VM in an AWS VPC
• Edit the VPC route table and security groups/ACLs
• Set up the CPE and IPsec tunnel
• Add the OCI IPsec tunnel info to the AWS Libreswan VM
• IPsec tunnel provisioned
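The step of adding the OCI tunnel info to the Libreswan VM, worked as code; this is an added example and not taken from the deck or the Confluence demo. It turns the parameters OCI shows for an IPsec connection (tunnel headend IP, shared secret, VCN CIDR) into a Libreswan ipsec.conf conn stanza and ipsec.secrets line, and refuses the two mistakes that leave a tunnel up but useless: overlapping VPC/VCN address space and a weak shared secret. The AWS addresses, the OCI tunnel IP used in the test, the IKEv1 choice and the cipher proposals are assumptions, not OCI's published values.

```python
import ipaddress
# Constructed sample values for the AWS side (the deck shows none).
VM_PRIVATE_IP = "10.20.1.10"     # Libreswan VM's VPC address; EC2 sits behind 1:1 NAT
VM_PUBLIC_IP = "203.0.113.10"    # its Elastic IP; this is the CPE IP registered in OCI
VPC_CIDR = "10.20.0.0/16"
# IKE/ESP proposals are assumptions for this example, not OCI's published list.
IKE_PROPOSAL = "aes256-sha2_384;modp1536"
ESP_PROPOSAL = "aes256-sha2_256"

def check_cidrs(vpc_cidr, vcn_cidr):
    """The two clouds must use disjoint address space, or traffic never enters the tunnel."""
    vpc, vcn = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(vcn_cidr)
    if vpc.overlaps(vcn):
        raise ValueError(f"VPC {vpc} overlaps VCN {vcn}")
    return vpc, vcn

def check_psk(psk):
    """Reject weak or unquotable shared secrets before they reach ipsec.secrets."""
    if len(psk) < 20 or any(c.isspace() or c == '"' for c in psk):
        raise ValueError("PSK must be >= 20 chars with no whitespace or double quotes")
    return psk

def libreswan_conn(name, oci_tunnel_ip, vcn_cidr, vpc_cidr=VPC_CIDR,
                   left=VM_PRIVATE_IP, leftid=VM_PUBLIC_IP):
    """Render one ipsec.conf conn stanza for an OCI tunnel (option names per ipsec.conf(5))."""
    vpc, vcn = check_cidrs(vpc_cidr, vcn_cidr)
    lines = [
        f"conn {name}",
        "    type=tunnel",
        "    authby=secret",
        "    ikev2=no",                # assumption: IKEv1, as the 2018-era headends used
        f"    left={left}",            # VM's private address (behind NAT)
        f"    leftid={leftid}",        # identity presented to OCI: the CPE public IP
        f"    leftsubnet={vpc}",
        f"    right={oci_tunnel_ip}",  # tunnel headend IP from the OCI IPsec connection
        f"    rightsubnet={vcn}",
        f"    ike={IKE_PROPOSAL}",
        f"    phase2alg={ESP_PROPOSAL}",
        "    pfs=yes",
        "    encapsulation=yes",       # NAT-T: the VM's packets leave via the Elastic IP
        "    dpddelay=10",
        "    dpdtimeout=30",
        "    dpdaction=restart",
        "    auto=start",
    ]
    return "\n".join(lines) + "\n"

def libreswan_secret(oci_tunnel_ip, psk, leftid=VM_PUBLIC_IP):
    # ipsec.secrets format: <our id> <peer ip> : PSK "<secret>"
    return f'{leftid} {oci_tunnel_ip} : PSK "{check_psk(psk)}"\n'
```

Write the stanza to /etc/ipsec.d/ and the secret line to /etc/ipsec.secrets (mode 0600) on the VM, then repeat the pair for the second redundant tunnel OCI provisions.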
Summary
After completing this lesson, you should have learned how to:
• Describe key IPsec VPN connectivity options
• Describe IPsec VPN and its concepts
• Describe the IPsec VPN workflow
• Evaluate typical IPsec VPN network scenarios
• Describe AWS and OCI VPN connectivity
cloud.oracle.com/iaas
cloud.oracle.com/tryit