Connect On-premises to OCI using an IPSec VPN with Hub and Spoke VCN Routing Architecture
Oracle Cloud Infrastructure (OCI) makes it easy to configure VPN connectivity between your on-premises environment and your OCI environment; however, such connections can add routing complexity when OCI uses a hub and spoke topology. In this tutorial, we will set up an Internet Protocol Security (IPSec) VPN connection to OCI and configure routing so that traffic from the on-premises environment is evaluated by firewall policies before it reaches resources in OCI.
The following images illustrate the traffic flows.
- On-premises to Spoke A Connectivity
- Spoke B to On-premises Connectivity
Objectives
- Connect an on-premises location to the OCI environment using an IPSec VPN tunnel. Given that our OCI environment utilizes a hub and spoke routing architecture, we will also configure the necessary routing to ensure that traffic flows correctly and verify the connectivity through basic ping tests.
Prerequisites
Complete the following tutorials:
- [Deploy a Windows Instance in Oracle Cloud Infrastructure.]
- [Install a pfSense Firewall in Oracle Cloud Infrastructure.]
- [Route Hub and Spoke VCN Routing with a pfSense Firewall in the Hub VCN.]
Task 1 - Prepare the On-premises Environment
- OCI Topology
In this tutorial, the OCI topology is the hub and spoke VCN routing topology.
For more information, see [Route Hub and Spoke VCN with pfSense Firewall in the Hub VCN.]
The following image illustrates the visual representation of the starting point.
- On-premises Topology
To simulate an on-premises environment, I built a sample setup: two VPS instances with pfSense installed on each.
One pfSense instance serves as the IPSec customer-premises equipment (CPE) termination point, while the other pfSense instance functions as the internal client.
Setting up this environment is not in the scope of this tutorial.
- OCI and On-premises Final Topology
When we connect the on-premises environment with the OCI environment, the topology will look like this:
Task 2 - Create a CPE in OCI
Before creating an IPSec VPN connection, we need to first create a CPE object in OCI.
- Go to the OCI Console.
1. Click the hamburger menu (≡) from the upper left corner.
2. Click Networking.
3. Click Site-to-Site VPN.
1. Click Customer-premises equipment.
2. Click Create CPE.
- In Create CPE, enter the following information.
1. Enter the Name for the CPE.
2. Enter the IP address. This is the public IP address of the on-premises device that will terminate the VPN.
3. Click Create CPE.
1. Notice that the new CPE object in OCI is created.
2. Click Customer Connectivity to return to the customer connectivity page.
Task 3 - Create a Site-to-Site VPN in OCI
To configure the OCI Site-to-Site VPN, we need to perform the configuration on two ends, the OCI side and the on-premises side.
- Let us configure the OCI side.
1. Click Site-to-Site VPN.
2. Click Create IPSec connection.
1. Enter the Name for the IPSec connection.
2. Select the CPE created in Task 2.
3. Select the DRG that will be used to terminate this IPSec connection.
4. Select Routes to your on-premises network (LAN) on your on-premises location that you want to route traffic to from your OCI networks.
5. Scroll down.
1. In IKE version, select `IKEv1`.
2. In Routing Type, select Static routing.
3. Scroll down.
1. Click Show advanced options.
2. Scroll down.
- In OCI, we need to create and configure two tunnels by default. Let us configure the first Tunnel.
1. Click the right-angle bracket (>) for Phase one (ISAKMP) configuration.
2. Scroll down.
- In the Phase one (ISAKMP) configuration section, enter the following information.
1. Select Set custom configurations.
2. In Custom encryption algorithm, select `AES_256_CBC`.
3. In Custom authentication algorithm, select `SHA_256`.
4. In Custom Diffie-Hellman Group, select `GROUP 2`.
5. Leave IKE session key lifetime in seconds at its default of `288500` seconds.
6. Click the right-angle bracket (>) for Phase two (IPSec) configuration.
7. Scroll down.
- In the Phase two (IPSec) configuration section, enter the following information.
1. Select Set custom configurations.
2. In Custom encryption algorithm, select `AES_256_CBC`.
3. In Custom authentication algorithm, select `HMAC_SHA2_256_128`.
4. Leave IPSec session key lifetime in seconds at its default of `3600` seconds.
5. Select Enable perfect forward secrecy.
6. In Perfect forward secrecy Diffie-Hellman Group, select `GROUP 5`.
- Configure the second tunnel.
1. Use the same configuration details used by the first tunnel.
2. Scroll down.
- Click Create IPSec connection.
- Note that the Lifecycle state of both IPSec tunnels is PROVISIONING.
1. Note that the state is changed to AVAILABLE.
2. Note the Oracle VPN IP address, which we need to save. These IP addresses are required to configure the on-premises tunnel.
We will only make use of one of the two IPSec tunnels and therefore only focus on the first tunnel configuration, so collect and save only the Oracle VPN IP address of the first IPSec tunnel.
- Click CPE & Tunnels information.
- Click Show.
1. Note that the Shared Secret key is autogenerated. Save this secret key; it is required to configure the other side of the tunnel (on-premises).
2. Click Close.
Task 4 - Configure Hub and Spoke VCN Routing for the On-premises Subnet
To route network traffic coming from the on-premises network within our Hub and Spoke network architecture, we need to make some changes to Dynamic Routing Gateways (DRG) and VCN route tables.
The following image illustrates the routing tables as they are at our starting point.
Task 4-1 - Update the Route Import
- Update the route distribution (`DRG_RDG_IMPORT`) in the DRG. Add a statement for the IPSec tunnel attachment type (priority 4).

| Priority | Match Type | Match Criteria | Action |
|---|---|---|---|
| 1 | Attachment | SPOKE_VCN-A_ATTACHMENT | ACCEPT |
| 2 | Attachment | SPOKE_VCN-B_ATTACHMENT | ACCEPT |
| 3 | Attachment | SPOKE_VCN-C_ATTACHMENT | ACCEPT |
| 4 | Attachment Type | IPSec Tunnel | ACCEPT |
- Go to the OCI Console.
1. Click the hamburger menu (≡) from the upper left corner.
2. Click Networking.
3. Click Dynamic Routing Gateway.
1. Click Dynamic Routing Gateway.
2. Click the DRG that we are using for our VCN routing environment.
1. Click Import route distribution.
2. Click the import route distribution (`DRG_RDG_IMPORT`).
- Make sure to add the new route distribution statement.
1. Notice the route distribution statement is added successfully.
2. Click Dynamic routing gateways details to return to the DRG details page.
- The following image illustrates the visual representation of what we have created so far.
- The route is now imported into the DRG route table `DRG_RT_HUB_VCN_3`.
This DRG route table (`DRG_RT_HUB_VCN_3`) and its route table attachment make sure that all networks from the spokes and from on-premises (IPSec) are learned on the DRG, so that the DRG knows which networks are available on the spokes and where to route traffic for them.
1. Click DRG route tables to verify.
2. Click `DRG_RT_HUB_VCN_3` route table.
- Click Get all route rules.
1. Notice that the route from on-premises (`10.222.10.0/24`) is visible in the table. This means the DRG knows that the on-premises network (`10.222.10.0/24`) is reachable through the IPSec tunnel.
2. Click Close.
- Click DRG to return to the DRG details page.
Task 4-2 - Create a new Hub VCN Route Table and Associate with the IPSec DRG Attachment
- Create a new route table (`DRG_RT_IPSEC_VC_1`) in the DRG.

| Destination CIDR | Next Hop Attachment Type | Next Hop Attachment Name |
|---|---|---|
| 172.16.0.0/24 | Virtual Cloud Network | HUB_VCN_ATTACHMENT |
| 172.16.1.0/24 | Virtual Cloud Network | HUB_VCN_ATTACHMENT |
| 172.16.2.0/24 | Virtual Cloud Network | HUB_VCN_ATTACHMENT |
| 172.16.3.0/24 | Virtual Cloud Network | HUB_VCN_ATTACHMENT |
- Go to the OCI Console.
1. Click DRG route tables.
2. Click Create DRG route table.
1. Enter the Name for the DRG route table.
2. In Static route rule, enter the following information to add a new static rule.
- Destination CIDR Block: Enter `172.16.0.0/24`.
- Next hop attachment type: Select Virtual Cloud Network.
- Next hop attachment: Select hub VCN.
3. Click + Another Rule.
1. Add a new static rule.
- Destination CIDR Block: Enter `172.16.1.0/24`.
- Next hop attachment type: Select Virtual Cloud Network.
- Next hop attachment: Select hub VCN.
2. Click + Another Rule.
1. Add a new static rule.
- Destination CIDR Block: Enter `172.16.2.0/24`.
- Next hop attachment type: Select Virtual Cloud Network.
- Next hop attachment: Select hub VCN.
2. Click + Another Rule.
1. Add a new static rule.
- Destination CIDR Block: Enter `172.16.3.0/24`.
- Next hop attachment type: Select Virtual Cloud Network.
- Next hop attachment: Select hub VCN.
2. Click Create DRG route table.
- After a few minutes, the route table will be created.
1. Notice that the new DRG route table (`DRG_RT_IPSEC_VC_1`) is created.
- The following image illustrates the visual representation of what we have created so far.
- We need to associate the route table with the DRG IPSec tunnel attachment.
This DRG route table (`DRG_RT_IPSEC_VC_1`) and its route table attachment make sure that the spoke networks are reachable from on-premises. This is also a way to control routing: only the spokes you list here are reachable from on-premises.
1. Click IPSec tunnel attachments.
2. Click the first attachment.
1. Notice that the IPSec attachment is using the autogenerated default DRG route table.
2. Click Edit.
1. Select the DRG route table created above (`DRG_RT_IPSEC_VC_1`).
2. Click Save changes.
1. Notice that a new DRG route table is active on the IPSec attachment of the first IPSec tunnel.
2. Click DRG to return to the DRG details page.
- The following image illustrates the visual representation of what we have created so far.
We will not update the DRG route table on the second IPSec tunnel attachment as we do not use the second tunnel in this tutorial.
Task 4-3 - Update the Hub VCN Private Subnet Route Table
The last route table to update is the VCN route table that is associated with the private subnet in the hub VCN.
- Update the route table (`VCN_RT_HUB_PRIVATE_SUBNET`) in the hub VCN.
Add the on-premises network to the `VCN_RT_HUB_PRIVATE_SUBNET` table.

| Destination | Target Type | Target | Route Type |
|---|---|---|---|
| 0.0.0.0/0 | NAT Gateway | hub-nat-gw | Static |
| 172.16.1.0/24 | Dynamic Route Gateway | DRG | Static |
| 172.16.2.0/24 | Dynamic Route Gateway | DRG | Static |
| 172.16.3.0/24 | Dynamic Route Gateway | DRG | Static |
| 10.222.10.0/24 | Dynamic Route Gateway | DRG | Static |
This VCN route table (`VCN_RT_HUB_PRIVATE_SUBNET`) routes traffic leaving the firewall that is destined for the spokes or the on-premises IPSec network to the DRG. Traffic destined for the internet (anything not matched by the spoke or on-premises routes) is routed by the same table to the NAT gateway.
- Go to the OCI Console.
1. Click the hamburger menu (≡) from the upper left corner.
2. Click Networking.
3. Click Virtual cloud networks.
- Click the hub VCN.
1. Click Route Tables.
2. Click the `VCN_RT_HUB_PRIVATE_SUBNET` route table.
- I have already added the new route rule, so make sure you add it as well. When the route rule has been added successfully, the table should look like this.
- The following image illustrates the visual representation of what we have created so far.
Task 5 - Create a Site-to-Site VPN on On-premises using pfSense
We have configured the OCI side of the IPSec tunnel. Let's configure the on-premises side, where a pfSense firewall is the IPSec termination endpoint.
Task 5-1 - Create the IPSec Tunnel (Phase 1 ISAKMP)
- Go to the pfSense portal.
1. Click the VPN drop-down menu.
2. Click IPSec.
1. Click Tunnels.
2. Click + Add P1.
1. Enter a Description.
2. In Key exchange version, select IKEv1.
3. In Internet Protocol, select IPv4.
4. In Interface, select WAN.
5. In Remote Gateway, enter the Oracle VPN public IP address of the first tunnel, which can be retrieved from the OCI Console: go to Networking, Customer Connectivity, Site-to-Site VPN and click the VPN.
6. Scroll down.
- In Phase 1 Proposal section, enter the following information.
1. In Authentication Method, select Mutual PSK.
2. In Negotiation mode, select Main.
3. In My Identifier, select IP address and enter the local public IP address of the on-premises side, as retrieved in Task 3.
4. In Peer Identifier, select IP address and enter the remote public IP address of the OCI side.
5. Enter the (Pre) Shared secret key retrieved in Task 3.
6. Configure the Encryption Algorithm:
- Algorithm: Select AES.
- Key Length: Select 256 bits.
- Hash: Select SHA256.
- DH Group: Select 2 (1024 bit).
7. Scroll down.
1. In Life Time, enter `28800` seconds.
2. In Child SA Close Action, select Restart/Reconnect.
3. Scroll Down.
- Click Save.
1. Notice that the phase 1 IPSec configuration has been configured.
2. Click Apply Changes to commit the changes.
1. Notice that the changes have been applied successfully.
2. Click Show Phase 2 Entries.
Task 5-2 - Create the IPSec Tunnel (Phase 2 IPSec)
- Click + Add P2.
1. Enter a Description.
2. In Mode, select Routed (VTI).
3. Select the local (on-premises) network.
4. Select the remote (OCI) network.
5. Scroll down.
1. In Protocol, select ESP.
2. In Encryption Algorithm, select AES 256 bits.
3. In Hash Algorithm, select SHA256.
4. In PFS key group, select 5 (1536 bit).
5. In Life Time, enter 3600 seconds.
6. Scroll down.
- Click Save.
1. Notice that the phase 2 IPSec configuration has been configured.
2. Click the statistics icon to view the tunnel status.
- Notice that the status is Established.
- Let's verify the tunnel state on OCI side. Go to the OCI Console, navigate to Networking, Customer Connectivity, Site-to-Site VPN and click the VPN. Notice that the IPSec status of the first tunnel is Up.
Task 5-3 - Enable the Tunnel Interface
- We need to enable the tunnel interface on the on-premises side. Go to the pfSense Portal.
1. Click the Interfaces drop-down menu.
2. Click Assignments.
3. Note that a new VTI interface is available.
4. Click + Add to add the interface.
1. Note that the interface has been added.
2. Click added tunnel interface (`OPT1`).
1. Select Enable interface to enable the interface.
2. Click Save.
Task 5-4 - Open the Firewall Rules for IPSec
- To allow traffic to flow through the IPSec tunnel, we need to add a firewall rule on the IPSec interface.
1. Click the Firewall drop-down menu.
2. Click Rules.
1. Click IPSec.
2. Note that there are no firewall rules related to IPSec.
3. Click Add.
- Enter the following information.
1. Action: Select Pass.
2. Interface: Select IPSec.
3. Address Family: Select IPv4.
4. Protocol: Select Any.
5. Source: Select Any.
6. Destination: Select Any.
7. Scroll down.
- Click Save.
1. Note that the new rule is in place.
2. Click Apply Changes to commit the changes.
- Note that the changes have been applied successfully.
Task 5-5 - Configure IPSec Routing
In this task, we will configure routing so that the pfSense firewall knows how to reach the OCI network through the IPSec tunnel and the `OPT1` interface.
- Go to the pfSense Portal.
1. Click the System drop-down menu.
2. Click Routing.
3. In Default gateway IPv4, select the `WAN_DHCP` or your default gateway that you want to use as the first priority.
4. Click + Add to add a new gateway.
1. In Interface, select `OPT1` (the tunnel interface).
2. In Address Family, select `IPv4`.
3. Enter a Name.
4. In Gateway, do not specify any IP address, leave blank.
5. Scroll down.
- Click Save.
1. Note that a new gateway has been added for our IPSec tunnel.
2. Click Static Routes.
- Click + Add to add a new static route.
1. Enter Destination network of the OCI networks.
2. Select Destination subnet of the OCI networks.
3. Select the Gateway created above.
4. Click Save.
- Note that a new static route is added that will route traffic destined for the OCI networks using the tunnel interface.
Task 6 - Configure On-premises Routing
Routing now works on the pfSense instance that is the IPSec VPN endpoint. Next, the rest of the on-premises network must know how to reach the OCI networks, so all traffic destined for OCI has to be routed to the pfSense VPN endpoint.
Configure routing on the test On-premises Compute Client
We are using a pfSense instance to simulate the on-premises network.
This is a different instance from the one we just used to configure the IPSec tunnel!
- Go to the pfSense Portal.
1. Click the System drop-down menu.
2. Click Routing.
1. Select `WAN_DHCP` or your default gateway that will be used as the first priority.
2. Click + Add to add a new gateway.
1. In Interface, select `LAN`.
2. In Address Family, select `IPv4`.
3. Enter a Name.
4. Enter the LAN IP address of the other pfSense instance, the one that terminates the IPSec tunnel.
5. Scroll down.
- Click Save.
1. Note that a new gateway is added for our other pfSense instance.
2. Click Static Routes.
- Click + Add to add a new static route.
1. Select Destination network of the OCI networks.
2. Select Destination subnet of the OCI networks.
3. Select the Gateway created above.
4. Click Save.
- Note that a new static route is added that will route traffic destined for the OCI networks using the other pfSense instance.
Task 7 - Verify the Connectivity
We have configured the VPN, added the correct firewall rules, and configured routing. Now we test the connectivity.
Task 7-1 - Ping from On-premises to Spoke VCN A
- Due to the routing configuration:
  - The traffic will be sent to the (on-premises) pfSense VPN instance.
  - The traffic is sent through the IPSec VPN tunnel to the DRG.
  - The DRG will then route the traffic to the OCI pfSense firewall.
  - The OCI pfSense firewall will allow or deny the traffic based on the configured firewall rules.
  - When the ICMP traffic is accepted, the firewall routes it to the spoke instance.
- Perform a ping test from the VPN pfSense on-premises instance.
1. Click the Diagnostics drop-down menu.
2. Click Ping.
3. Enter the Hostname which is an IP address of the Spoke VCN A instance.
4. In IP Protocol, select `IPv4`.
5. In Source address, select the `LAN` interface.
6. In Maximum number of pings, select `3`.
7. Click Ping.
8. Notice that we have 0% Packet loss.
- We can also do a test from the other pfSense instance (the Client). Perform a ping test from the Client pfSense on-premises instance.
1. Click the Diagnostics drop-down menu.
2. Click Ping.
3. Enter the Hostname which is an IP address of the Spoke VCN A instance.
4. In IP Protocol, select `IPv4`.
5. In Source address, select the `LAN` interface.
6. In Maximum number of pings, select `3`.
7. Click Ping.
8. Note that we have 0% Packet loss.
Task 7-2 - Ping from Spoke VCN B to On-premises
- Due to the routing configuration:
  - The traffic will be sent to the DRG.
  - The DRG will then route the traffic to the OCI pfSense firewall.
  - The OCI pfSense firewall will allow or deny the traffic based on the configured firewall rules.
  - When the ICMP traffic is accepted, the firewall routes it back to the DRG.
  - The traffic is sent through the IPSec VPN tunnel to the on-premises pfSense instance.
1. Connect to the spoke B VCN instance.
2. Do a ping to the LAN IP address of the on-premises pfSense VPN instance (`10.222.10.1`).
3. Notice that we have 0% packet loss so the ping is successful.
4. Do a ping to the LAN IP address of the on-premises pfSense client instance (`10.222.10.100`).
5. Notice that we have 0% packet loss so the ping is successful.
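As an added example (not part of this tutorial), the following Python models the three route tables from Task 4 with longest-prefix matching and walks the two flows described in Tasks 7-1 and 7-2, confirming that both cross the hub firewall; it also shows what happens when the Task 4-3 rule for `10.222.10.0/24` is missing. Assumed here: spokes A, B and C use `172.16.1.0/24`, `172.16.2.0/24` and `172.16.3.0/24`, the hub VCN is `172.16.0.0/24`, and the DRG route table on the spoke attachments (set up in the prerequisite tutorial) sends everything to the hub VCN attachment.

```python
import ipaddress

# Route tables from Task 4 of the tutorial (destination CIDR -> next hop).
DRG_RT_IPSEC_VC_1 = {
    "172.16.0.0/24": "HUB_VCN_ATTACHMENT", "172.16.1.0/24": "HUB_VCN_ATTACHMENT",
    "172.16.2.0/24": "HUB_VCN_ATTACHMENT", "172.16.3.0/24": "HUB_VCN_ATTACHMENT",
}
VCN_RT_HUB_PRIVATE_SUBNET = {
    "0.0.0.0/0": "hub-nat-gw", "172.16.1.0/24": "DRG", "172.16.2.0/24": "DRG",
    "172.16.3.0/24": "DRG", "10.222.10.0/24": "DRG",
}
# Routes learned into DRG_RT_HUB_VCN_3 via DRG_RDG_IMPORT (spoke CIDRs assumed).
DRG_RT_HUB_VCN_3 = {
    "172.16.1.0/24": "SPOKE_VCN-A_ATTACHMENT", "172.16.2.0/24": "SPOKE_VCN-B_ATTACHMENT",
    "172.16.3.0/24": "SPOKE_VCN-C_ATTACHMENT", "10.222.10.0/24": "IPSEC_TUNNEL_ATTACHMENT",
}
# Assumed (from the prerequisite tutorial): spoke attachments send everything to the hub.
DRG_RT_SPOKES = {"0.0.0.0/0": "HUB_VCN_ATTACHMENT"}

# Which table is consulted when a packet is at each hop. A packet that enters the
# hub VCN is handed to the pfSense firewall, whose egress uses the private subnet table.
TABLE_FOR_HOP = {
    "IPSEC_TUNNEL_ATTACHMENT": DRG_RT_IPSEC_VC_1,
    "HUB_VCN_ATTACHMENT": VCN_RT_HUB_PRIVATE_SUBNET,
    "DRG": DRG_RT_HUB_VCN_3,  # traffic entering the DRG from the hub VCN attachment
    "SPOKE_VCN-A_ATTACHMENT": DRG_RT_SPOKES, "SPOKE_VCN-B_ATTACHMENT": DRG_RT_SPOKES,
    "SPOKE_VCN-C_ATTACHMENT": DRG_RT_SPOKES,
}
# Which attachment finally delivers a destination (assumed CIDR ownership).
OWNER_OF_CIDR = dict(DRG_RT_HUB_VCN_3, **{"172.16.0.0/24": "HUB_VCN_ATTACHMENT"})

def lookup(table, dst_ip):
    """Longest-prefix match of dst_ip against a {cidr: next_hop} table."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, next_hop in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]

def trace(start_hop, dst_ip, tables=TABLE_FOR_HOP, max_hops=8):
    """Walk the tables from start_hop until the attachment owning dst_ip is
    reached. Returns (path, delivered); delivered is False when the packet is
    dropped, leaves via a hop with no table (e.g. the NAT gateway) or loops."""
    owner = lookup(OWNER_OF_CIDR, dst_ip)
    path, hop = [start_hop], start_hop
    for _ in range(max_hops):
        if hop == owner:
            return path, True
        table = tables.get(hop)
        hop = None if table is None else lookup(table, dst_ip)
        if hop is None:
            return path, False
        path.append(hop)
    return path, False

def crosses_firewall(path):
    """True when the path passes through the hub VCN, i.e. the pfSense firewall."""
    return "HUB_VCN_ATTACHMENT" in path

def without_onprem_route():
    """Failure mode: Task 4-3's 10.222.10.0/24 rule is missing, so the reply from
    spoke B falls through to 0.0.0.0/0 (NAT gateway) instead of the DRG."""
    broken = {k: v for k, v in VCN_RT_HUB_PRIVATE_SUBNET.items() if k != "10.222.10.0/24"}
    return trace("SPOKE_VCN-B_ATTACHMENT", "10.222.10.100", dict(TABLE_FOR_HOP, HUB_VCN_ATTACHMENT=broken))

if __name__ == "__main__":
    for start, dst in (("IPSEC_TUNNEL_ATTACHMENT", "172.16.1.10"), ("SPOKE_VCN-B_ATTACHMENT", "10.222.10.100")):
        path, ok = trace(start, dst)
        print(dst, "->", " > ".join(path), "| delivered:", ok, "| via firewall:", crosses_firewall(path))
    print("without Task 4-3 rule:", without_onprem_route())
```

The first two traces reproduce the Task 7-1 and 7-2 flows, and the last call shows why the `10.222.10.0/24` rule in the hub private subnet route table is required for replies to reach on-premises.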
Task 7-3 - Check IPSec VPN Network Statistics on OCI
- Go to the OCI Console.
1. Click the hamburger menu (≡) from the upper left corner.
2. Click Networking.
3. Click Site-to-Site VPN.
- Click the VPN.
- Click the first tunnel.
1. Note that the tunnel state graph shows a constant `1` (the state is a binary metric), indicating that the tunnel has stayed up.
2. Scroll down.
1. Note the peak in the Packets Received and Packets Sent graphs; this is due to the ping we did in Task 7-1.
2. Note the second peak in the Packets Received and Packets Sent graphs; this is due to the ping we did in Task 7-2.
Task 7-4 - Check IPSec VPN Network Statistics on the pfSense VPN Instance (On-premises)
- Go to the pfSense Portal.
1. Click the Status drop-down menu.
2. Click IPSec.
- Click Show Child SA Entries (1 connection).
- Notice the packet and byte counters for inbound and outbound traffic on the child SA.
Network Visualizer
Now that we have added the VPN, we can use the Network Visualizer in the OCI Console to get a network overview.
- Go to the OCI Console.
1. Click the hamburger menu (≡) from the upper left corner.
2. Click Network.
3. Click Network Visualizer.
- You can see four VCNs (one hub and three spokes) and the on-premises location connected through the VPN.
Conclusion
In this tutorial, we have connected our on-premises location to our OCI cloud environment with an IPSec VPN tunnel. Because our OCI environment uses a hub and spoke routing architecture, we also had to configure routing so that traffic flows keep following the required path through the firewall. We ended the tutorial by proving connectivity with some basic ping tests.