This post walks step by step through the configuration of a VPN Connect (IPSec) tunnel in Oracle Cloud Infrastructure and shows how IPSec can be used to connect an on-premises network to resources provisioned in Oracle Cloud Infrastructure. IPSec supports two modes, transport mode and tunnel mode; this post uses tunnel mode, which is the mode Oracle supports for VPN Connect. All traffic between the two sites is encrypted and integrity-protected in transit, so an observer on the path between them can neither read it nor modify it unnoticed.
My on-premises addresses are as follows:
Source CIDR: 10.0.0.0/29
Public router address (the 1:1 NAT device in front of the CPE): 140.238.226.118
Server (CPE) IP address: 10.0.0.146
OCI VCN CIDR range: 192.168.0.0/26
VCN Setup
Create the DRG
Go to Networking > Customer Connectivity > Dynamic Routing Gateways
Attach the DRG to the VCN
Create a route table for the private subnet with a rule whose destination is the on-premises CIDR (10.0.0.0/29) and whose target is the DRG
Create a security list and add the ingress/egress rules the on-premises hosts need (for the ping and SSH test at the end: ICMP and TCP 22 from 10.0.0.0/29)
Create the regional private subnet, using that route table and security list
Create the CPE object with the public address of the on-premises router (140.238.226.118)
Create the IPSec connection from the DRG to the CPE, with 10.0.0.0/29 as the static route; the console then shows the two tunnels, each with its Oracle VPN headend address and shared secret
At this moment, the IPSec status of both tunnels will be Down.
I also have one compute instance running in the private subnet; a database or any other service could be placed there in the same way.
Configuration on the on-premises host
Install Libreswan on the on-premises host (an Oracle Linux 8 instance that acts as the CPE)
[root@webserver opc]# yum install libreswan
[root@webserver opc]# ipsec version
Linux Libreswan 4.5 (XFRM) on 5.4.17-2136.307.3.1.el8uek.x86_64
[root@webserver opc]#
Turning the Linux instance into an IP router
Now we configure Libreswan and enable IP forwarding so that the Linux instance routes traffic between the on-premises subnet and the tunnel interfaces. The settings below live in /etc/sysctl.conf; apply them with sysctl -p.
[root@webserver opc]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
# Enable Panic on VMs on NMI trigger
kernel.unknown_nmi_panic = 1
# Forward packets between the on-premises LAN and the VTI tunnel interfaces
net.ipv4.ip_forward=1
# A router must neither send nor honour ICMP redirects (they let a peer rewrite
# its next hops); ipsec verify also checks the send/accept_redirects values
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Drop source-routed packets
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
[root@webserver opc]# vi /etc/ipsec.d/oci-ipsec.conf
conn oracle-tunnel-1
    left=10.0.0.146                 # Private address of the CPE (behind the 1:1 NAT router)
    leftid=140.238.226.118          # Public address of the NAT router; see the note about 1-1 NAT devices in the Oracle Libreswan guide
    right=193.122.171.48            # Oracle VPN headend address for tunnel 1
    authby=secret
    leftsubnet=10.0.0.0/29          # On-premises encryption domain (traffic selector)
    rightsubnet=192.168.0.0/28      # OCI encryption domain; must cover the OCI hosts you want to reach
    auto=start
    mark=5/0xffffffff               # Needs to be unique across all tunnels
    vti-interface=vti1              # VTI interface name, also unique per tunnel
    vti-routing=yes
    ikev2=no                        # To use IKEv2, change to ikev2=insist
    ike=aes_cbc256-sha2_384;modp1536
    phase2alg=aes_gcm256;modp1536
    encapsulation=yes               # Force UDP encapsulation (NAT-T) because the CPE sits behind NAT
    ikelifetime=28800s
    salifetime=3600s

conn oracle-tunnel-2
    left=10.0.0.146
    leftid=140.238.226.118          # Same 1-1 NAT note as above
    right=129.213.168.243           # Oracle VPN headend address for tunnel 2
    authby=secret
    leftsubnet=10.0.0.0/29
    rightsubnet=192.168.0.0/28
    auto=start
    mark=6/0xffffffff               # Needs to be unique across all tunnels
    vti-interface=vti2
    vti-routing=yes
    ikev2=no                        # To use IKEv2, change to ikev2=insist
    ike=aes_cbc256-sha2_384;modp1536
    phase2alg=aes_gcm256;modp1536
    encapsulation=yes
    ikelifetime=28800s
    salifetime=3600s
Two things are worth checking before copying this file. ikev2=no keeps both tunnels on IKEv1; OCI supports IKEv2 as well, and IKEv2 is the better choice for a new tunnel (change the line to ikev2=insist, as the comment says). The Diffie-Hellman group modp1536 (group 5) is the weakest option in the list; OCI supports group 14 (modp2048) and above for both phases, so use at least modp2048. Also remember that leftsubnet and rightsubnet are the traffic selectors: only packets whose source lies in leftsubnet and whose destination lies in rightsubnet are sent through the tunnel. leftsubnet must therefore cover every on-premises source address you expect to use (as written, the CPE's own address 10.0.0.146 is outside 10.0.0.0/29, so traffic started on the CPE itself is not selected), and rightsubnet must cover the OCI hosts you want to reach (192.168.0.0/28 is only the first quarter of the 192.168.0.0/26 VCN).
Create the IPSec secrets file
[root@webserver opc]# cat /etc/ipsec.d/oci-ipsec.secrets
140.238.226.118 193.122.171.48: PSK "fpLnW7HwiuEf5Fzu1PzHMVEVeFIszSUoaB4x2zgWtZyaNnk4kUrKZ3z5NIVFcWET"
140.238.226.118 129.213.168.243: PSK "0XczQpGij8GPr3GwPnXt9FSvefgD1UC4wgpxUCDufeSX7QBh6Ern0nWBRwuTUa59"
[root@webserver opc]#
Note: the shared secret of each tunnel is shown under "View details" of the respective tunnel in the OCI Console. Each line pairs our leftid (the public NAT address) with one Oracle headend and that tunnel's secret. Keep the file readable by root only (mode 0600); a shared secret that has been published, like the two above, must be treated as compromised and regenerated before use.
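As an added example that is not code from the post, from Libreswan or from Oracle, the Python script below renders both conn stanzas and the secrets file from the tunnel values above and checks the parameters that most often break a two-tunnel setup: duplicate mark or VTI names, a rightsubnet that does not sit inside the VCN or does not cover the instance you want to reach, and a leftsubnet that does not cover the CPE itself. It assumes the private-subnet instance is at 192.168.0.10 and renders the config with IKEv2 and modp2048 by default; on the CPE you would write the rendered text into /etc/ipsec.d/.

```python
"""Render and sanity-check the Libreswan config and secrets for the two OCI tunnels.
Added example; not code from the post, Libreswan or Oracle. Addresses, CIDRs and PSKs
are the post's values; OCI_TARGET_HOST and the IKEv2/modp2048 defaults are assumptions."""
import ipaddress
import os
import tempfile
from dataclasses import dataclass

CPE_LOCAL_IP = "10.0.0.146"          # left: private address of the CPE
CPE_PUBLIC_IP = "140.238.226.118"    # leftid: public address of the 1:1 NAT router
ON_PREM_CIDR = "10.0.0.0/29"         # leftsubnet
OCI_RIGHT_SUBNET = "192.168.0.0/28"  # rightsubnet
OCI_VCN_CIDR = "192.168.0.0/26"      # the VCN's CIDR
OCI_TARGET_HOST = "192.168.0.10"     # assumed address of the private-subnet instance


@dataclass(frozen=True)
class Tunnel:
    name: str      # conn name
    headend: str   # Oracle VPN headend address (right)
    mark: int      # must be unique per tunnel
    vti: str       # VTI interface name, must be unique per tunnel
    psk: str       # shared secret from the tunnel's "View details" page


TUNNELS = (
    Tunnel("oracle-tunnel-1", "193.122.171.48", 5, "vti1",
           "fpLnW7HwiuEf5Fzu1PzHMVEVeFIszSUoaB4x2zgWtZyaNnk4kUrKZ3z5NIVFcWET"),
    Tunnel("oracle-tunnel-2", "129.213.168.243", 6, "vti2",
           "0XczQpGij8GPr3GwPnXt9FSvefgD1UC4wgpxUCDufeSX7QBh6Ern0nWBRwuTUa59"),
)


def validate(tunnels, left_subnet, right_subnet, vcn_cidr, target_host):
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []
    marks = [t.mark for t in tunnels]
    vtis = [t.vti for t in tunnels]
    if len(set(marks)) != len(marks):
        problems.append("mark values must be unique across tunnels")
    if len(set(vtis)) != len(vtis):
        problems.append("vti-interface names must be unique across tunnels")
    ls = ipaddress.ip_network(left_subnet)
    rs = ipaddress.ip_network(right_subnet)
    # leftsubnet/rightsubnet are the traffic selectors: anything outside them is
    # not sent through the tunnel, including traffic from the CPE itself.
    if ipaddress.ip_address(CPE_LOCAL_IP) not in ls:
        problems.append(f"left {CPE_LOCAL_IP} is outside leftsubnet {left_subnet}: "
                        "traffic originated by the CPE itself is not covered")
    if not rs.subnet_of(ipaddress.ip_network(vcn_cidr)):
        problems.append("rightsubnet is not inside the VCN CIDR")
    if ipaddress.ip_address(target_host) not in rs:
        problems.append(f"{target_host} is outside rightsubnet; traffic to it is not encrypted")
    return problems


def render_conf(tunnels, left_subnet, right_subnet, ikev2="insist", dh="modp2048"):
    """Build the contents of /etc/ipsec.d/oci-ipsec.conf for every tunnel.
    Defaults to IKEv2 and DH group 14 instead of the post's ikev2=no / modp1536."""
    out = []
    for t in tunnels:
        out += [
            f"conn {t.name}",
            f"    left={CPE_LOCAL_IP}",
            f"    leftid={CPE_PUBLIC_IP}",
            f"    right={t.headend}",
            "    authby=secret",
            f"    leftsubnet={left_subnet}",
            f"    rightsubnet={right_subnet}",
            "    auto=start",
            f"    mark={t.mark}/0xffffffff",
            f"    vti-interface={t.vti}",
            "    vti-routing=yes",
            f"    ikev2={ikev2}",
            f"    ike=aes_cbc256-sha2_384;{dh}",
            f"    phase2alg=aes_gcm256;{dh}",
            "    encapsulation=yes",
            "    ikelifetime=28800s",
            "    salifetime=3600s",
            "",
        ]
    return "\n".join(out)


def render_secrets(tunnels):
    """One line per tunnel: <leftid> <headend>: PSK "<secret>"."""
    return "".join(f'{CPE_PUBLIC_IP} {t.headend}: PSK "{t.psk}"\n' for t in tunnels)


def write_secrets(path, tunnels):
    """Create the secrets file readable by root only and return its permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_secrets(tunnels))
    os.chmod(path, 0o600)  # in case the umask widened the mode at creation
    return os.stat(path).st_mode & 0o777


def secrets_mode_demo():
    """Write the secrets into a temporary directory and report the resulting mode."""
    with tempfile.TemporaryDirectory() as d:
        return write_secrets(os.path.join(d, "oci-ipsec.secrets"), TUNNELS)
```

Called with the post's own values, validate() returns exactly one warning: the CPE address 10.0.0.146 is outside leftsubnet 10.0.0.0/29, so only traffic from hosts in 10.0.0.0/29 is selected for the tunnel, not pings started on the CPE itself. Widening leftsubnet to a range that contains the CPE (for instance 10.0.0.128/25) clears it.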
Restart the IPSec service
[root@webserver opc]# service ipsec restart
On Oracle Linux 8 this is equivalent to systemctl restart ipsec; also run systemctl enable ipsec so the tunnels come back after a reboot.
Verify the IPSec service
[root@webserver opc]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                          [OK]
Libreswan 4.5 (XFRM) on 5.4.17-2136.307.3.1.el8uek.x86_64
Checking for IPsec support in kernel                     [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                     [OK]
         ICMP default/accept_redirects                   [OK]
         XFRM larval drop                                [OK]
Pluto ipsec.conf syntax                                  [OK]
Checking rp_filter                                       [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                   [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                           [OK]
 Pluto listening for IKE on udp 500                      [OK]
 Pluto listening for IKE/NAT-T on udp 4500               [OK]
 Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                    [OK]
Checking 'iptables' command                              [OK]
Checking 'prelink' command does not interfere with FIPS  [OK]
Checking for obsolete ipsec.conf options                 [OK]

ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help
The errors counted here are the rp_filter findings. Reverse-path filtering is not IPsec-aware, as the tool says, so disable it on the router: set net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 0 in /etc/sysctl.conf, apply with sysctl -p and rerun ipsec verify until it reports no errors.
Update the firewall rules
[root@webserver opc]# firewall-cmd --add-port=500/udp
success
[root@webserver opc]# firewall-cmd --add-port=4500/udp
success
[root@webserver opc]# firewall-cmd --runtime-to-permanent
success
[root@webserver opc]#
UDP 500 carries IKE and UDP 4500 carries IKE and the UDP-encapsulated ESP traffic; because encapsulation=yes is set in the tunnel configuration, no separate rule for IP protocol 50 (ESP) is needed. The 1:1 NAT router in front of the CPE must pass both UDP ports through to 10.0.0.146 as well.
Verify the tunnel status from the OCI Console; both tunnels should now show an IPSec status of Up.
Now you will be in a position to ping and SSH to the compute instance running in the OCI private subnet, provided its address lies inside the rightsubnet configured on the CPE (192.168.0.0/28) and the security list allows ICMP and TCP 22 from 10.0.0.0/29.
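When the console shows Up but ping still fails, the useful questions on the CPE are whether each conn actually has an IPsec SA, whether bytes are flowing through it, and whether the OCI prefix is routed into a VTI at all. The added script below (not code from the post or from Libreswan) answers them from the output of ipsec trafficstatus and ip route. The two sample outputs embedded in it are constructed in the shape of Libreswan 4.x and iproute2 output so the script runs offline; on the CPE, main() runs the real commands.

```python
"""Post-bring-up health check for the two OCI tunnels on the Libreswan CPE.
Added example, not code from the post or from Libreswan. The SAMPLE_* strings are
constructed to look like 'ipsec trafficstatus' and 'ip route' output."""
import re
import subprocess

EXPECTED_CONNS = ("oracle-tunnel-1", "oracle-tunnel-2")
OCI_PREFIX = "192.168.0.0/28"   # rightsubnet from the tunnel configuration

# Constructed sample: tunnel 1 has an SA and traffic, tunnel 2 has an SA
# that has not carried any bytes yet.
SAMPLE_TRAFFICSTATUS = """\
006 #3: "oracle-tunnel-1", type=ESP, add_time=1662034000, inBytes=48120, outBytes=39660, id='193.122.171.48'
006 #5: "oracle-tunnel-2", type=ESP, add_time=1662034002, inBytes=0, outBytes=0, id='129.213.168.243'
"""
# Constructed sample: vti-routing=yes has put the OCI prefix onto vti1.
SAMPLE_IP_ROUTE = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
10.0.0.0/29 dev eth0 proto kernel scope link src 10.0.0.146 metric 100
192.168.0.0/28 dev vti1 scope link
"""

SA_LINE = re.compile(
    r'^\d+ #(?P<sa>\d+): "(?P<conn>[^"]+)", type=ESP,.*?inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+)'
)


def tunnel_health(trafficstatus, expected=EXPECTED_CONNS):
    """Map each expected conn to 'up', 'up-idle' (SA present, no traffic) or 'down'."""
    seen = {}
    for line in trafficstatus.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        inb, outb = int(m["inb"]), int(m["outb"])
        # A conn can own several SAs during a rekey; any SA with traffic counts as up.
        state = "up" if (inb > 0 or outb > 0) else "up-idle"
        if seen.get(m["conn"]) != "up":
            seen[m["conn"]] = state
    return {c: seen.get(c, "down") for c in expected}


def vti_for_prefix(ip_route, prefix=OCI_PREFIX):
    """Return the device that carries the OCI prefix, or None if it is not routed."""
    for line in ip_route.splitlines():
        fields = line.split()
        if fields and fields[0] == prefix and "dev" in fields:
            return fields[fields.index("dev") + 1]
    return None


def report(trafficstatus, ip_route):
    """Return (ok, lines): ok is True only if no tunnel is down and the prefix goes to a VTI."""
    health = tunnel_health(trafficstatus)
    dev = vti_for_prefix(ip_route)
    lines = [f"{c}: {s}" for c, s in health.items()]
    lines.append(f"{OCI_PREFIX} routed via {dev or 'nothing (no route!)'}")
    ok = all(s != "down" for s in health.values()) and dev is not None and dev.startswith("vti")
    return ok, lines


def main():
    """On the CPE: run the real commands (needs root) and exit non-zero on a problem."""
    ts = subprocess.run(["ipsec", "trafficstatus"], capture_output=True, text=True).stdout
    rt = subprocess.run(["ip", "route"], capture_output=True, text=True).stdout
    ok, lines = report(ts, rt)
    print("\n".join(lines))
    raise SystemExit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

A tunnel reported as up-idle is established but has not seen traffic; on the second tunnel that is normal, since both carry the same prefix and only one receives the route. A tunnel reported as down with the console showing Up usually means the IKE SA exists but the child (ESP) SA failed, which points at mismatched leftsubnet/rightsubnet or phase2alg settings.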
References:
Libreswan configuration for OCI VPN Connect: https://docs.cloud.oracle.com/iaas/Content/Network/Reference/libreswanCPE.htm?Highlight=shared%20secret
Oracle Cloud Infrastructure VPN Connect: https://docs.cloud.oracle.com/iaas/Content/Network/Tasks/managingIPsec.html