Secure your Cloud Tenancy by Deploying IPSec and Dynamic VPN Tunnels

Recent industry studies show that many customers open up firewalls to reach their cloud platform without following proper security policies and procedures. This exposes the business to serious risk: some companies take years to recover from the resulting attacks, and some never recover. Applying intrusion detection and prevention rules without basic network security in place only increases your security maintenance costs.

Since 2004, Vast Edge has been assisting companies in effectively securing their businesses by following security policies and procedures using proven industry-standard tools and methods.

Vast Edge recommends using a combination of IPSec (Internet Protocol Security) and dynamic VPN to secure data transfer by encrypting all IP traffic before the packets leave the source for the destination. In this discussion, we cover how to securely connect your on-premises network to your Oracle Cloud network (VCN) using IPSec.

Advantages of IPSec VPN Site-to-Site Tunnels

  • Uses ordinary telecommunication links to transmit data, eliminating the need for dedicated, expensive leased lines between sites.

  • Hides the internal IP addresses of the participating networks and nodes from observers on the public network.

  • Encrypts the entire communication between the source and destination sites.

Things to Remember

  • Oracle Cloud Infrastructure supports only the tunnel mode for IPSec VPNs.
  • To configure IPSec, you must have the appropriate permissions.
  • Border Gateway Protocol (BGP) is not supported for Oracle IPSec VPN.
  • After setting up the IPSec VPN, you cannot edit or expand the list of static routes associated with the tunnels. To change the static routes, you must delete the IPSec connection, re-create it, and then reconfigure your router.
  • Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as a backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly. Otherwise, ping tests or application traffic across the connection will not reliably work.

IPSec VPN Components

You will need to create the following networking components to configure IPSec. You can create them with either the Console or the API.

CPE Object

The CPE (Customer Premises Equipment) Object is a virtual representation of your actual router in your on-premises network (whether hardware or software). The CPE object contains basic information about your router, such as its IP address.

Dynamic Routing Gateway (DRG)

A Dynamic Routing Gateway is a virtual router at Oracle's end. It acts as the gateway into your VCN from your on-premises network. After creating a DRG, you must attach it to your VCN and add one or more route rules that direct traffic from the VCN to the DRG. You can detach the DRG from your VCN but maintain all the remaining VPN components. You can then reattach the DRG or attach it to another VCN.

IPSec Connection

After creating the CPE object and DRG, connect them by creating an IPSec connection, which results in multiple redundant IPSec tunnels. It's best practice to configure your on-premises router to support all the tunnels in case one fails.

Access Control for the Components

You can configure access control by specifying the compartment where you want each of the components to reside. Alternatively, you can put all the components in the same compartment as the VCN.

Component Names and Identifiers

Optionally, assign a descriptive name to each component when you create them.

Static Routes

When creating the IPSec connection for your VPN, specify one or more static routes for the network that needs to communicate with the VCN.

How to Set Up an IPSec VPN

You can create the components using either the Console or the API.

  • Create your VCN.
  • Create a DRG.
  • Attach the DRG to your VCN.
  • Create a route table and route rule for the DRG.
  • Create a security list and required rules.
  • Create a subnet in the VCN.
  • Create a CPE object and provide your router's public IP address.
  • From your DRG, create an IPSec connection to the CPE object and provide your static routes.
  • Configure your CPE, including general information about the VCN and specific information for each IPSec tunnel.
  • Validate the connection.
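The set-up steps above, scripted with the OCI CLI as an added example that is not Vast Edge's or Oracle's own code. It assumes an installed and authenticated `oci` CLI; the compartment OCID, CIDR blocks and CPE address are constructed placeholders to replace, and the `valid_cidr` check exists because, as noted above, the static routes cannot be changed once the IPSec connection is created.

```shell
#!/bin/sh
# Added example: the set-up steps of this page driven by the OCI CLI (assumed installed and authenticated).
set -eu
COMPARTMENT="ocid1.compartment.oc1..PLACEHOLDER"   # replace with your compartment OCID
VCN_CIDR="10.0.0.0/16"        # constructed sample VCN CIDR
SUBNET_CIDR="10.0.1.0/24"     # constructed sample subnet CIDR
ONPREM_CIDR="192.168.0.0/16"  # constructed on-premises prefix; becomes the static route
CPE_IP="203.0.113.10"         # public IP of your on-premises router (documentation range, replace)

# Static routes cannot be edited once the IPSec connection exists, so reject a
# malformed CIDR before any resource is created. Returns 0 if valid, 1 otherwise.
valid_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  _ip=${1%/*} _len=${1#*/}
  case $_len in ''|*[!0-9]*) return 1 ;; esac
  [ "$_len" -le 32 ] || return 1
  _oldifs=$IFS; IFS=.; set -- $_ip; IFS=$_oldifs   # split the address into octets
  [ $# -eq 4 ] || return 1
  for _o in "$@"; do
    case $_o in ''|*[!0-9]*) return 1 ;; esac
    [ "$_o" -le 255 ] || return 1
  done
}
idq() { "$@" --query 'data.id' --raw-output; }         # print the new resource's OCID
ready() { idq "$@" --wait-for-state AVAILABLE; }       # ...once it has become usable

provision() {
  valid_cidr "$ONPREM_CIDR" || { echo "bad static route: $ONPREM_CIDR" >&2; return 1; }
  vcn=$(ready oci network vcn create --compartment-id "$COMPARTMENT" --cidr-block "$VCN_CIDR")
  drg=$(ready oci network drg create --compartment-id "$COMPARTMENT")
  idq oci network drg-attachment create --drg-id "$drg" --vcn-id "$vcn" --wait-for-state ATTACHED >/dev/null
  # Route rule: traffic for the on-premises prefix leaves the VCN via the DRG.
  rt=$(ready oci network route-table create --compartment-id "$COMPARTMENT" --vcn-id "$vcn" \
    --route-rules "[{\"destination\":\"$ONPREM_CIDR\",\"destinationType\":\"CIDR_BLOCK\",\"networkEntityId\":\"$drg\"}]")
  # Security list: admit only the on-premises prefix; narrow protocol/ports to what you need.
  sl=$(ready oci network security-list create --compartment-id "$COMPARTMENT" --vcn-id "$vcn" \
    --ingress-security-rules "[{\"source\":\"$ONPREM_CIDR\",\"protocol\":\"all\",\"isStateless\":false}]" \
    --egress-security-rules "[{\"destination\":\"$ONPREM_CIDR\",\"protocol\":\"all\",\"isStateless\":false}]")
  ready oci network subnet create --compartment-id "$COMPARTMENT" --vcn-id "$vcn" --cidr-block "$SUBNET_CIDR" \
    --route-table-id "$rt" --security-list-ids "[\"$sl\"]" >/dev/null
  cpe=$(idq oci network cpe create --compartment-id "$COMPARTMENT" --ip-address "$CPE_IP")
  ipsc=$(ready oci network ip-sec-connection create --compartment-id "$COMPARTMENT" \
    --cpe-id "$cpe" --drg-id "$drg" --static-routes "[\"$ONPREM_CIDR\"]")
  # Per-tunnel parameters to configure the CPE, then tunnel status to validate. Oracle may return
  # traffic over any tunnel that is up, so the CPE and firewall must accept all of them.
  oci network ip-sec-connection get-config --ipsc-id "$ipsc"
  oci network ip-sec-connection get-status --ipsc-id "$ipsc"
}
if [ "${RUN_PROVISION:-0}" = 1 ]; then provision; fi   # sourcing or testing the file creates nothing
```

Run with `RUN_PROVISION=1 sh setup-ipsec.sh` after replacing the placeholders; without that variable the script only defines the functions.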
Copyrights © 27 July 2024 All Rights Reserved by Vast Edge Inc.