According to recent industry studies, a number of customers open up their firewalls to reach their cloud platform without following proper security policies and procedures. This exposes businesses to high risk; we have seen companies that were unable to recover, or that took several years to recover, from the resulting security attacks. Applying intrusion detection and prevention rules without the basics of security in place also increases your security maintenance costs.
Since 2004, Vast Edge has been helping companies secure their businesses effectively, following security policies and procedures and using proven, industry-standard tools and methods.
Vast Edge recommends using a combination of IPSec (Internet Protocol Security) and Dynamic VPN to ensure secure data transfer: the entire IP traffic is encrypted before the packets leave the source for the destination. In this discussion, we cover how to securely connect your on-premises network with your Oracle cloud network using IPSec.
Advantages of an IPSec VPN
1. It uses existing telecommunication lines (the public Internet) to transmit data, so dedicated, expensive leased lines from one site to another aren't necessary.
2. The internal IP addresses of the participating networks and nodes are hidden from external users.
3. The entire communication between the source and destination sites is encrypted.
Important Details and Limitations
1. Oracle Cloud Infrastructure supports only tunnel mode for IPSec VPNs.
2. To configure the IPSec VPN, you must have the appropriate permissions.
3. Border Gateway Protocol (BGP) is not supported for the Oracle IPSec VPN.
4. After you set up the IPSec VPN, you can't edit or expand the list of static routes associated with the tunnels. Changing the static routes requires you to delete the IPSec connection, re-create it, and then reconfigure your router.
5. Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec VPN connection. Even if you configure one tunnel as primary and another as backup, traffic from your VCN to your on-premises network can use any tunnel that is "up" on your device. Configure your firewalls accordingly; otherwise, ping tests or application traffic across the connection will not work reliably.
You will need to create the following Networking components to configure IPSec. You can create the components with either the Console or the API.
Customer-Premises Equipment (CPE)
The CPE object is a virtual representation of the actual router in your on-premises network (whether hardware or software). The CPE object holds basic information about your router, such as its public IP address.
Dynamic Routing Gateway (DRG)
The dynamic routing gateway is a virtual router on Oracle's side of the connection. It acts as the gateway into your VCN from your on-premises network. After creating a DRG, you must attach it to your VCN and add one or more route rules that route traffic from the VCN to the DRG. You can detach the DRG from your VCN while keeping all the other VPN components, and then reattach it, or attach it to another VCN.
IPSec Connection
After creating the CPE object and the DRG, you connect them by creating an IPSec connection, which results in multiple redundant IPSec tunnels. It is best practice to configure your on-premises router to support all the tunnels in case one fails.
Access Control for the Components
You can also configure access control by specifying the compartment where you want each of the components to reside. Otherwise, you can put all the components in the same compartment as the VCN.
Component Names and Identifiers
You can optionally assign a descriptive name to each of the components when you create them.
Static Routes
When you create the IPSec connection for your VPN, you must specify one or more static routes for the on-premises network that needs to communicate with the VCN.
How to Set Up an IPSec VPN
You can create the components with either the Console or the API.
1. Create your VCN.
2. Create a DRG.
3. Attach the DRG to your VCN.
4. Create a route table and route rule for the DRG.
5. Create a security list and required rules.
6. Create a subnet in the VCN.
7. Create a CPE object and provide your router's public IP address.
8. From your DRG, create an IPSec connection to the CPE object and provide your static routes.
9. Configure your CPE. This includes general information about the VCN and specific information for each IPSec tunnel.
10. Validate the connection.
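The ten steps above, scripted with the OCI CLI as an added example that is not Vast Edge's or Oracle's own code. It assumes a configured `oci` CLI, takes the compartment OCID, CIDRs and CPE address as placeholders you supply, uses JSON field names from the OCI Networking API as I understand them, and leaves step 9 to your router.

```shell
#!/bin/sh
# Added example, not Vast Edge's or Oracle's code: steps 1-8 and 10 above via the OCI CLI.
# Assumes a configured `oci` CLI; set OCI to a stub command to dry-run. JSON keys follow the
# OCI Networking API (route rules, security rules, static routes) as I understand it.
set -eu
OCI="${OCI:-oci}"

# Run a create command and return only the new resource's OCID.
oci_id() { "$OCI" "$@" --query 'data.id' --raw-output; }

# setup_ipsec COMPARTMENT_OCID VCN_CIDR ONPREM_CIDR CPE_PUBLIC_IP -> prints the IPSec connection OCID
setup_ipsec() {
  comp=$1 vcn_cidr=$2 onprem=$3 cpe_ip=$4
  vcn=$(oci_id network vcn create --compartment-id "$comp" --cidr-block "$vcn_cidr" --display-name ipsec-vcn)  # 1
  drg=$(oci_id network drg create --compartment-id "$comp" --display-name ipsec-drg)                             # 2
  oci_id network drg-attachment create --drg-id "$drg" --vcn-id "$vcn" >/dev/null                                # 3
  # 4: route the on-premises CIDR (and only that) to the DRG
  rt=$(oci_id network route-table create --compartment-id "$comp" --vcn-id "$vcn" --route-rules \
    "[{\"destination\":\"$onprem\",\"destinationType\":\"CIDR_BLOCK\",\"networkEntityId\":\"$drg\"}]")
  # 5: least privilege - allow traffic to and from the on-premises CIDR only
  sl=$(oci_id network security-list create --compartment-id "$comp" --vcn-id "$vcn" \
    --ingress-security-rules "[{\"protocol\":\"all\",\"source\":\"$onprem\"}]" \
    --egress-security-rules "[{\"protocol\":\"all\",\"destination\":\"$onprem\"}]")
  # 6: a subnet (here the whole VCN range) that uses that route table and security list
  oci_id network subnet create --compartment-id "$comp" --vcn-id "$vcn" --cidr-block "$vcn_cidr" \
    --route-table-id "$rt" --security-list-ids "[\"$sl\"]" >/dev/null
  cpe=$(oci_id network cpe create --compartment-id "$comp" --ip-address "$cpe_ip" --display-name onprem-router)  # 7
  # 8: static routes cannot be changed later without recreating the connection (detail 4 above)
  oci_id network ip-sec-connection create --compartment-id "$comp" --cpe-id "$cpe" --drg-id "$drg" \
    --static-routes "[\"$onprem\"]"
  # 9 is done on your router; its tunnel addresses and shared secrets come from
  #   oci network ip-sec-connection get-config --ipsc-id <ocid>
}

# 10: validate. Every tunnel must be UP, because Oracle may send traffic down any of them
# (detail 5 above); if one is DOWN, check the firewall rules for that tunnel's address first.
validate_ipsec() {
  states=$("$OCI" network ip-sec-connection get-status --ipsc-id "$1" --query 'data.tunnels[*].state')
  case "$states" in
    *DOWN*) echo "tunnel(s) not up: $states" >&2; return 1 ;;
    *UP*)   echo "all tunnels up: $states"; return 0 ;;
    *)      echo "no tunnel state reported" >&2; return 1 ;;
  esac
}
```

Run `setup_ipsec` once, keep the printed OCID, and re-run `validate_ipsec` after each router change until every tunnel reports UP.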