Let’s IPSec VPN – How to connect your Unifi Security Gateway to Oracle Cloud Infrastructure

When I connect from home to the Oracle Cloud Infrastructure normally I used a Bastion Host, an Open VPN compute instance or Public IPs.  Some of the cool stuff like MV2OCI (which transfers data from on-premises to OCI) or integration of an ADB instance in my local running Oracle Enterprise Manager are referred to direct cloud connections. A SSH reverse tunnel works fine, but this cannot be a permanent solution for my lab environment.

At home I have an Unifi Security Gateway (USG) up an running at home. This gateway has the capability, to create site-to-site VPN connections. Good: The Oracle Cloud Infrastruicture VPN service is for free, and I don’t expect over 10 TB outbound traffic. Time to create a VPN setup from home to OCI. Take care about the USG, it needs a “direct” internet contact, this is why my FTTH modem is configured in bridge mode on port 4. Small hint: If your modem is not bridged, ask your internet provider. Here in Switzerland, almost all internet providers support this function.

Architecture

Click on the image for a larger view.

Prerequisites

  • Unifi Security Gateway Public IP – visible in the USG web interface or on webpage (search term: what’s my IP)
  • Oracle Cloud Infrastructure network setup according the setup guide
  • Knowledge about IPSec details which are used by OCI and as described in the setup guide: Key Exchange Version (IKEv1), Encryption (AES-256), Hash (SHA-1), DH Group (5)
  • VCN and local network ranges
  • The IPSec endpoint IP addresses and the secrets

Oracle Cloud Infrastructure IPSec Setup

My Oracle Cloud infrastructure network is configured 1:1 as described in the manual Setting Up VPN Connect: https://docs.cloud.oracle.com/en-en/iaas/Content/Network/Tasks/settingupIPsec.htm. Here in the IPSec connection you can see the endpoint IPs, the IPSec status is actually shown as down. The secrets are provided in the detail view.

Unifi Security Gateway Setup

Here you find the details of the USG site-to-site configuration: https://help.ui.com/hc/en-us/articles/360002668854#3. Create a new network in Settings – Networks.

Oracle Cloud Infrastructure Settings

VPN Type Manual IPsec
Enabled Checkbox activated
Route Distance 30
Peer IP OCI VPN endpoint IP
Local WAN IP Local public address of the USG
Pre-Shared Key OCI IPsec tunnel secret
IPsec Profile Customized
Key Exchange Version IKEv1
Encryption AES-256
Hash SHA1
DG Group 5
PFS Checkbox activated
Dynamic Routing Checkbox activated

 

Network Configuration

Oracle Cloud Infrastructure IPSec Status Update

After about two minutes, the OCI tunnel status turns into green. The VPN tunnel is now ready to use.

Unifi Security Gateway Routing

To be sure that local connections to instances running in the Oracle Cloud Infrastructure private subnet are working properly, we need a routing entry in the USG. Create a new routing entry in Settings – Routing & Firewall.

Routing Settings

Enabled Checkbox activated
Type Bullet activated
Destination Network CIDR of the OCI VCN network / subnet
Local WAN IP Local public address of the USG
Static Route Type: Interface
Interface Select interface created above, in my case OCI – Tunnel 1

 

Connection Verification

For testing purposes, I have created a compute instance in the OCI private subnet with IP 172.16.0.2, no public access – works!

A quick Bandwith Test

I am using iperf for this small test between my Windows client and the OCI compute instance. It’s not for production, just for the feeling. 68.7 Mbits/sec 🙂

Troubleshooting in USG

The connection can be verified when logged in as administrator in the Unifi Security Gateway as user ubnt / admin. Link to the documentation: https://help.ui.com/hc/en-us/articles/360002668854-UniFi-UDM-USG-Verifying-and-Troubleshooting-IPsec-VPNs

Show the current VPN configuration

$ sudo swanctl --list-conns
peer-140.238.123.456-tunnel-vti:
local: 139.178.78.910
remote: 140.238.123.456
local pre-shared key authentication:
id: 139.178.78.910
remote pre-shared key authentication:
id: 140.238.123.456
peer-140.238.123.456-tunnel-vti: TUNNEL
local: 0.0.0.0/0
remote: 0.0.0.0/0
remote-access: IKEv1
local: 139.178.78.910
remote: %any
local pre-shared key authentication:
id: 139.178.78.910
remote pre-shared key authentication:
remote-access: TRANSPORT
local: dynamic[udp/l2f]

Follow the Logfile

$ sudo swanctl --log
08[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes)
08[ENC] parsed INFORMATIONAL_V1 request 1450492415 [ HASH N(DPD) ]
08[ENC] generating INFORMATIONAL_V1 request 3141172786 [ HASH N(DPD_ACK) ]
08[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes)
14[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes)
14[ENC] parsed INFORMATIONAL_V1 request 2294336399 [ HASH N(DPD) ]
14[ENC] generating INFORMATIONAL_V1 request 1226471776 [ HASH N(DPD_ACK) ]
14[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes)

Troubleshooting in Oracle Cloud Infrastructure

There is a small document available to verify the basic configuration, maybe in future some log access will be provided. In a past project where we had VPN connection issues with a Fortigate firewall, I had a good experience with the guys from My Oracle Support.

Link: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Troubleshoot/ipsectroubleshoot.htm

Summary

Finally I have a stable VPN connection to Oracle Cloud Infrastructure for free. If all requirements are met, the configuration can be done in a few minutes. Next steps: Activation of the second tunnel to get VPN redundancy, enable notifications when a IPsec tunnel is down and some other Oracle Enterprise Manager 13c monitoring stuff. The weather conditions in Switzerland are bad for the next days, so there is enough time in the evenings to do further research.

#freedom #network #together #doer #curiosity