When I connect from home to the Oracle Cloud Infrastructure normally I used a Bastion Host, an Open VPN compute instance or Public IPs. Some of the cool stuff like MV2OCI (which transfers data from on-premises to OCI) or integration of an ADB instance in my local running Oracle Enterprise Manager are referred to direct cloud connections. A SSH reverse tunnel works fine, but this cannot be a permanent solution for my lab environment.
At home I have an Unifi Security Gateway (USG) up an running at home. This gateway has the capability, to create site-to-site VPN connections. Good: The Oracle Cloud Infrastruicture VPN service is for free, and I don’t expect over 10 TB outbound traffic. Time to create a VPN setup from home to OCI. Take care about the USG, it needs a “direct” internet contact, this is why my FTTH modem is configured in bridge mode on port 4. Small hint: If your modem is not bridged, ask your internet provider. Here in Switzerland, almost all internet providers support this function.
Click on the image for a larger view.
- Unifi Security Gateway Public IP – visible in the USG web interface or on webpage (search term: what’s my IP)
- Oracle Cloud Infrastructure network setup according the setup guide
- Knowledge about IPSec details which are used by OCI and as described in the setup guide: Key Exchange Version (IKEv1), Encryption (AES-256), Hash (SHA-1), DH Group (5)
- VCN and local network ranges
- The IPSec endpoint IP addresses and the secrets
Oracle Cloud Infrastructure IPSec Setup
My Oracle Cloud infrastructure network is configured 1:1 as described in the manual Setting Up VPN Connect: https://docs.cloud.oracle.com/en-en/iaas/Content/Network/Tasks/settingupIPsec.htm. Here in the IPSec connection you can see the endpoint IPs, the IPSec status is actually shown as down. The secrets are provided in the detail view.
Unifi Security Gateway Setup
Here you find the details of the USG site-to-site configuration: https://help.ui.com/hc/en-us/articles/360002668854#3. Create a new network in Settings – Networks.
Oracle Cloud Infrastructure Settings
|VPN Type||Manual IPsec|
|Peer IP||OCI VPN endpoint IP|
|Local WAN IP||Local public address of the USG|
|Pre-Shared Key||OCI IPsec tunnel secret|
|Key Exchange Version||IKEv1|
|Dynamic Routing||Checkbox activated|
Oracle Cloud Infrastructure IPSec Status Update
After about two minutes, the OCI tunnel status turns into green. The VPN tunnel is now ready to use.
Unifi Security Gateway Routing
To be sure that local connections to instances running in the Oracle Cloud Infrastructure private subnet are working properly, we need a routing entry in the USG. Create a new routing entry in Settings – Routing & Firewall.
|Destination Network||CIDR of the OCI VCN network / subnet|
|Local WAN IP||Local public address of the USG|
|Static Route Type:||Interface|
|Interface||Select interface created above, in my case OCI – Tunnel 1|
For testing purposes, I have created a compute instance in the OCI private subnet with IP 172.16.0.2, no public access – works!
A quick Bandwith Test
I am using iperf for this small test between my Windows client and the OCI compute instance. It’s not for production, just for the feeling. 68.7 Mbits/sec 🙂
Troubleshooting in USG
The connection can be verified when logged in as administrator in the Unifi Security Gateway as user ubnt / admin. Link to the documentation: https://help.ui.com/hc/en-us/articles/360002668854-UniFi-UDM-USG-Verifying-and-Troubleshooting-IPsec-VPNs
Show the current VPN configuration
$ sudo swanctl --list-conns peer-126.96.36.1996-tunnel-vti: local: 188.8.131.520 remote: 184.108.40.2066 local pre-shared key authentication: id: 220.127.116.110 remote pre-shared key authentication: id: 18.104.22.1686 peer-22.214.171.1246-tunnel-vti: TUNNEL local: 0.0.0.0/0 remote: 0.0.0.0/0 remote-access: IKEv1 local: 126.96.36.1990 remote: %any local pre-shared key authentication: id: 188.8.131.520 remote pre-shared key authentication: remote-access: TRANSPORT local: dynamic[udp/l2f]
Follow the Logfile
$ sudo swanctl --log 08[NET] received packet: from 184.108.40.206 to 220.127.116.110 (92 bytes) 08[ENC] parsed INFORMATIONAL_V1 request 1450492415 [ HASH N(DPD) ] 08[ENC] generating INFORMATIONAL_V1 request 3141172786 [ HASH N(DPD_ACK) ] 08[NET] sending packet: from 18.104.22.1680 to 22.214.171.124 (92 bytes) 14[NET] received packet: from 126.96.36.199 to 188.8.131.520 (92 bytes) 14[ENC] parsed INFORMATIONAL_V1 request 2294336399 [ HASH N(DPD) ] 14[ENC] generating INFORMATIONAL_V1 request 1226471776 [ HASH N(DPD_ACK) ] 14[NET] sending packet: from 184.108.40.2060 to 220.127.116.11 (92 bytes)
Troubleshooting in Oracle Cloud Infrastructure
There is a small document available to verify the basic configuration, maybe in future some log access will be provided. In a past project where we had VPN connection issues with a Fortigate firewall, I had a good experience with the guys from My Oracle Support.
Finally I have a stable VPN connection to Oracle Cloud Infrastructure for free. If all requirements are met, the configuration can be done in a few minutes. Next steps: Activation of the second tunnel to get VPN redundancy, enable notifications when a IPsec tunnel is down and some other Oracle Enterprise Manager 13c monitoring stuff. The weather conditions in Switzerland are bad for the next days, so there is enough time in the evenings to do further research.
#freedom #network #together #doer #curiosity