Let’s IPSec VPN – How to connect your Unifi Security Gateway to Oracle Cloud Infrastructure
When I connect from home to the Oracle Cloud Infrastructure normally I used a Bastion Host, an Open VPN compute instance or Public IPs. Some of the cool stuff like MV2OCI (which transfers data from on-premises to OCI) or integration of an ADB instance in my local running Oracle Enterprise Manager are referred to direct cloud connections. A SSH reverse tunnel works fine, but this cannot be a permanent solution for my lab environment.
At home I have an Unifi Security Gateway (USG) up an running at home. This gateway has the capability, to create site-to-site VPN connections. Good: The Oracle Cloud Infrastruicture VPN service is for free, and I don’t expect over 10 TB outbound traffic. Time to create a VPN setup from home to OCI. Take care about the USG, it needs a “direct” internet contact, this is why my FTTH modem is configured in bridge mode on port 4. Small hint: If your modem is not bridged, ask your internet provider. Here in Switzerland, almost all internet providers support this function.
Architecture
Click on the image for a larger view.
Prerequisites
- Unifi Security Gateway Public IP – visible in the USG web interface or on webpage (search term: what’s my IP)
- Oracle Cloud Infrastructure network setup according the setup guide
- Knowledge about IPSec details which are used by OCI and as described in the setup guide: Key Exchange Version (IKEv1), Encryption (AES-256), Hash (SHA-1), DH Group (5)
- VCN and local network ranges
- The IPSec endpoint IP addresses and the secrets
Oracle Cloud Infrastructure IPSec Setup
My Oracle Cloud infrastructure network is configured 1:1 as described in the manual Setting Up VPN Connect: https://docs.cloud.oracle.com/en-en/iaas/Content/Network/Tasks/settingupIPsec.htm. Here in the IPSec connection you can see the endpoint IPs, the IPSec status is actually shown as down. The secrets are provided in the detail view.
Unifi Security Gateway Setup
Here you find the details of the USG site-to-site configuration: https://help.ui.com/hc/en-us/articles/360002668854#3. Create a new network in Settings – Networks.
Oracle Cloud Infrastructure Settings
| VPN Type | Manual IPsec |
| Enabled | Checkbox activated |
| Route Distance | 30 |
| Peer IP | OCI VPN endpoint IP |
| Local WAN IP | Local public address of the USG |
| Pre-Shared Key | OCI IPsec tunnel secret |
| IPsec Profile | Customized |
| Key Exchange Version | IKEv1 |
| Encryption | AES-256 |
| Hash | SHA1 |
| DG Group | 5 |
| PFS | Checkbox activated |
| Dynamic Routing | Checkbox activated |
Network Configuration
Oracle Cloud Infrastructure IPSec Status Update
After about two minutes, the OCI tunnel status turns into green. The VPN tunnel is now ready to use.
Unifi Security Gateway Routing
To be sure that local connections to instances running in the Oracle Cloud Infrastructure private subnet are working properly, we need a routing entry in the USG. Create a new routing entry in Settings – Routing & Firewall.
Routing Settings
| Enabled | Checkbox activated |
| Type | Bullet activated |
| Destination Network | CIDR of the OCI VCN network / subnet |
| Local WAN IP | Local public address of the USG |
| Static Route Type: | Interface |
| Interface | Select interface created above, in my case OCI – Tunnel 1 |
Connection Verification
For testing purposes, I have created a compute instance in the OCI private subnet with IP 172.16.0.2, no public access – works!
A quick Bandwith Test
I am using iperf for this small test between my Windows client and the OCI compute instance. It’s not for production, just for the feeling. 68.7 Mbits/sec 🙂
Troubleshooting in USG
The connection can be verified when logged in as administrator in the Unifi Security Gateway as user ubnt / admin. Link to the documentation: https://help.ui.com/hc/en-us/articles/360002668854-UniFi-UDM-USG-Verifying-and-Troubleshooting-IPsec-VPNs
Show the current VPN configuration
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
$ sudo swanctl --list-conns peer-140.238.123.456-tunnel-vti: local: 139.178.78.910 remote: 140.238.123.456 local pre-shared key authentication: id: 139.178.78.910 remote pre-shared key authentication: id: 140.238.123.456 peer-140.238.123.456-tunnel-vti: TUNNEL local: 0.0.0.0/0 remote: 0.0.0.0/0 remote-access: IKEv1 local: 139.178.78.910 remote: %any local pre-shared key authentication: id: 139.178.78.910 remote pre-shared key authentication: remote-access: TRANSPORT local: dynamic[udp/l2f] |
Follow the Logfile
|
1 2 3 4 5 6 7 8 9 |
$ sudo swanctl --log 08[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes) 08[ENC] parsed INFORMATIONAL_V1 request 1450492415 [ HASH N(DPD) ] 08[ENC] generating INFORMATIONAL_V1 request 3141172786 [ HASH N(DPD_ACK) ] 08[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes) 14[NET] received packet: from 152.67.12.34[500] to 139.178.78.910[500] (92 bytes) 14[ENC] parsed INFORMATIONAL_V1 request 2294336399 [ HASH N(DPD) ] 14[ENC] generating INFORMATIONAL_V1 request 1226471776 [ HASH N(DPD_ACK) ] 14[NET] sending packet: from 139.178.78.910[500] to 152.67.12.34[500] (92 bytes) |
Troubleshooting in Oracle Cloud Infrastructure
There is a small document available to verify the basic configuration, maybe in future some log access will be provided. In a past project where we had VPN connection issues with a Fortigate firewall, I had a good experience with the guys from My Oracle Support.
Link: https://docs.cloud.oracle.com/en-us/iaas/Content/Network/Troubleshoot/ipsectroubleshoot.htm
Summary
Finally I have a stable VPN connection to Oracle Cloud Infrastructure for free. If all requirements are met, the configuration can be done in a few minutes. Next steps: Activation of the second tunnel to get VPN redundancy, enable notifications when a IPsec tunnel is down and some other Oracle Enterprise Manager 13c monitoring stuff. The weather conditions in Switzerland are bad for the next days, so there is enough time in the evenings to do further research.
#freedom #network #together #doer #curiosity
