Thursday, November 17, 2022

IPSec Site-to-Site VPN Demo using Libreswan as CPE on OCI Free Tier

By Gowthami | apps-dba.com | Oracle Cloud Infrastructure Series

Setting up a Site-to-Site VPN between your on-premises network and Oracle Cloud Infrastructure (OCI) is a fundamental step in hybrid cloud architectures. This post demonstrates how to configure an IPSec VPN using Libreswan as the Customer Premises Equipment (CPE) on the OCI Free Tier.

What You Will Learn: How to configure an IPSec Site-to-Site VPN on OCI Free Tier using Libreswan as the CPE, including DRG setup, IPSec connection creation, and Libreswan configuration on a Linux instance.

Architecture Overview

The demo uses the following setup:

  • OCI Side: Dynamic Routing Gateway (DRG), IPSec Connection, VCN with private subnet
  • On-Premises Side (simulated): A separate OCI Free Tier VCN, with a CIDR that does not overlap the first VCN's, acting as the "on-prem" network, with a Linux instance running Libreswan as the CPE

Step 1: Create the Dynamic Routing Gateway (DRG)

  1. Log in to OCI Console
  2. Navigate to Networking > Dynamic Routing Gateways
  3. Click Create Dynamic Routing Gateway
  4. Provide a name (e.g., demo-drg) and click Create
  5. Once created, attach the DRG to your VCN:
    Select the DRG > Attachments > Create Attachment > Choose your VCN

Step 2: Create the CPE Object

  1. Navigate to Networking > Customer-Premises Equipment
  2. Click Create CPE
  3. Enter the public IP address of your Libreswan instance (the instance is behind OCI's 1:1 NAT, so this is the public IP assigned to its VNIC, not the address on its interface)
  4. Select Libreswan as the CPE vendor so the console can generate a vendor-specific configuration for you once the IPSec connection exists

Step 3: Create the IPSec Connection

  1. Navigate to Networking > Site-to-Site VPN
  2. Click Create IPSec Connection
  3. Select your DRG and CPE object
  4. Enter the on-premises CIDR (e.g., 192.168.1.0/24)
  5. After creation, note each tunnel's Oracle VPN IP address and pre-shared key. OCI creates two tunnels for redundancy, and each has its own PSK

Step 4: Configure Libreswan on the Linux Instance

Install Libreswan on your CPE Linux instance:

$ sudo yum install libreswan -y   # Oracle Linux / RHEL
$ sudo apt install libreswan -y   # Ubuntu/Debian

Create the IPSec configuration file:

$ sudo vi /etc/ipsec.d/oci-vpn.conf

Add the following configuration, replacing the placeholders: leftsubnet is the on-prem CIDR entered in Step 3, rightsubnet is your OCI VCN's CIDR, and right is the Oracle VPN IP of the tunnel. Repeat the block as oci-tunnel-2 with the second tunnel's IP, and make sure the IKE version and proposals match what the tunnel shows in the console (the Libreswan configuration the console generates for your CPE is the reference):

# Tunnel 1. left = this CPE, right = Oracle's end of the tunnel.
conn oci-tunnel-1
  left=%defaultroute
  leftid=<CPE_PUBLIC_IP>          # public IP from Step 2; the VNIC itself holds a private IP
  right=<OCI_TUNNEL_IP>           # Oracle VPN IP of tunnel 1 from Step 3
  authby=secret
  auto=start
  type=tunnel
  leftsubnet=192.168.1.0/24       # on-prem CIDR entered in Step 3
  rightsubnet=10.0.0.0/16         # your OCI VCN CIDR
  ike=aes256-sha2_256;dh14
  phase2alg=aes256-sha2_256;dh14
  keyingtries=%forever

Create the secrets file, one line per tunnel. Libreswan's default ipsec.secrets includes /etc/ipsec.d/*.secrets, and the file must be owned by root and readable by root only, since it holds the pre-shared keys:

$ sudo vi /etc/ipsec.d/oci-vpn.secrets
<CPE_PUBLIC_IP> <OCI_TUNNEL_IP> : PSK "<PRE_SHARED_KEY>"

Step 5: Start and Verify the VPN

$ sudo systemctl start ipsec
$ sudo systemctl enable ipsec
$ sudo ipsec status

Verify tunnel status in OCI Console under Site-to-Site VPN > IPSec Connection > Tunnels. Both tunnels should show as UP.
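As an added worked example (not from the original post), the shell script below renders the Libreswan conn block and secrets line for both OCI tunnels from the values noted in Step 3, writes the PSK file with root-only permissions before any key lands in it, and counts established IPsec SAs in `ipsec status` output so "both tunnels UP" can be checked from the CPE itself. Every address and key in it is a placeholder from the documentation ranges, the sample status lines are constructed, and the demo writes to a temporary directory so it can be dry-run without touching /etc/ipsec.d.

```shell
#!/bin/sh
# Added example, not from the original post. Renders Libreswan config for BOTH
# OCI tunnels, protects the PSK file, and checks `ipsec status` output.
# All addresses and keys are placeholders; replace them with your tunnel details.
set -eu

# Emit one policy-based conn block with the same settings as the post's conn.
# Args: name cpe_public_ip oci_tunnel_ip on_prem_cidr vcn_cidr
render_conn() {
  local name=$1 cpe_ip=$2 tunnel_ip=$3 on_prem=$4 vcn=$5
  cat <<EOF
conn ${name}
  left=%defaultroute
  leftid=${cpe_ip}
  right=${tunnel_ip}
  authby=secret
  auto=start
  type=tunnel
  leftsubnet=${on_prem}
  rightsubnet=${vcn}
  ike=aes256-sha2_256;dh14
  phase2alg=aes256-sha2_256;dh14
  keyingtries=%forever

EOF
}

# Emit one secrets line. The PSK is double-quoted in the file, so a key must
# not itself contain a double quote.
# Args: cpe_public_ip oci_tunnel_ip psk
render_secret() {
  local cpe_ip=$1 tunnel_ip=$2 psk=$3
  printf '%s %s : PSK "%s"\n' "$cpe_ip" "$tunnel_ip" "$psk"
}

# Write oci-vpn.conf and oci-vpn.secrets for two tunnels into a directory.
# Args: outdir cpe_public_ip on_prem_cidr vcn_cidr tunnel1_ip psk1 tunnel2_ip psk2
write_oci_vpn() {
  local outdir=$1 cpe_ip=$2 on_prem=$3 vcn=$4 t1=$5 psk1=$6 t2=$7 psk2=$8
  mkdir -p "$outdir"
  {
    render_conn oci-tunnel-1 "$cpe_ip" "$t1" "$on_prem" "$vcn"
    render_conn oci-tunnel-2 "$cpe_ip" "$t2" "$on_prem" "$vcn"
  } > "$outdir/oci-vpn.conf"
  # Create the secrets file with mode 600 BEFORE the PSKs are written into it.
  (umask 077; : > "$outdir/oci-vpn.secrets")
  {
    render_secret "$cpe_ip" "$t1" "$psk1"
    render_secret "$cpe_ip" "$t2" "$psk2"
  } >> "$outdir/oci-vpn.secrets"
  chmod 600 "$outdir/oci-vpn.secrets"
}

# Count "IPsec SA established" entries in `ipsec status` output read from stdin.
# Two is the expected answer once both OCI tunnels are up.
count_established() {
  grep -c 'IPsec SA established' || true
}

# Constructed sample of `ipsec status` output for two established tunnels
# (assumed shape; on the real CPE, pipe `sudo ipsec status` into the function).
SAMPLE_STATUS='000 #1: "oci-tunnel-1":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27000s
000 #2: "oci-tunnel-1":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); REKEY in 3000s
000 #3: "oci-tunnel-2":4500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in 27000s
000 #4: "oci-tunnel-2":4500 STATE_V2_ESTABLISHED_CHILD_SA (IPsec SA established); REKEY in 3000s'

# Dry run: render both files into a temp dir and show them. On the real CPE,
# copy them to /etc/ipsec.d as root and restart the ipsec service.
demo() {
  local dir
  dir=$(mktemp -d)
  write_oci_vpn "$dir" 203.0.113.10 192.168.1.0/24 10.0.0.0/16 \
    198.51.100.1 'REPLACE_WITH_TUNNEL1_PSK' 198.51.100.2 'REPLACE_WITH_TUNNEL2_PSK'
  cat "$dir/oci-vpn.conf"
  ls -l "$dir/oci-vpn.secrets"
  printf 'established IPsec SAs in sample status: %s\n' \
    "$(printf '%s\n' "$SAMPLE_STATUS" | count_established)"
}

if [ "${1:-}" = "--demo" ]; then
  demo
fi
```

Run it with `--demo` to see the rendered files; on the CPE, `sudo ipsec status | count_established` should print 2 once the console shows both tunnels UP.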

Troubleshooting Tips

  • Check security list rules: the CPE subnet must allow ingress UDP 500 and UDP 4500 from the two Oracle tunnel IPs (NAT-T carries ESP inside UDP 4500, since the instance sits behind OCI's 1:1 NAT). Check the OS firewall on the instance too (firewalld on Oracle Linux)
  • Verify both route tables: on the OCI VCN side, a rule sending the on-prem CIDR to the DRG; on the simulated on-prem side, a rule sending the VCN CIDR to the CPE instance's private IP, with source/destination checking disabled on the CPE's VNIC so it may forward traffic for other hosts
  • Run sudo ipsec verify to catch host-level problems (IP forwarding disabled, ICMP redirects enabled, missing kernel support)
  • Use sudo ipsec whack --status for detailed tunnel state, and sudo ipsec trafficstatus to confirm bytes are actually flowing through each SA
  • Review the IKE negotiation log: /var/log/pluto.log if logfile= is set in ipsec.conf, otherwise journalctl -u ipsec. A mismatch between the conn's ike=/phase2alg= proposals or IKE version and the tunnel settings in the console is the usual cause of a tunnel stuck in negotiation
