
IPSec Site-to-Site VPN Demo using Libreswan as CPE on OCI Free Tier

By Gowthami | apps-dba.com | Oracle Cloud Infrastructure Series

Setting up a Site-to-Site VPN between your on-premises network and Oracle Cloud Infrastructure (OCI) is a fundamental step in hybrid cloud architectures. This post demonstrates how to configure an IPSec VPN using Libreswan as the Customer Premises Equipment (CPE) on the OCI Free Tier.

What You Will Learn: How to configure an IPSec Site-to-Site VPN on OCI Free Tier using Libreswan as the CPE, including DRG setup, IPSec connection creation, and Libreswan configuration on a Linux instance.

Architecture Overview

The demo uses the following setup:

  • OCI Side: Dynamic Routing Gateway (DRG), IPSec Connection, VCN with private subnet
  • On-Premises Side (simulated): A separate OCI Free Tier VCN acting as the "on-prem" network, with a Linux instance running Libreswan as the CPE

Step 1: Create the Dynamic Routing Gateway (DRG)

  1. Log in to OCI Console
  2. Navigate to Networking > Dynamic Routing Gateways
  3. Click Create Dynamic Routing Gateway
  4. Provide a name (e.g., demo-drg) and click Create
  5. Once created, attach the DRG to your VCN:
    Select the DRG > Attachments > Create Attachment > Choose your VCN

Step 2: Create the CPE Object

  1. Navigate to Networking > Customer-Premises Equipment
  2. Click Create CPE
  3. Enter the public IP address of your Libreswan instance
  4. Select the CPE vendor as Libreswan for auto-generated config

Step 3: Create the IPSec Connection

  1. Navigate to Networking > Site-to-Site VPN
  2. Click Create IPSec Connection
  3. Select your DRG and CPE object
  4. Enter the on-premises CIDR (e.g., 192.168.1.0/24)
  5. After creation, note the two tunnel IP addresses and the pre-shared keys

Step 4: Configure Libreswan on the Linux Instance

Install Libreswan on your CPE Linux instance:

$ sudo yum install libreswan -y   # Oracle Linux / RHEL
$ sudo apt install libreswan -y   # Ubuntu/Debian

Create the IPSec configuration file:

$ sudo vi /etc/ipsec.d/oci-vpn.conf

Add the following configuration (replace values with your tunnel details):

conn oci-tunnel-1
  left=%defaultroute
  leftid=<CPE_PUBLIC_IP>
  right=<OCI_TUNNEL_IP>
  authby=secret
  auto=start
  type=tunnel
  leftsubnet=192.168.1.0/24
  rightsubnet=10.0.0.0/16
  ike=aes256-sha2_256;dh14
  phase2alg=aes256-sha2_256;dh14
  keyingtries=%forever

Create the secrets file:

$ sudo vi /etc/ipsec.d/oci-vpn.secrets
<CPE_PUBLIC_IP> <OCI_TUNNEL_IP> : PSK "<PRE_SHARED_KEY>"
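An OCI IPSec connection always comes with two tunnels (Step 3 gave you two tunnel IPs and two pre-shared keys), but the stanza above configures only one. The script below is an added example, not part of the original post or of Libreswan or OCI: it renders a conn stanza in the same layout for both tunnels, writes one PSK line per tunnel into the secrets file with owner-only permissions, and runs a few sanity checks before you start the service. All IP addresses and PSKs in it are constructed placeholders; the defaults write into a scratch directory so you can dry-run it without root, and setting OUT_DIR=/etc/ipsec.d (as root) installs the files for real.

```bash
#!/bin/sh
# Added example (not part of the original post): render /etc/ipsec.d files for
# BOTH tunnels of an OCI IPSec connection from the values noted in Step 3.
# All IPs and PSKs below are constructed placeholders; override them via the
# environment. OUT_DIR defaults to a scratch directory so this can be dry-run
# without root; set OUT_DIR=/etc/ipsec.d (as root) to install for real.

CPE_PUBLIC_IP="${CPE_PUBLIC_IP:-203.0.113.10}"     # constructed placeholder
TUNNEL1_IP="${TUNNEL1_IP:-198.51.100.1}"            # constructed placeholder
TUNNEL2_IP="${TUNNEL2_IP:-198.51.100.2}"            # constructed placeholder
TUNNEL1_PSK="${TUNNEL1_PSK:-REPLACE_WITH_TUNNEL1_PSK}"
TUNNEL2_PSK="${TUNNEL2_PSK:-REPLACE_WITH_TUNNEL2_PSK}"
ONPREM_CIDR="${ONPREM_CIDR:-192.168.1.0/24}"
OCI_CIDR="${OCI_CIDR:-10.0.0.0/16}"
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# render_conn NAME TUNNEL_IP: one conn stanza in the same layout as the post
render_conn() {
  cat <<EOF
conn $1
  left=%defaultroute
  leftid=$CPE_PUBLIC_IP
  right=$2
  authby=secret
  auto=start
  type=tunnel
  leftsubnet=$ONPREM_CIDR
  rightsubnet=$OCI_CIDR
  ike=aes256-sha2_256;dh14
  phase2alg=aes256-sha2_256;dh14
  keyingtries=%forever

EOF
}

# write_config: conf with both tunnels, secrets with one PSK line per tunnel.
# The secrets file is created under umask 077 so the PSKs are never readable
# by other users, and the PSKs come from the environment rather than argv
# (argv is visible to every local user via ps).
write_config() {
  (
    umask 077
    {
      render_conn oci-tunnel-1 "$TUNNEL1_IP"
      render_conn oci-tunnel-2 "$TUNNEL2_IP"
    } > "$OUT_DIR/oci-vpn.conf"
    {
      printf '%s %s : PSK "%s"\n' "$CPE_PUBLIC_IP" "$TUNNEL1_IP" "$TUNNEL1_PSK"
      printf '%s %s : PSK "%s"\n' "$CPE_PUBLIC_IP" "$TUNNEL2_IP" "$TUNNEL2_PSK"
    } > "$OUT_DIR/oci-vpn.secrets"
  )
}

# check_config: sanity checks to run before `systemctl start ipsec`
check_config() {
  grep -q '^conn oci-tunnel-1$' "$OUT_DIR/oci-vpn.conf" || return 1
  grep -q '^conn oci-tunnel-2$' "$OUT_DIR/oci-vpn.conf" || return 1
  # every right= peer in the conf must have a matching PSK line
  for peer in "$TUNNEL1_IP" "$TUNNEL2_IP"; do
    grep -q "^$CPE_PUBLIC_IP $peer : PSK " "$OUT_DIR/oci-vpn.secrets" || return 1
  done
  # secrets must be owner read/write only
  case "$(ls -l "$OUT_DIR/oci-vpn.secrets")" in
    -rw-------*) return 0 ;;
    *) return 1 ;;
  esac
}

write_config && check_config && echo "rendered into $OUT_DIR"
```

Run it as `TUNNEL1_IP=... TUNNEL2_IP=... TUNNEL1_PSK=... TUNNEL2_PSK=... sh render-oci-vpn.sh` first to inspect the scratch output, then again with OUT_DIR=/etc/ipsec.d under sudo. Keeping the PSKs out of argv and the secrets file at mode 600 are the two details most often missed when this is done by hand.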

Step 5: Start and Verify the VPN

$ sudo systemctl start ipsec
$ sudo systemctl enable ipsec
$ sudo ipsec status

Verify tunnel status in OCI Console under Site-to-Site VPN > IPSec Connection > Tunnels. Both tunnels should show as UP.

Troubleshooting Tips

  • Check security list rules — allow UDP 500 and UDP 4500 on the CPE instance
  • Verify route table has a route sending on-prem CIDR traffic to the DRG
  • Use sudo ipsec whack --status for detailed tunnel state
  • Review /var/log/pluto.log for IKE negotiation errors
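When a tunnel shows UP in the console but traffic still does not flow, the quickest local check is `ipsec trafficstatus`, which prints one line per established ESP SA with its byte counters. The script below is an added example, not from the original post or from Libreswan: it classifies each OCI tunnel as down (no ESP SA at all), idle (SA established but zero bytes in both directions, which usually points at the route table or security lists rather than at IKE) or up, and prints the next thing to check for each. The sample status lines embedded in it are constructed in the format Libreswan prints; on the CPE, feed it the live output with `STATUS_INPUT="$(sudo ipsec trafficstatus)"`.

```bash
#!/bin/sh
# Added example (not part of the original post): classify each OCI tunnel from
# `ipsec trafficstatus` output. SAMPLE_STATUS is a constructed sample in the
# line format Libreswan prints; in real use run:
#   STATUS_INPUT="$(sudo ipsec trafficstatus)" sh check-tunnels.sh

SAMPLE_STATUS=$(cat <<'EOF'
006 #3: "oci-tunnel-1", type=ESP, add_time=1700000000, inBytes=48236, outBytes=39110, id='198.51.100.1'
006 #5: "oci-tunnel-2", type=ESP, add_time=1700000010, inBytes=0, outBytes=0, id='198.51.100.2'
EOF
)
STATUS_INPUT="${STATUS_INPUT:-$SAMPLE_STATUS}"

# tunnel_state CONN_NAME -> prints one of: down | idle | up
#   down: no ESP SA for that conn (IKE never completed)
#   idle: SA exists but no bytes in either direction
#   up:   SA exists and traffic has flowed
tunnel_state() {
  line=$(printf '%s\n' "$STATUS_INPUT" | grep -F "\"$1\"" | grep -F 'type=ESP' | head -n 1)
  [ -n "$line" ] || { echo down; return 0; }
  in=$(printf '%s\n' "$line" | sed -n 's/.*inBytes=\([0-9]*\).*/\1/p')
  out=$(printf '%s\n' "$line" | sed -n 's/.*outBytes=\([0-9]*\).*/\1/p')
  if [ "${in:-0}" -eq 0 ] && [ "${out:-0}" -eq 0 ]; then
    echo idle
  else
    echo up
  fi
}

# report: one line per tunnel with the state and the next thing to check
report() {
  for c in oci-tunnel-1 oci-tunnel-2; do
    s=$(tunnel_state "$c")
    case $s in
      up)   hint="traffic flowing" ;;
      idle) hint="SA up but no traffic: check DRG route table and security lists" ;;
      down) hint="no ESP SA: check PSK, leftid, UDP 500/4500, /var/log/pluto.log" ;;
    esac
    printf '%-14s %-5s %s\n' "$c" "$s" "$hint"
  done
}

report
```

With the embedded sample the report shows oci-tunnel-1 as up and oci-tunnel-2 as idle, which is the typical picture when only one tunnel has a route pointing at it; a down tunnel means IKE itself failed and the PSK, leftid and UDP 500/4500 rules are the first things to look at.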
