
Connectivity ipsec_vpn_200


In this course, you will learn how to securely connect to your virtual cloud network using IPsec VPN, and explore best practices to design a redundant and highly available IPsec VPN connection with OCI.


  1. Copyright © 2018, Oracle and/or its affiliates. All rights reserved. Connectivity – IPsec VPN Level 200. Jamal Arif, November 2018.
  2. Safe Harbor Statement. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  3. Objectives. After completing this lesson, you should be able to:
     • Describe key IPsec VPN connectivity options
     • Describe IPsec VPN and its concepts
     • Describe the IPsec VPN workflow
     • Evaluate typical IPsec VPN network scenarios
     • AWS and OCI VPN connectivity
     • Prerequisite: Connectivity – Level 100
  4. Connectivity options
     • Public Internet: reserved IPs; ephemeral IPs; Internet data-out pricing (first 10 TB free)
     • IPsec VPN: IPsec authentication and encryption; two main options: the OCI managed VPN service (free) or a software VPN (running on OCI Compute)
     • FastConnect: private dedicated connection; consistent network experience; port speeds of 1 Gbps and 10 Gbps; SLA
  5. Connectivity to on-premises network: planning. Connecting your virtual cloud network (VCN) to your on-premises network requires certain design considerations:
     • What bandwidth/throughput does your application require?
     • Is your application latency sensitive?
     • Are you planning to provide redundancy for your on-premises connectivity and avoid a single point of failure?
     • Do you require a secure and private dedicated connection, or a public connection over the internet?
     • Do you see your services growing, and plan to dynamically scale up your application's bandwidth needs?
  6. VPN Basics. VPN: using a public network to make an end-to-end connection between two private networks in a secure fashion.
     • Tunnel: a way to deliver packets through the internet to private RFC 1918 addresses
     • Authentication: provides a mechanism to authenticate who you are
     • Encryption: packets need to be encrypted so they cannot be sniffed over the public internet
     • Static routing: configure a router to send traffic for particular destinations in preconfigured directions
     • Dynamic routing: use a routing protocol such as BGP to figure out what paths traffic should take
     (Diagram: a VPN connection between Private Network 1 and Private Network 2, a tunnel between the two VPN routers across the Internet)
  7. IPsec VPN
     • IPsec VPN is a managed VPN service which securely connects an on-premises network to an OCI VCN through an IPsec VPN connection
     • IPsec VPN ensures secure remote connectivity
     • Bandwidth is dependent on the customer’s access to the Internet and general Internet congestion (typically less than 250 Mbps, but your mileage may vary)
     • The VPN service is offered for free
     • Customer proofs of concept usually start as a VPN and then morph into FastConnect designs
     • OCI provisions redundant VPN tunnels located on physically and logically isolated tunnel endpoints
     (Diagram: customer data center connected to an Oracle Cloud data center region; VCN 10.0.0.0/16, Availability Domain-2, Subnet B 10.0.2.0/24 with a custom route table)
  8. OCI VPN Concepts
     • Dynamic Routing Gateway (DRG): the VPN headend at the OCI end of the IPsec VPN
     • Customer Premise Equipment (CPE): the actual VPN router in your on-premises network (hardware or software). When setting up the VPN, you create a virtual representation of your on-premises router, known as the CPE object. To create a CPE object you provide a name and the router's outside public IP address.
     • IPsec Connection: after creating the CPE object and DRG, you connect them by creating an IPsec connection, which results in multiple redundant IPsec tunnels. Static routes are added while creating the IPsec connection, and they can’t be modified after the IPsec connection has been created.
  9. OCI VPN – Workflow (diagram): On-Premises Network 10.0.0.0/16 with CPE 142.32.45.56, connected over the Internet to the Oracle Cloud data center region; VCN 172.16.0.0/16 with Subnet A 172.16.0.0/24; VCN route table: 10.0.0.0/16 → DRG; IPsec connection static route: 0.0.0.0/0.
  10. OCI VPN – Example (POC environment)
      • Create a Virtual Cloud Network (VCN)
      • Create a Dynamic Routing Gateway (DRG)
      • Attach the DRG to your VCN
      • Update the VCN routing to send traffic to the DRG
      • Create a CPE object and add the on-premises router's public IP address
      • From the DRG, create an IPsec connection between the CPE and the DRG and provide a static route
      • Configure the on-premises CPE router
  11. OCI VPN Configuration Examples: Single-Site (diagram). On-premises network 10.0.0.0/16 with a CPE; IPsec connection static routes: 10.0.0.0/16 and 0.0.0.0/0. Oracle Cloud data center region with VCN 172.16.0.0/16, Subnet A 172.16.0.0/24, and VCN route table 10.0.0.0/16 → DRG.
  12. OCI VPN Configuration Examples: Multi-Site (diagram). Four on-premises networks, each with its own CPE and IPsec connection: Chicago 10.0.0.0/16 (static route 10.0.0.0/16), Los Angeles 10.10.0.0/16 (static route 10.10.0.0/16), New York 10.20.0.0/16 (static route 10.20.0.0/16), Seattle 10.30.0.0/16 (static route 10.30.0.0/16). Oracle Cloud data center region with VCN 172.16.0.0/16, Subnet A 172.16.0.0/24, and VCN route table: 10.0.0.0/16 → DRG, 10.10.0.0/16 → DRG, 10.20.0.0/16 → DRG, 10.30.0.0/16 → DRG.
  13. IPsec VPN – Multisite HA scenarios
      • If your data centers span multiple geographical locations, we recommend using a broad CIDR (0.0.0.0/0) as a static route in addition to the CIDR of the specific geographical location.
      • This broad CIDR provides high availability and flexibility to your network design.
      • Each IPsec VPN connection has two static routes: one for the CIDR of the particular geographical area, and a broad 0.0.0.0/0 static route.
  14. IPsec VPN – Multisite HA scenarios
      • If the CPE 1 router goes down and Subnet 1 and Subnet 2 can communicate with each other, the VCN is still able to access the systems in Subnet 1 because of the 0.0.0.0/0 static route that goes to CPE 2.
  15. IPsec VPN – Multisite HA scenarios
      • If you add a new geographical area with Subnet 3 and connect it to Subnet 2, you would add a route rule to your VCN’s route table for Subnet 3 so that the VCN can reach systems in Subnet 3 without creating a new VPN connection, because of the 0.0.0.0/0 static route that goes to CPE 2.
  16. OCI VPN Redundancy Models (Single CPE) (diagram): a single CPE with an IPsec connection towards two Oracle transit POPs; Oracle Cloud Infrastructure region with Availability Domains 1, 2 and 3 and Subnet A 10.0.30.0/24, Subnet B 10.0.40.0/24, Subnet C 10.0.50.0/24.
  17. OCI VPN Redundancy Models (Multiple CPE) (diagram): multiple CPEs towards two Oracle transit POPs; Oracle Cloud Infrastructure region with Availability Domains 1, 2 and 3 and Subnet A 10.0.30.0/24, Subnet B 10.0.40.0/24, Subnet C 10.0.50.0/24.
  18. IPsec VPN
  19. Example Config: Cisco ASA/ASAv VTI. Source: Cisco ASA/ASAv Whitepaper.
  20. Typical Networking Scenarios. The following are the typical networking scenarios:
      • Public Subnet
      • Private Subnet with VPN
      • Public and Private Subnets with a VPN
  21. Public Subnet
      • Create a VCN and provide a CIDR range
      • Create an Internet Gateway
      • Create a route rule sending traffic to the Internet Gateway (for all IP addresses, 0.0.0.0/0)
      • Create Security List rules that allow the traffic (and each instance's firewall must allow the traffic)
      • Create a public subnet within a specific AD with the route table and security list
      • Create an instance with a public IP address within the subnet
  22. Private Subnet with a VPN
      • Create a VCN and provide a CIDR range
      • Create a Dynamic Routing Gateway (DRG) and attach it to the VCN
      • Create a new route table so that its default route is directed toward the DRG and thus to the VPN
      • Create a route rule sending traffic to the DRG: add a CIDR block of 0.0.0.0/0 (all non-intra-VCN traffic that is not already covered by other rules in the route table will go to the DRG)
      • Create Security List rules that allow the traffic (e.g. port 1521 for Oracle databases)
      • Create a private subnet within a specific AD with the route table and security list
      • A similar example can also use the OCI FastConnect service
  23. Public & Private Subnets with VPN
  24. VPN IPsec Connectivity
      • Customers can have a software VPN between multiple cloud providers
      • Multiple choices are available when it comes to software VPN
      • Customers can run Openswan, OpenVPN, Libreswan etc. on a Linux VM in either cloud and create IPsec tunnels
      • Customers can spin up virtual firewalls in either cloud and initiate an IPsec tunnel to the other cloud
      • Virtual firewalls are available in the marketplace
      • Is the application latency or bandwidth sensitive? Then IPsec is not a good choice
  25. AWS – OCI Connectivity Using Libreswan VM on AWS* (diagram): AWS virtual private cloud (Ohio East), one Availability Zone, a VPC subnet with a Libreswan VM; IPsec tunnel to Oracle Cloud Infrastructure (Ashburn) with AD 1, AD 2, AD 3 and Subnet A 10.0.30.0/24, Subnet B 10.0.40.0/24, Subnet C 10.0.50.0/24. Demo available on Confluence (Demo Section).
  26. AWS – OCI Connectivity Using Libreswan VM on AWS*
      • Set up a VCN on OCI and associate a DRG with the VCN
      • Set up a Libreswan VM in an AWS VPC
      • Edit the VPC route table and security groups/ACLs
      • Set up the CPE and IPsec tunnel
      • Add the OCI IPsec tunnel info to the AWS Libreswan VM
      • IPsec tunnel provisioned
  27. Summary. After completing this lesson, you should have learned how to:
      • Describe key IPsec VPN connectivity options
      • Describe IPsec VPN and its concepts
      • Describe the IPsec VPN workflow
      • Evaluate typical IPsec VPN network scenarios
      • AWS and OCI VPN connectivity
  28. cloud.oracle.com/iaas, cloud.oracle.com/tryit
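The multi-site HA design on slides 13 to 15 (a broad 0.0.0.0/0 static route on every IPsec connection, failover when the CPE 1 router goes down, and a VCN route rule for a newly added Subnet 3) as an added Python model; this is not Oracle's code or the OCI API, and the site names, CIDRs, the `up` flag and the handling of equal-length routes are assumptions of the model.

```python
# Added model (not Oracle code or the OCI API) of the multi-site design on
# slides 13-15: VCN route rules pointing at the DRG, then each IPsec
# connection's static routes. Names, CIDRs and tie handling are assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class IPsecConnection:
    cpe: str              # CPE object behind this IPsec connection
    static_routes: list   # static routes given when the connection was created
    up: bool = True       # False models the CPE router being down


def longest_match(dst, candidates):
    """Entries of (cidr, payload) matching dst with the longest prefix.

    Ties (e.g. two 0.0.0.0/0 routes) are all returned; the deck does not say
    how the DRG splits traffic between equal routes (assumption).
    """
    addr = ip_address(dst)
    best, best_len = [], -1
    for cidr, payload in candidates:
        net = ip_network(cidr)
        if addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = [(str(net), payload)], net.prefixlen
        elif net.prefixlen == best_len:
            best.append((str(net), payload))
    return best


def path_to(dst, vcn_route_rules, connections):
    """VCN route table first, then the DRG; [] when dst is unreachable.

    Without a VCN rule sending dst to the DRG the packet never enters the VPN,
    which is why slide 15 adds a rule for the new Subnet 3. Returns a list of
    (cpe, matched_static_route) over the connections that are up.
    """
    hops = longest_match(dst, vcn_route_rules.items())
    if not hops or hops[0][1] != "DRG":
        return []
    drg_routes = [(route, conn) for conn in connections if conn.up
                  for route in conn.static_routes]
    return [(conn.cpe, route) for route, conn in longest_match(dst, drg_routes)]


# Constructed sample: each site has its own CIDR plus the broad 0.0.0.0/0 route.
CONNECTIONS = [
    IPsecConnection("CPE1-Chicago", ["10.0.0.0/16", "0.0.0.0/0"]),
    IPsecConnection("CPE2-LosAngeles", ["10.10.0.0/16", "0.0.0.0/0"]),
]
VCN_RULES = {"10.0.0.0/16": "DRG", "10.10.0.0/16": "DRG"}
```

Setting `CONNECTIONS[0].up = False` reproduces slide 14: traffic for 10.0.0.0/16 falls through to CPE 2 over its 0.0.0.0/0 route, while a Subnet 3 address stays unreachable until the VCN route table gets a rule for it.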
