Establishing a Software VPN Tunnel between OCI and AWS

In this post we are setting up a tunnel between OCI and AWS following the steps explained here and similar to what we did here.

Step 1

Follow this post to set up a VPN headend in OCI.

Step 2

Create a VPC in AWS with one public and one private subnet.

Step 3

Create a virtual private gateway and attach to the VPC

Step 4

Create a customer gateway and assign the public IP of the OCI endpoint created in step1.

Step 5

Create a site to site VPN connection, associate the customer gateway, the virtual private gateway, set the static route of the encryptions domain subnet on the OCI side and leave the rest of the parameters as default.

Step 6

Create a couple of compute instances, one in the public subnet and the other in the private subnet. Reserve a public IP for the vm in the public subnet and assign to it. Create akeypair for ssh to the public instance.

Step 7

Create an internet gateway and attach to VPC

Step 8

Create a route table for the private subnet. Add a rote rule so that the traffic to the subnet in the OCI side goes through the virtual private gateway created previously.

Step 9

Create a route table for the public subnet with a rule that sends all the traffic trough the internet gateway created previously.

Step 10

Modify the ipsec.conf and ipsec.secrets with the public ip and encryption domain network of the AWS side following same approach as explained here.

Restart the ipsec service in the OCI side:

Check the status of the tunnel on the OCI side:

[root@left-vpninstance ipsec.d]# ipsec status
 000 using kernel interface: netkey
 000 "myvpn":   IKE algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
 000 "myvpn":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=
 000 Total IPsec connections: loaded 1, active 1
 000 State Information: DDoS cookies not required, Accepting new IKE connections
 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
 000 IPsec SAs: total(1), authenticated(1), anonymous(0)
 000 #3: "myvpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2614s; newest ISAKMP; lastdpd=3s(seq in:0 out:0); idle; import:admin initiate
 000 #4: "myvpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27805s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
 000 #4: "myvpn" esp.9395eeab@ esp.e4b1fd80@ tun.0@ tun.0@ ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B 
 000 Bare Shunt list:
 [root@left-vpninstance ipsec.d]# 

Check the tunnel on the AWS side:

Step 11

ssh to the public instance with the private key and user ec2-user:

When in the public instance, create a file with the private key and ssh to the private instance:

Ping to the private IP of the vpn endpoint in the OCI side:

So far so good, it seems we can reach the OCI side!

Let’s do the same from the OCI side pinging to the AWS side:

Ça y est, le travail est fini! Hope it helps! 🙂


  1. Scott Daniels

    Thanks, this is very helpful but I have a question – is the compute instance in the public subnet just being used for testing purposes? In other words, is it possible to setup an AWS to OCI VPN connection between private subnets without the need for Libreswan or some other compute instance needed for the tunnel termination?


      1. javier mugueta

        Hi, the solution proposed is aimed to solve use cases in which the endpoint doesn’t have the role of initiator, as normally happens with VPN as a service offerings in cloud vendors like Oracle OCI, AWS, Azure, etc..


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.