In this post we are setting up a tunnel between OCI and AWS following the steps explained here and similar to what we did here.
1. Follow this post to set up a VPN headend in OCI.
2. Create a VPC in AWS with one public and one private subnet.
3. Create a virtual private gateway and attach it to the VPC.
4. Create a customer gateway and assign it the public IP of the OCI endpoint created in step 1.
5. Create a site-to-site VPN connection: associate the customer gateway and the virtual private gateway, set a static route for the encryption domain subnet on the OCI side, and leave the remaining parameters at their defaults.
6. Create two compute instances, one in the public subnet and the other in the private subnet. Reserve a public IP and assign it to the VM in the public subnet. Create a key pair for SSH access to the public instance.
7. Create an internet gateway and attach it to the VPC.
8. Create a route table for the private subnet. Add a route rule so that traffic to the subnet on the OCI side goes through the virtual private gateway created previously.
9. Create a route table for the public subnet with a rule that sends all traffic through the internet gateway created previously.
10. Modify ipsec.conf and ipsec.secrets with the public IP and encryption domain network of the AWS side, following the same approach as explained here.
11. Restart the ipsec service on the OCI side:
12. Check the status of the tunnel on the OCI side:
[root@left-vpninstance ipsec.d]# ipsec status
000 using kernel interface: netkey
…
000 "myvpn":   IKE algorithm newest: AES_CBC_256-HMAC_SHA2_256-MODP2048
000 "myvpn":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #3: "myvpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2614s; newest ISAKMP; lastdpd=3s(seq in:0 out:0); idle; import:admin initiate
000 #4: "myvpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27805s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #4: "myvpn" email@example.com firstname.lastname@example.org email@example.com firstname.lastname@example.org ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000
000 Bare Shunt list:
000
[root@left-vpninstance ipsec.d]#
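The steps above say to edit ipsec.conf and ipsec.secrets for the AWS side without showing the result. The following script is an added example, not the post's own configuration: it renders a Libreswan connection whose proposals match the algorithms negotiated in the status output above (IKE AES-256/SHA2-256/MODP2048, ESP AES-128/SHA1) and writes the pre-shared key with restrictive permissions. Every IP address, subnet and the PSK value are constructed placeholders; the tunnel outside IP and PSK come from the AWS VPN connection's configuration download, and the assumption that leftid is the instance's public IP reflects OCI's 1:1 NAT in front of the headend.

```shell
#!/bin/sh
# Added example (not from the original post): render the Libreswan conn and
# PSK for the AWS tunnel on the OCI headend. All values are placeholders.

: "${OCI_PUBLIC_IP:=203.0.113.10}"    # public IP of the OCI Libreswan instance (placeholder)
: "${OCI_PRIVATE_IP:=10.10.0.5}"      # private IP on its VNIC, 1:1 NAT to the public IP
: "${OCI_SUBNET:=10.10.0.0/24}"       # encryption domain on the OCI side (placeholder)
: "${AWS_TUNNEL_IP:=198.51.100.20}"   # tunnel 1 "outside IP" from the AWS console (placeholder)
: "${AWS_SUBNET:=10.20.0.0/16}"       # AWS VPC CIDR (placeholder)
: "${AWS_PSK:=replace-with-psk-from-aws-console}"

render_conn() {
  # Write aws.conf and aws.secrets into $1 (default /etc/ipsec.d, which the
  # RHEL/Oracle Linux packaging includes from ipsec.conf and ipsec.secrets).
  dir=${1:-/etc/ipsec.d}
  cat > "$dir/aws.conf" <<EOF
conn aws
    authby=secret
    auto=start
    ikev2=no
    ike=aes256-sha2_256;modp2048
    phase2alg=aes128-sha1
    left=$OCI_PRIVATE_IP
    leftid=$OCI_PUBLIC_IP
    leftsubnet=$OCI_SUBNET
    right=$AWS_TUNNEL_IP
    rightsubnet=$AWS_SUBNET
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
EOF
  # The PSK is indexed by the public identities of both ends (assumption:
  # leftid is the public IP because the instance sits behind OCI's 1:1 NAT).
  cat > "$dir/aws.secrets" <<EOF
$OCI_PUBLIC_IP $AWS_TUNNEL_IP : PSK "$AWS_PSK"
EOF
  chmod 600 "$dir/aws.secrets"
}

apply_and_check() {
  # Validate the host, reload the daemon, and confirm one active connection
  # with an established IPsec SA.
  ipsec verify
  systemctl restart ipsec
  ipsec status | grep -E 'Total IPsec connections|IPsec SA established'
}

# Only touch the live system when explicitly asked: ./aws-conn.sh apply
if [ "${1:-}" = "apply" ]; then
  render_conn && apply_and_check
fi
```

Without the `apply` argument the script defines the functions and exits, so `render_conn /tmp/preview` can be used to inspect the generated files before they are placed under /etc/ipsec.d. Lifetimes are left at Libreswan's defaults, which is what the status output above reflects (the ISAKMP SA rekeys first, the IPsec SA much later).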
Check the tunnel on the AWS side:
SSH to the public instance with the private key and the user ec2-user:
Once on the public instance, create a file with the private key and SSH to the private instance:
Ping the private IP of the VPN endpoint on the OCI side:
So far so good, it seems we can reach the OCI side!
Let's do the same from the OCI side, pinging the AWS side:
That's it, the job is done! Hope it helps! 🙂
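The two ping tests above confirm reachability, but an established SA and a tunnel that actually carries traffic are different things: the status output earlier shows `ESPin=0B ESPout=0B` even though the IPsec SA is up. The script below is an added example, not code from the post. It reaches the private instance with an SSH ProxyJump through the public one, which keeps the key pair on the workstation instead of copying it onto the public instance, and it classifies `ipsec status` text from the OCI headend by whether ESP bytes have been counted in both directions. Addresses, the key path and the byte counts in the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end tunnel check.
# All hostnames, addresses and key paths are constructed placeholders.

: "${AWS_PUBLIC_IP:=198.51.100.30}"   # public (jump) instance in AWS (placeholder)
: "${AWS_PRIVATE_IP:=10.20.1.10}"     # private instance in AWS (placeholder)
: "${OCI_PRIVATE_IP:=10.10.0.5}"      # private IP of the OCI VPN headend (placeholder)
: "${SSH_KEY:=$HOME/.ssh/aws-keypair.pem}"

ping_from_private_subnet() {
  # Run from the workstation. -J hops through the public instance; the
  # private key is used locally for both hops and never leaves this host.
  ssh -i "$SSH_KEY" -J "ec2-user@$AWS_PUBLIC_IP" "ec2-user@$AWS_PRIVATE_IP" \
      ping -c 3 -W 2 "$OCI_PRIVATE_IP"
}

tunnel_state() {
  # Reads `ipsec status` output on stdin and prints one of:
  #   down        no IPsec SA established
  #   up-idle     SA established but no ESP bytes in either direction
  #   up-passing  SA established and ESP bytes counted both ways
  # Libreswan reports the counters as "Traffic: ESPin=<n>B ESPout=<n>B".
  status=$(cat)
  if ! printf '%s\n' "$status" | grep -q 'IPsec SA established'; then
    echo down
    return 0
  fi
  in_b=$(printf '%s\n' "$status" | sed -n 's/.*ESPin=\([0-9]*\)B.*/\1/p' | head -n 1)
  out_b=$(printf '%s\n' "$status" | sed -n 's/.*ESPout=\([0-9]*\)B.*/\1/p' | head -n 1)
  if [ "${in_b:-0}" -gt 0 ] && [ "${out_b:-0}" -gt 0 ]; then
    echo up-passing
  else
    echo up-idle
  fi
}

# Constructed sample lines in the shape of the status output shown earlier,
# before and after the ping test (the non-zero byte counts are made up).
sample_before_ping() {
  cat <<'EOF'
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #4: "myvpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27805s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #4: "myvpn" ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
EOF
}

sample_after_ping() {
  cat <<'EOF'
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #4: "myvpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27790s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #4: "myvpn" ref=0 refhim=0 Traffic: ESPin=336B ESPout=336B! ESPmax=4194303B
EOF
}

# Usage: ./tunnel-check.sh ping   (from the workstation)
#        ./tunnel-check.sh state  (on the OCI headend, after the ping)
case "${1:-}" in
  ping)  ping_from_private_subnet ;;
  state) ipsec status | tunnel_state ;;
esac
```

Run `ping` first, then `state` on the headend: `up-passing` means the ICMP echoes were encapsulated in both directions; `up-idle` after a successful ping points at routing (the private subnet's route table or the OCI-side route to the AWS CIDR) rather than at IKE or the PSK.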
Thanks, this is very helpful, but I have a question: is the compute instance in the public subnet just being used for testing purposes? In other words, is it possible to set up an AWS to OCI VPN connection between private subnets without the need for Libreswan or some other compute instance for the tunnel termination?
NVM, I see where you are still using libreswan on the Google side in Step one.
Hi, the solution proposed is aimed at use cases in which the endpoint doesn't have the role of initiator, as normally happens with VPN-as-a-service offerings from cloud vendors like Oracle OCI, AWS, Azure, etc.