Let’s understand what is the meaning of site-to-site VPN? So there are some old names of this particular service. So if you hear VPN Connect or IPsec VPN, these are the old names of site-to-site VPN connection.
What does this site-to-site VPN connection do? It provides an IPsec connection between on-premise environment and Virtual Cloud Network. So if you have an on premise environment, along with your your Virtual Cloud Network. So you can have a DRG, Dynamic Routing Gateway, and a customer premises equipment over here. So using these you can have IPsec connection that is established between the on-premise network and the Virtual Cloud Network.
Now, what is the meaning of this IPsec connection? This typically represents that the IP packets are going to be encrypted before they are transferred and decrypt when it arrives. So that is what is your IPsec protocol. Now remember, this communication, this happens over the internet. So the traffic traverses over the public internet, but it’s an encrypted connection.
Now, let’s look at the two modes of an IPsec connection. So it has two modes. The first mode is transport mode. And the second mode is tunnel mode.
Now, before you understand this, you have to understand, what is the difference between a header and a payload? Now, header, simply think of it like an envelope or the box. And this payload, think of it like the content or the data. So this header contains information about the packet, things like origin IP, destination IP. But the actual data, or the content, is what is your payload. So two things, header and payload.
Now, if you understand this, you will easily be able to understand transport mode. Because in case of transport mode, the header, it stays intact. And the IPsec protocol, that is going to encrypt only the actual payload. So this is what happens in your transport mode. Now, in case of tunnel mode, it’s going to encrypt and authenticate the entire packet.
And when I say entire packet, it includes both header and the payload. So why is this important? This is important because OCI supports tunnel mode. So the tunnel mode is supported by Oracle.
So now, let’s talk about, what are the advantages of site-to-site VPN connection?
The first advantage is it is cost effective. I already mentioned that the communication traverses through public internet, which means there is no need for dedicated lease lines. So it is not required. And hence, it is cost effective. The second advantage is it is quick to set up. Usually, if you would like to conduct a POC, you can very quickly set up a site-to-site VPN connection.
The third benefit is that the communication is encrypted. And whenever you create a site-to-site VPN connection, so each connection will have two tunnels. So tunnel one, tunnel two.
So basically, there are two redundant tunnels. And when you are configuring a site-to-site VPN connection, you have different choices with respect to the routing types. You can use static routing or you can use dynamic routing, which uses your BGP. And then there is also support for policy-based routing. So keep in mind that the routing is configured per tunnel because there are two tunnels. And the recommendation from Oracle is that if there are two tunnels, you have to use– or you have to configure the same routing type.
OK, so now, let’s look at the components of site-to-site VPN. So you have your on-premises environment. Then OCI region. Inside a region, you have a Virtual Cloud Network. You will create a dynamic routing gateway. And the dynamic routing gateway is attached to a VCN. Now, on the on-premise side, there is a customer premise equipment. And everything is running over the internet.
So what is CPE. And I will very specifically talk about the CPE object. When you create a site-to-site VPN connection, you need to provide CPE object, you need to provide the dynamic routing gateway. Actually, on premises side, this customer premises equipment can be either software based or hardware based.
Actually, the customer premises equipment lies on the on-prem site. But when we are creating a site-to-site VPN connection on the OCI side, then you need to provide a virtual representation of this particular device. And that virtual representation is your CPE object. So virtual representation of customer premises equipment, which actually is on the on-prem side. But we are creating this object on the OCI side.
Now, this customer premises equipment, it will have a public IP address. And this public IP address can have up to eight IPsec connections. Now, what is your IPsec connection? When you would like to create a site-to-site VPN connection, you create an IPsec connection. And when you create an IPsec connection, it basically connects the CPE object to the dynamic routing gateway on the OCI side.
So it basically represents a site-to-site VPN connection. I also mentioned that one connection is going to have two tunnels. And this is for redundancy purposes. Now, each tunnel is going to have some configuration information. For example, it is going to have a public IP address. It’s also going to contain a shared secret.
Now, when you are configuring your customer premises equipment on the on-prem side, you require this configuration information. And sometimes, what might happen is on the on-prem side, let’s say this is OCI, the CPE device may lie behind a NAT device. And It has a public IP address.
Now, by default, Oracle uses the customer premises equipment’s public IP address. But in case the customer premises equipment is behind the NAT device, you need to change the customer premises equipment internet key exchange identifier. And point it to the customer premises equipment private IP address. So please note that when it comes to internet key exchange, Oracle supports both internet key exchange version one and version two.
Recent Comments