Redundant VPN Connection to Oracle Cloud using BGP
The procedure in this article shows you how to set up a redundant VPN connection between the Cato Cloud and the Oracle cloud using BGP.
To set up an IKEv1 BGP connection with Oracle Cloud (OCI):
- From the Cato Management Application make sure that your account has two IP addresses that are appropriate to where your OCI Virtual Network resides. Go to Configuration > Global Settings > IP Allocation.
- Create a new site for the OCI. Make sure that the Native Range is the same as the Oracle Cloud VCN’s range.
- From the OCI portal, create your VCN if it doesn’t already exist.
- From the navigation pane, select Virtual Cloud Networks, and click Create Virtual Cloud Network.
- Give your VCN a name, a range and click Create Virtual Cloud Network.
- Create two Customer-Premises Equipment objects, one for each of the two CATO PoP IP addresses that you allocated in Step 1.
- Create the first Customer-Premises Equipment object, and configure it with the IP address for the first PoP.
- Create the second Customer-Premises Equipment object, and configure it with the IP address for the second PoP.
- From the left-hand navigation pane, select Dynamic Routing Gateways and click Create a Dynamic Routing Gateway.
- Enter the Name and click Create Dynamic Routing Gateway.
- From the left-hand navigation pane, select IPSec Connections, and click Create IPSec Connection.
You need to create two IPsec Connections.
- Create an IPSec connection using the first PoP Customer-Premises Equipment object.
Make sure to enter a Static Route CIDR near the bottom of the window. This can match the CATO Mobile VPN network (10.41.0.0/16) to keep things simple and uniform.
- From the Advanced Options > Tunnel 1 tab, configure these settings:
- Enter your own custom Shared Secret [32 character limit].
- From Routing Type, click the BGP Dynamic Routing option.
- In BGP ASN, enter the default CATO ASN of 64515.
- Set a CATO inside tunnel interface (CPE) IP address and an Oracle inside tunnel interface IP address.
- Click Create IPSec Connection.
- Repeat the previous two steps to create the second IPSec connection.
Make sure to use the second PoP Customer-Premises Equipment object.
- Save the Oracle Cloud IPSec peer IP addresses for each of the IPSec Connections that you created. You can find these IP addresses when you click on the IPSec connection name to show its details.
Ignore the generically labeled tunnel name in the details screen; you only need the VPN IP address of the tunnel that you specifically configured and labeled.
- From the CATO Management Application, from the navigation pane click Configuration > Sites and select the site for the Oracle VCN.
- Expand the IPsec section, set the Service Type to Generic, and make sure that the CATO PoP Peer IPs match the respective Oracle Cloud peer IPs.
- Make sure that the IP addresses inside the Cato IPsec tunnel match the respective Oracle Cloud peer IP addresses. In Private IPs:
- The IP address in Cato is the same as the IP address in CPE in the Oracle Cloud
- The IP address in Site is the same as the IP address in Oracle in the Oracle Cloud
- Set the Primary and Secondary PSK settings to match the Oracle Cloud’s Shared Secret.
Set your IKEv1 Phase 1 and Phase 2 Parameters to match the settings in the Oracle Cloud.
In general, you don't need to change the default Cato settings.
- In the Cato Management Application, configure the BGP Section for the site.
- Specify two BGP Neighbors. CATO’s default ASN is already set as 64515. This setting matches what you configured in the Advanced Options in the Oracle IPSec Tunnel configuration.
- Set the Oracle ASN (the neighbor) to 31898, and specify the Oracle inside interface IP address as the neighbor. This IP address matches what you defined in the IPSec settings section in step 11 above.
- Save the settings in the Cato Management Application.
- In the Oracle Cloud Portal, wait until your IPSec Connections are Available.
- You can validate Tunnel and BGP status in both Oracle Cloud and the CATO Management Application.
There are now two Customer-Premises Equipment objects in your VCN.
Note: Before clicking Create IPSec Connection, click the Show Advanced Options hyperlink at the bottom of the window.
Your two IPSec connections are in a Lifecycle state of Provisioning and can take up to 15 minutes before they are Available.
Note: Make sure to set a higher Metric value on the BGP neighbor for the PoP further away from your Oracle Region. In the example below, a metric of 101 is applied to the BGP Neighbor associated with the Cato New York PoP.
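As an added example (not part of the original article, and not Cato or Oracle tooling), the following Python pre-flight check compares the values entered on the Oracle side with the Cato site settings, using the ASNs, the shared-secret limit and the metric rule from the steps above. The dictionary keys, the `sample` values and the prefix-length notation for the inside tunnel addresses are assumptions made for the illustration.

```python
import ipaddress

CATO_ASN, ORACLE_ASN, PSK_MAX = 64515, 31898, 32  # values stated in the article

def check_tunnel(name, oci, cato):
    """Compare one OCI IPSec tunnel with its Cato-side settings; return mismatches."""
    cpe = ipaddress.ip_interface(oci["cpe_inside"])     # Cato end of the tunnel
    ora = ipaddress.ip_interface(oci["oracle_inside"])  # Oracle end of the tunnel
    ip = ipaddress.ip_address
    checks = [
        (len(oci["shared_secret"]) <= PSK_MAX, "shared secret exceeds 32 characters"),
        (oci["shared_secret"] == cato["psk"], "PSK differs from Oracle shared secret"),
        (oci["bgp_asn"] == CATO_ASN, "Oracle tunnel BGP ASN is not the Cato ASN"),
        (cato["neighbor_asn"] == ORACLE_ASN, "Cato neighbor ASN is not the Oracle ASN"),
        (cpe.network == ora.network and cpe.ip != ora.ip,
         "inside tunnel IPs are not two addresses in one subnet"),
        (ip(cato["peer_ip"]) == ip(oci["vpn_ip"]), "peer IP is not the Oracle VPN IP"),
        (ip(cato["private_ip_cato"]) == cpe.ip, "Private IP 'Cato' != Oracle 'CPE' IP"),
        (ip(cato["private_ip_site"]) == ora.ip, "Private IP 'Site' != Oracle 'Oracle' IP"),
        (ip(cato["bgp_neighbor_ip"]) == ora.ip, "BGP neighbor is not the Oracle inside IP"),
    ]
    return [f"{name}: {msg}" for ok, msg in checks if not ok]

def check_site(near, far):
    """Check both tunnels; `far` is the PoP further from the Oracle region."""
    errs = check_tunnel("near", *near) + check_tunnel("far", *far)
    if not far[1]["metric"] > near[1]["metric"]:
        errs.append("far: BGP metric must be higher than the nearer PoP's")
    return errs

def sample(n, metric):
    """Constructed sample values (private/documentation ranges, placeholder secret)."""
    oci = {"shared_secret": f"placeholder-secret-{n}", "bgp_asn": 64515,
           "cpe_inside": f"10.255.{n}.1/30", "oracle_inside": f"10.255.{n}.2/30",
           "vpn_ip": f"203.0.113.{n}"}
    cato = {"psk": oci["shared_secret"], "neighbor_asn": 31898, "metric": metric,
            "peer_ip": oci["vpn_ip"], "private_ip_cato": f"10.255.{n}.1",
            "private_ip_site": f"10.255.{n}.2", "bgp_neighbor_ip": f"10.255.{n}.2"}
    return oci, cato

if __name__ == "__main__":
    near, far = sample(1, 100), sample(2, 101)
    print(check_site(near, far) or "settings are consistent")
    far[1]["private_ip_site"] = "10.255.2.1"  # Site and CPE addresses swapped
    print(check_site(near, far))
```

In practice, load the real shared secrets from a secrets store at run time rather than writing them into the script.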
- Validating the Oracle Cloud:
- Validating the Cato Management Application:
The following screenshots show how to set the default route over the IPSec connection from Oracle to Cato.