Redundant VPN Connection to Oracle Cloud using BGP

The procedure in this article shows you how to set up a redundant VPN connection between the Cato Cloud and the Oracle Cloud using BGP.

To set up an IKEv1 BGP connection with Oracle Cloud (OCI):

  1. From the Cato Management Application make sure that your account has two IP addresses that are appropriate to where your OCI Virtual Network resides. Go to Configuration > Global Settings > IP Allocation.

  2. Create a new site for the OCI. Make sure that the Native Range is the same as the Oracle Cloud VCN’s range.

  3. From the OCI portal, create your VCN if it doesn’t already exist.

  4. From the navigation pane, select Virtual Cloud Networks, and click Create Virtual Cloud Network.

  5. Give your VCN a name, a range and click Create Virtual Cloud Network.

  6. Create two Customer-Premises Equipment objects, one for each of the two CATO PoP IP addresses that you allocated in Step 1.

    1. Create the first Customer-Premises Equipment object, and configure it with the IP address for the first PoP.

    2. Create the second Customer-Premises Equipment object, and configure it with the IP address for the second PoP.


      There are now two Customer-Premises Equipment objects in your VCN.

  7. From the left-hand navigation pane, select Dynamic Routing Gateways and click Create a Dynamic Routing Gateway.

  8. Enter the Name and click Create Dynamic Routing Gateway.

  9. From the left-hand navigation pane, select IPSec Connections, and click Create IPSec Connection.

    You need to create two IPsec Connections.

    1. Create an IPSec connection using the first PoP Customer-Premises Equipment object.

      Make sure to enter a Static Route CIDR near the bottom of the window. This can match the CATO Mobile VPN network (10.41.0.0/16) to keep things simple and uniform.

      Note: Before clicking Create IPSec Connection, click the Show Advanced Options hyperlink at the bottom of the window.

    2. From the Advanced Options > Tunnel 1 tab, configure these settings:

      1. Enter your own custom Shared Secret [32 character limit].

      2. From Routing Type, click the BGP Dynamic Routing option.

      3. In BGP ASN, enter the default CATO ASN of 64515.

      4. Set a CATO inside tunnel interface (CPE) IP address and an Oracle inside tunnel interface IP address.

      5. Click Create IPSec Connection.

    3. Repeat the previous two steps to create the second IPSec connection.

      Make sure to use the second PoP Customer-Premises Equipment object.


      Your two IPSec connections are in a Lifecycle state of Provisioning and can take up to 15 minutes before they are Available.

  10. Save the Oracle Cloud IPSec peer IP addresses for each of the IPSec Connections that you created. You can find these IP addresses when you click on the IPSec connection name to show its details.

    Ignore the generically labeled tunnel name in the details screen. You only need the VPN IP address of the tunnel that you specifically configured and labeled.

  11. From the CATO Management Application, from the navigation pane click Configuration > Sites and select the site for the Oracle VCN.

    1. Expand the IPsec section, set the Service Type to Generic, and make sure that the CATO PoP Peer IPs match the respective Oracle Cloud peer IPs.

    2. Make sure that the IP addresses inside the Cato IPsec tunnel match the respective Oracle Cloud peer IP addresses. In Private IPs:

      • The IP address in Cato is the same as the IP address in CPE in the Oracle Cloud

      • The IP address in Site is the same as the IP address in Oracle in the Oracle Cloud

    3. Set the Primary and Secondary PSK settings to match the Oracle Cloud’s Shared Secret.

    4. Set your IKEv1 Phase 1 and Phase 2 Parameters to match the settings in the Oracle Cloud.

      In general, you don't need to change the default Cato settings.

  12. In the Cato Management Application, configure the BGP Section for the site.

    1. Specify two BGP Neighbors. CATO’s default ASN is already set as 64515. This setting matches what you configured in the Advanced Options in the Oracle IPSec Tunnel configuration.

    2. Set the Oracle ASN (the neighbor) to 31898, and specify the Oracle inside interface IP address as the neighbor. This IP address matches what you defined in the IPSec settings section in step 11 above.

    Note: Make sure to set a higher Metric value on the BGP neighbor for the PoP further away from your Oracle Region. In the example below, a metric of 101 is applied to the BGP Neighbor associated with the Cato New York PoP.

  13. Save the settings in the Cato Management Application.

  14. In the Oracle Cloud Portal, wait until your IPSec Connections are Available.

  15. You can validate Tunnel and BGP status in both Oracle Cloud and the CATO Management Application.

    • Validating the Oracle Cloud:

    • Validating the Cato Management Application:

    • Before updating the routes in the Oracle Cloud, first make sure that your Dynamic Routing Gateway is attached to your Oracle Virtual Cloud Network. Click Dynamic Routing Gateways and select your DRG.

    • From the navigation pane, click Virtual Cloud Networks.

    • Confirm that your DRG is attached to your VCN. If it is not, attach it now.

    • Update your routing table to send the appropriate traffic over the IPSec connection.

      The following screenshots show how to set the default route over the IPSec connection from Oracle to Cato.

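
A pre-flight consistency check for the values entered on both sides in steps 9 to 12, as an added example that is not part of the original article or of any Cato or Oracle tooling. The record layout, field names, addresses and secrets are constructed for illustration; the ASNs, the 32-character secret limit and the matching rules are the ones stated in the steps above.

```python
import ipaddress

CATO_ASN, ORACLE_ASN, PSK_MAX = 64515, 31898, 32  # values stated in the procedure

def check_tunnels(tunnels):
    """Return mismatch descriptions for the two-tunnel setup; never echoes secrets."""
    problems = []
    if len(tunnels) != 2:
        problems.append("expected exactly two tunnels")
    for t in tunnels:
        name, oci, cato = t["name"], t["oci"], t["cato"]
        cpe = ipaddress.ip_interface(oci["inside_cpe"])     # Cato end of the tunnel
        ora = ipaddress.ip_interface(oci["inside_oracle"])  # Oracle end of the tunnel
        checks = [
            (0 < len(oci["shared_secret"]) <= PSK_MAX, f"shared secret length outside 1-{PSK_MAX}"),
            (oci["shared_secret"] == cato["psk"], "PSK differs between Oracle and Cato"),
            (oci["cpe_asn"] == CATO_ASN, "Oracle BGP ASN field is not the Cato ASN"),
            (cato["neighbor_asn"] == ORACLE_ASN, "Cato neighbor ASN is not the Oracle ASN"),
            (cato["peer_ip"] == oci["vpn_ip"], "Cato peer IP is not the Oracle VPN IP"),
            (cato["private_ip_cato"] == str(cpe.ip), "Cato private IP != Oracle CPE inside IP"),
            (cato["private_ip_site"] == str(ora.ip), "Site private IP != Oracle inside IP"),
            (cato["bgp_neighbor"] == str(ora.ip), "BGP neighbor is not the Oracle inside IP"),
            (cpe.network == ora.network and cpe.ip != ora.ip, "inside IPs not in one subnet"),
        ]
        problems += [f"{name}: {msg}" for ok, msg in checks if not ok]
    # Redundancy: each tunnel needs its own PoP address and a distinct BGP metric.
    if len({t["oci"]["cpe_public_ip"] for t in tunnels}) != len(tunnels):
        problems.append("both tunnels use the same PoP (CPE) address")
    if len({t["cato"]["metric"] for t in tunnels}) != len(tunnels):
        problems.append("BGP metrics are equal; raise the one for the farther PoP")
    return problems

def make_tunnel(name, pop, vpn, cpe, ora, psk, metric):
    """Build one constructed sample record (hypothetical layout, made-up values)."""
    return {"name": name,
            "oci": {"cpe_public_ip": pop, "vpn_ip": vpn, "inside_cpe": cpe,
                    "inside_oracle": ora, "shared_secret": psk, "cpe_asn": CATO_ASN},
            "cato": {"peer_ip": vpn, "private_ip_cato": cpe.split("/")[0],
                     "private_ip_site": ora.split("/")[0], "psk": psk,
                     "bgp_neighbor": ora.split("/")[0], "neighbor_asn": ORACLE_ASN,
                     "metric": metric}}

SAMPLE = [  # constructed values; documentation-range addresses, placeholder secrets
    make_tunnel("primary", "203.0.113.10", "198.51.100.5",
                "192.168.100.1/30", "192.168.100.2/30", "constructed-secret-A", 100),
    make_tunnel("secondary", "203.0.113.20", "198.51.100.6",
                "192.168.100.5/30", "192.168.100.6/30", "constructed-secret-B", 101),
]

if __name__ == "__main__":
    print(check_tunnels(SAMPLE) or "all checks passed")
```

Fill the records from what you entered in the Oracle portal and the Cato Management Application before saving in step 13; an empty result means the two sides agree.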
