We’re pleased to announce the general availability of multiple encryption domain support for internet protocol security (IPSec) virtual private networks (VPNs) in Oracle Cloud Infrastructure (OCI) in all commercial regions, excluding Tokyo, Seoul, Mumbai, Jeddah, Melbourne, San Jose, Dubai, Newport, and Santiago. These remaining regions are enabled by the end of May 2021. With this enhancement, you can now specify multiple pairs of source and destination CIDRs for encryption when using a policy-based IPSec VPN implementation with the Oracle Cloud Infrastructure VPN service.
The IPSec protocol uses security associations (SAs) to decide how to encrypt or decrypt specific traffic. For each SA, a defined encryption domain maps interesting traffic based on a packet’s source and destination IP address. In other words, the source and destination IP addresses on both ends of the tunnel are encrypted and forwarded to the IPSec peer on the other side. The encryption domain must match on both sides to successfully negotiate an IPSec VPN tunnel.
Customers using legacy, policy-based VPN devices might not be able to use a route-based IPSec VPN with a single encryption domain. They might require multiple, discontiguous on-premises networks to forward interesting traffic across the VPN tunnel to resources in Oracle Cloud.
With the multiple encryption domain enhancement for policy-based VPN, customers can now define multiple on-premises and Oracle Cloud CIDRs in OCI to match a multiple encryption domain IPSec VPN configuration on their customer-premises equipment (CPE). This system provides customers with improved interoperability with policy-based VPNs and more flexibility in defining specific interesting traffic for their VPN tunnel. They don’t need to summarize their policy encryption domains into a less specific single entry or use a route-based VPN. For more information on this concept and how it pertains to OCI, see Supported Encryption Domain or Proxy ID.
If you created your IPSec Connection from November 2020 onwards, you can likely edit your existing tunnels in your IPSec connection to use policy-based VPN by selecting the policy-based option. All your previously configured settings, such as pre-shared keys, IKE version, and Oracle VPN IP addresses, remain the same. You also need to configure IPSec on your CPE to match the new policy-based configuration.
If you don’t see an option to change your tunnel to policy-based, create a new IPSec Connection to use a policy-based VPN. You also have to reconfigure your preshared keys, IKE version, and other IPSec connection-related settings for this connection. Both tunnels in the IPSec Connection will also have new Oracle VPN IP addresses. Configure IPSec on your CPE to match the new policy-based configuration and update the IPSec peer IP address on your CPE to match the new Oracle VPN IP address for each tunnel.
Open the navigation menu in the OCI Console, go to Networking, and click VPN Connections.
Create an IPSec Connection. Click Show Advanced Options and select Policy Based Routing as the routing type for your tunnels.
Input on-premises and Oracle Cloud CIDRs.
Under Associations input all on-premises and Oracle Cloud CIDRs that need to communicate over the VPN tunnel. You can provide multiple on-premises and Oracle Cloud CIDRs.
That’s it for configuring multiple encryption domains! After selecting all your other IPSec VPN options, you can click Create IPSec Connection. When the IPSec connection has been provisioned, configure your CPE. For more info on how to configure your CPE, see Verified CPE Devices for CPE configuration guides or use the CPE Configuration Helper tool.
Thank you for your interest in multiple encryption domain support for policy-based IPSec VPNs in OCI. This blog details how a policy-based IPSec VPN is configured in Oracle Cloud Infrastructure. You need to make similar changes on the CPE to enable successful communication between on-premises and Oracle Cloud. We encourage you to read more about this feature in the available documentation and provide any product feedback that you have in the comments.