Aviatrix Gateway to Oracle DRG

This document describes how to configure an IPsec tunnel between an Aviatrix Gateway and an Oracle Dynamic Routing Gateway (DRG).

gw2drg

Deployment

For this use case, we will create an IPsec connection from DRG first and then configure a Site2Cloud connection at the Aviatrix Controller.

Creating an IPsec Connection from DRG

Prerequisites

  1. You have a DRG created and attached to a VCN.

  2. You have an Aviatrix Gateway provisioned in a VPC/VNet. You will need this gateway’s public IP address and its VPC/VNet CIDR for the steps below.

  1. Log in to your Oracle Cloud Console and create a route rule for the DRG.

    We need to modify the desired route table and create a route rule to take any traffic destined for the Aviatrix Gateway’s VPC/VNet CIDR and route it to the DRG.

    1. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    2. Click your VCN.

    3. Select the desired route table(s) for your VCN.

    4. Click Edit Route Rules.

    5. Create a new route rule as following and save it.

      Field Description

      Target Type

      Dynamic Route Gateway

      Destination CIDR Block

      Aviatrix GW’s VPC/VNet CIDR (172.19.0.0/16 in this example)

      Target Dynamic Routing Gateway

      Select the desired existing DRG

    vcn_route_table
  2. Log in to your Oracle Cloud Console and create security rules.

    We will edit the security list associated with your VCN subnets. We need to add two new rules: one ingress rule for traffic coming from the Aviatrix Gateway’s VPC/VNet and one egress rule for traffic destinating to the Aviatrix Gateway’s VPC/VNet.

    1. Under Core Infrastructure, go to Networking and click Virtual Cloud Networks.

    2. Click your VCN.

    3. Select the desired security list(s) associated with your subnets.

    4. Click Edit All Rules.

    5. In Allowed Rule for Ingress section, enter the following values to create a rule to allow incoming traffic from Aviatrix Gateway’s VPC/VNet.

      Field Description

      Source Type

      CIDR

      Source CIDR

      Aviatrix GW’s VPC/VNet CIDR (172.19.0.0/16 in this example)

      IP Protocols

      All Protocols

      vcn-security-rule-ingress
    6. In Allowed Rule for Egress section, enter the following values to create a rule to allow outgoing traffic to the Aviatrix Gateway’s VPC/VNet.

      Field Description

      Destination Type

      CIDR

      Destination CIDR

      Aviatrix GW’s VPC/VNet CIDR (172.19.0.0/16 in this example)

      IP Protocols

      All Protocols

      vcn-security-rule-egress
  3. Create a CPE object.

    In this task, we create the CPE object, which is a logical representation of the Aviatrix Gateway.

    1. Under Core Infrastructure, go to Networking and click Customer-Premises Equipment.

    2. Click Create Customer-Premises Equipment.

    3. Enter the following values and click Create.

      Field Description

      Create in Compartment

      Leave as is (the VCN’s compartment)

      Name

      A descriptive name for the CPE object

      IP Address

      Public IP address of Aviatrix Gateway

      Tags

      Optional

      cpe
  4. From the DRG, create an IPsec connection to the CPE object.

    1. Under Core Infrastructure, go to Networking and click Dynamic Routing Gateways.

    2. Click the DRG created earlier.

    3. Click Create IPsec Connection.

    4. Enter the following values and click Create IPsec Connection.

      Field Description

      Create in Compartment

      Leave as is (the VCN’s compartment)

      Name

      A descriptive name for the IPsec connection

      Customer-Premises Equipment Compartment

      Leave as is (the VCN’s compartment)

      Customer-Premises Equipment

      Select the CPE object created earlier

      Static Route CIDR

      Aviatrix GW’s VPC/VNet CIDR (172.19.0.0/16 in this example)

      Tags

      Optional

      ipsec-connection
    5. Once the IPsec connection enters the Available state, click the Action icon (three dots), and then click Tunnel Information. Please copy the IP Address of the VPN headend and the Shared Secret for configuring a Site2Cloud connection at the Aviatrix Controller.

      ipsec-info
  5. Log in to the Aviatrix Controller.

  6. Follow the steps in Site2Cloud Tutorial. Use this table for specific field values.

    Field Description

    VPC ID/VNet Name

    Select the Aviatrix Gateway’s VPC/VNet

    Connection Type

    Unmapped

    Connection Name

    A descriptive name for the Site2Cloud connection

    Remote Gateway Type

    Oracle

    Tunnel Type

    UDP

    Encryption over ExpressRoute/ Direct Connect

    Unchecked

    Enable HA

    Unchecked

    Primary Cloud Gateway

    Select the desired Aviatrix Gateway

    Remote Gateway IP Address

    Enter the IP Address copied from Oracle IPsec connection

    Pre-shared Key

    Enter the Shared Secret copied from Oracle IPsec connection

    Remote Subnet

    Enter Oracle VCN’s CIDR (10.1.1.0/24 in this example)

    Local Subnet

    Enter Aviatrix Gateway’s VPC/VNet CIDR (Or leave it blank)

    s2c-config

Test

Once complete, test the communication using the tunnel by sending traffic between instances in the Aviatrix Gateway’s VPC/VNet and Oracle VCN.

Log in to the Aviatrix Controller and go to the Site2Cloud page. Verify that the Site2Cloud connection created above is "Up" in Status.

s2c-status

Troubleshoot

Wait 2-3 minutes for the tunnel to come up. If it does not come up within that time, check the IP addresses to confirm they are accurate. Additional troubleshooting is available in the Diagnostics tab.

Appendix: Enable HA

You can enable HA for an Aviatrix Site2Cloud connection to Oracle DRG. Please add following extra steps to the configuration.

gw2drg-ha

Creating an Aviatrix HA Gateway

Before creating a Site2Cloud connection, follow https:/docs.aviatrix.com/Solutions/gateway_ha.html[this] guide’s Backup Gateway and Tunnel HA section to create Aviatrix HA gateway in the same VPC/VNet.

Creating a Second IPsec Connection Between the Same DRG and Aviatrix HA Gateway

From the Oracle Cloud console, create a second IPsec connection between the same DRG and Aviatrix HA Gateway.

  1. Create a new CPE at Oracle Cloud Console for the Aviatrix HA Gateway:

    Field Description

    Create in Compartment

    Leave as is (the VCN’s compartment)

    Name

    A descriptive name for the second CPE object

    IP Address

    Public IP address of Aviatrix HA Gateway

    Tags

    Optional

  2. Create a new IPsec connection at Oracle Cloud Console for the Aviatrix HA Gateway:

    Field Description

    Create in Compartment

    Leave as is (the VCN’s compartment)

    Name

    A descriptive name for the second IPsec connection

    Customer-Premises Equipment Compartment

    Leave as is (the VCN’s compartment)

    Customer-Premises Equipment

    Select the second CPE object created earlier

    Static Route CIDR

    Aviatrix GW’s VPC/VNet CIDR (172.19.0.0/16 in this example)

    Tags

    Optional

  3. Once the second IPsec connection enters the Available state, click the Action icon (three dots), and then click Tunnel Information. Please copy the IP Address of the VPN headend and the Shared Secret.

Create Aviatrix Site2Cloud Connection with HA

From the Aviatrix Controller > Site2Cloud page, click + Add New. Under Add a New Connection, make sure the Enable HA checkbox is marked.

Additional fields are displayed when checked. All other fields should have the same values as corresponding ones without HA.

Field Description

Backup Gateway

Select the Aviatrix HA Gateway just created

Remote Gateway IP Address(Backup)

Enter the IP Address copied from the second IPsec connection

Pre-shared Key(Backup)

Enter the Shared Secret copied from the second IPsec connection