Configure All Tunnels for Every IPSec Connection

Oracle deploys two IPSec headends for each of your connections to provide high availability for your mission-critical workloads. […] headends are on different routers for redundancy purposes. Oracle recommends configuring all available tunnels for maximum redundancy.

Have Redundant CPEs in Your On-Premises Network Locations

Each of your sites that connects with IPSec to Oracle Cloud Infrastructure should have redundant edge devices (also known as customer-premises equipment (CPE)). […] Oracle Console and create a separate IPSec connection between your dynamic routing gateway […] For each IPSec connection, Oracle provisions two tunnels on geographically redundant IPSec headends.

When you create a Site-to-Site VPN IPSec connection, it has […] Oracle encourages you to configure your CPE to use both tunnels (if your CPE supports it). In the past, Oracle created IPSec connections that had up to four IPSec tunnels.

The following three routing types are available, and you choose the routing type separately for each tunnel in the Site-to-Site VPN:

- BGP dynamic routing: The available routes are learned dynamically through BGP. The DRG dynamically learns the routes from your on-premises network. On the Oracle side, the DRG advertises the VCN's subnets.
- Static routing: When you set up the IPSec connection to the DRG, you specify the particular routes to your on-premises network that you want the VCN to know about. You also must configure your CPE device with static routes to the VCN's subnets. These routes are not learned dynamically.
- Policy-based routing: When you set up the IPSec connection to the DRG, you specify the particular routes to your on-premises network that you want the VCN to know about. You also must configure your CPE device with static routes to the VCN's subnets. These routes are not learned dynamically.

For more information about routing with Site-to-Site VPN, including Oracle recommendations on how to manipulate the BGP best path selection algorithm, see Routing for Site-to-Site VPN.

Other Important CPE Configurations

Ensure that access lists on your CPE are configured correctly to not block necessary traffic from or to Oracle Cloud Infrastructure.

If you have multiple tunnels up simultaneously, you might experience asymmetric routing. To allow for asymmetric routing, ensure that your CPE is configured to handle traffic coming from your VCN on any of the tunnels. To disable ICMP inspection, configure TCP state bypass. […] the appropriate configuration, contact your CPE vendor's support. […] routing to be symmetric, refer to Routing for Site-to-Site VPN.

Oracle uses asymmetric routing across the multiple tunnels that make up the IPSec connection. […] Otherwise, ping tests or application traffic across the connection don’t work reliably.

When you use multiple tunnels to Oracle Cloud Infrastructure, Oracle recommends that you configure your routing to deterministically route traffic […] If you want to use one IPSec tunnel as primary and another as backup, configure more-specific routes for the primary tunnel (BGP) and less-specific routes (summary or default route) for the backup tunnel (BGP/static). Otherwise, if you advertise the same route (for example, a default route) through all tunnels, return traffic from your VCN to your on-premises network routes to any […] This is because Oracle uses asymmetric routing.

For specific Oracle routing recommendations about how to force symmetric routing, see Routing for Site-to-Site VPN.

Route-Based or Policy-Based Site-to-Site VPN

If your CPE supports only policy-based tunnels, be aware of the following