Monday, August 28, 2023

Oracle OCI Site-to-Site VPN to Meraki Switch - Part 2


We started the workshop in the previous blog, "Oracle OCI Site-to-Site VPN to Meraki Switch - Part 1", where we covered the steps to create the DRG, attach it to the VCN, update the private subnet's route table, and create the security list.
In this blog, we complete the workshop by creating the Site-to-Site VPN configuration and then configuring the Cisco Meraki switch.

Step #6: Create Site-to-Site VPN

We will use the wizard to set up the Site-to-Site VPN. The wizard creates a Site-to-Site VPN between your on-premises network and your Oracle VCN, including the IPSec encrypted tunnels and the customer-premises equipment (CPE) object that represents your on-premises device.

1. Open the navigation menu, click “Networking”, and then click “Site-to-Site VPN”.












2. Click “Start VPN wizard”.







3. In the “Create Site-to-Site VPN” dialog, on the “Basic information” page, select the VCN’s compartment and the VCN name, then click “Next”. The DRG and IGW fields are populated automatically.



















On the “Subnets and security” page, choose the “Select existing security list” option, then click “Choose subnets” to pick the private subnet.











In the “Choose subnets” dialog, select the private subnet and click “Choose subnets”.











Make sure to select the security list created in step #4 of the previous blog.






In the “Site-to-Site VPN” window, enter and select the options below, then click “Next”.
  • VPN name
  • Routing type: Policy-based routing. With policy-based routing, the CIDR blocks entered here and in the tunnel settings become the IPSec traffic selectors, so they must match the Meraki configuration exactly.
  • Routes to your on-premises network: In our example, 10.8.8.0/24










In the "Tunnel 1 & 2 information" section, select the options below for each tunnel.
  • IKE version: IKEv1. This is what the workshop uses; OCI also supports IKEv2, and whichever version you choose must be configured identically on the Meraki side.
  • On-premises CIDR blocks: In our example, 10.8.8.0/24
  • Oracle Cloud CIDR blocks (the OCI side): In our example, 172.40.40.0/24


















In the “CPE” window, enter the information below, then click “Next”.
  • CPE name
  • IP address: The public IP address of your CPE device. In our example, 142.35.140.32
  • Vendor: Other




















In the “Review and create” window, click “Create VPN solution” at the bottom. Once provisioning completes, the VPN state changes to “Available”.









4. Click the VPN name to collect the tunnel information. The following information is required to configure the on-premises Meraki switch.

Note: Oracle provisions two IPSec tunnels for redundancy, but a Meraki non-Meraki VPN peer can connect to only one of them at a time, so this workshop uses Tunnel 1 only.

Tunnel 1 public IP address (the Oracle VPN IP address)









Tunnel 1 shared secret (treat this like any other credential: copy it directly into the Meraki peer configuration and keep it out of tickets, chat and screenshots)
















Phase details: click the Tunnel 1 name, then open the “Phase details” tab. Collect the following for both Phase 1 (IKE) and Phase 2 (IPSec); the Meraki custom IPSec policy must match them exactly.
  • Encryption algorithm
  • Authentication (hash) algorithm
  • Diffie-Hellman group (Phase 1) and PFS group (Phase 2)
  • Lifetime in seconds
















Step #7: Configure Cisco Meraki Switch


  1. Open the Meraki Dashboard.
  2. Navigate to the Site-to-Site VPN settings page (Security & SD-WAN > Site-to-site VPN).
  3. Select “Hub (Mesh)” as the type.
  4. Enable the VPN only for the subnets listed in your IPSec connection (10.8.8.0/24 in our example). With policy-based routing this list is the traffic selector, so one subnet too few or one too many will cause the entire connection to fail.
  5. Add a Non-Meraki VPN Peer:

  • Give it a name.
  • Set “Public IP” to the public IP of Oracle VPN Tunnel 1.
  • Leave “Remote ID” blank.
  • Set “Private subnets” to the Oracle VCN’s private subnet CIDR block, 172.40.40.0/24 in our example.
  • Set “IPSec policies” to “Custom” and enter the Phase 1 and Phase 2 parameters collected from the OCI tunnel in step #6.
  • Enter the OCI tunnel “shared secret” collected in step #6.
  • Set “Availability” to all networks.
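As an added example (not part of the original post, and not Oracle or Meraki tooling), the Python below models the values collected from the OCI tunnel in step #6 and the non-Meraki peer entered in step #7, and checks that the two ends agree: peer IP, shared secret, IKE version, Phase 1 and Phase 2 parameters, and, because the tunnel is policy-based, that the subnet lists on both sides match exactly. All sample values (the 203.0.113.10 documentation address, the placeholder secret, the algorithm names and lifetimes) are constructed and are not OCI defaults; replace them with the values from your own console.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class PhaseParams:
    """One IKE/IPSec phase as shown on the OCI tunnel's "Phase details" tab."""
    encryption: str
    authentication: str
    dh_group: int            # Diffie-Hellman group (Phase 1) or PFS group (Phase 2)
    lifetime_seconds: int


@dataclass(frozen=True)
class OciTunnel:
    oracle_vpn_ip: str                 # "Oracle VPN IP address" of the tunnel
    shared_secret: str                 # tunnel "Shared secret"
    ike_version: str
    onprem_cidrs: Tuple[str, ...]      # on-premises CIDR blocks (CPE side)
    oracle_cidrs: Tuple[str, ...]      # Oracle Cloud CIDR blocks (OCI side)
    phase1: PhaseParams
    phase2: PhaseParams


@dataclass(frozen=True)
class MerakiPeer:
    name: str
    public_ip: str                     # "Public IP" of the non-Meraki peer
    remote_id: str                     # the post says: leave blank
    private_subnets: Tuple[str, ...]   # remote (OCI) subnets reachable via this peer
    local_vpn_subnets: Tuple[str, ...] # local subnets with VPN enabled on the Meraki side
    preshared_secret: str
    ike_version: str
    phase1: PhaseParams
    phase2: PhaseParams


def _normalized(cidrs: Tuple[str, ...]) -> List[str]:
    """Canonical sorted CIDRs so "172.40.40.0/24" and "172.40.40.5/24" compare equal."""
    return sorted(str(ipaddress.ip_network(c, strict=False)) for c in cidrs)


def check_peer_config(oci: OciTunnel, meraki: MerakiPeer) -> List[str]:
    """Return a list of mismatches between the OCI tunnel and the Meraki peer; empty means OK."""
    findings: List[str] = []
    if meraki.public_ip != oci.oracle_vpn_ip:
        findings.append(f"peer public IP {meraki.public_ip} != Oracle VPN IP {oci.oracle_vpn_ip}")
    if meraki.remote_id:
        findings.append("remote ID should be left blank for this setup")
    if meraki.preshared_secret != oci.shared_secret:
        findings.append("pre-shared secret does not match the OCI tunnel shared secret")
    if meraki.ike_version.upper() != oci.ike_version.upper():
        findings.append(f"IKE version mismatch: OCI={oci.ike_version} Meraki={meraki.ike_version}")
    # Policy-based tunnels: the traffic selectors must match exactly, in both directions.
    if _normalized(meraki.private_subnets) != _normalized(oci.oracle_cidrs):
        findings.append(f"Meraki private subnets {_normalized(meraki.private_subnets)} "
                        f"do not match Oracle CIDR blocks {_normalized(oci.oracle_cidrs)}")
    if _normalized(meraki.local_vpn_subnets) != _normalized(oci.onprem_cidrs):
        findings.append(f"Meraki local VPN subnets {_normalized(meraki.local_vpn_subnets)} "
                        f"do not match on-premises CIDR blocks {_normalized(oci.onprem_cidrs)}")
    # Every phase parameter must be identical or IKE negotiation fails.
    for label, a, b in (("phase1", oci.phase1, meraki.phase1), ("phase2", oci.phase2, meraki.phase2)):
        for attr in ("encryption", "authentication", "dh_group", "lifetime_seconds"):
            if getattr(a, attr) != getattr(b, attr):
                findings.append(f"{label} {attr} mismatch: OCI={getattr(a, attr)} Meraki={getattr(b, attr)}")
    return findings


# Constructed sample values (not OCI defaults): read the real ones from the tunnel's Phase details tab.
P1 = PhaseParams(encryption="AES-256-CBC", authentication="SHA2-256", dh_group=14, lifetime_seconds=28800)
P2 = PhaseParams(encryption="AES-256-CBC", authentication="SHA2-256", dh_group=14, lifetime_seconds=3600)

OCI_TUNNEL_1 = OciTunnel(
    oracle_vpn_ip="203.0.113.10",            # placeholder documentation address
    shared_secret="example-psk-replace-me",  # placeholder, not a real secret
    ike_version="IKEv1",
    onprem_cidrs=("10.8.8.0/24",),
    oracle_cidrs=("172.40.40.0/24",),
    phase1=P1, phase2=P2)

MERAKI_PEER = MerakiPeer(
    name="oci-tunnel-1", public_ip="203.0.113.10", remote_id="",
    private_subnets=("172.40.40.0/24",), local_vpn_subnets=("10.8.8.0/24",),
    preshared_secret="example-psk-replace-me", ike_version="IKEv1",
    phase1=P1, phase2=P2)

# Two deliberate misconfigurations: one subnet too many, and a wrong Phase 1 DH group.
MERAKI_PEER_EXTRA_SUBNET = replace(MERAKI_PEER, private_subnets=("172.40.40.0/24", "172.40.41.0/24"))
MERAKI_PEER_WRONG_DH = replace(MERAKI_PEER, phase1=replace(P1, dh_group=5))

if __name__ == "__main__":
    for peer in (MERAKI_PEER, MERAKI_PEER_EXTRA_SUBNET, MERAKI_PEER_WRONG_DH):
        print(peer.name, check_peer_config(OCI_TUNNEL_1, peer) or "OK")
```

Run it before touching the dashboard: a clean result means the Meraki peer reproduces the OCI tunnel parameters; any finding names the exact field to fix, which is far quicker than reading IKE negotiation failures out of the VPN logs afterwards.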





















Step #8: Test connection

Once the Meraki switch configuration is complete, the Oracle tunnel status changes to Up.






We’re all done provisioning; you should now be able to ping and SSH from on-premises to the Oracle compute instance in the private subnet (172.40.40.60 in our example), because the security list from Part 1 admits that traffic from 10.8.8.0/24.

You can access VPN logs as shown below.















The workshop is complete. The IPSec VPN connection between your on-premises network and the Oracle VCN private subnet is ready!


Oracle OCI Site-to-Site VPN to Meraki Switch - Part 1


Site-to-Site VPN offers a simple and secure way to connect your on-premises network to Oracle Cloud Infrastructure over your existing internet connection. Traffic is protected with IPSec, a protocol suite that uses industry-standard encryption and integrity algorithms, and then tunneled across the public internet.
In this workshop, we will see the steps to set up a Site-to-Site VPN to a Cisco Meraki switch with a simple layout that you might use for a proof of concept (PoC). The workshop is covered over two blog posts.



Prerequisites:

  • An Oracle Cloud free trial or paid account.
  • An OCI VCN with a private subnet and a route table.
  • An OCI Linux compute instance in the VCN’s private subnet.

Assumptions:

  • OCI VCN CIDR: 172.40.0.0/16
  • OCI private subnet CIDR: 172.40.40.0/24
  • OCI VM private IP: 172.40.40.60
  • Public IP address of your CPE device: 142.35.140.32
  • On-premises private subnet CIDR: 10.8.8.0/24
  • Routing type: Policy-based
  • Cisco device: Meraki

Note: 172.40.0.0/16 is outside RFC 1918 private space (172.16.0.0/12 ends at 172.31.255.255). It works for a PoC, but in production use an RFC 1918 range for the VCN so that it never collides with public addresses reachable from on-premises.
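As an added example (not part of the original post), the Python below runs the address plan from the assumptions above through the checks a practitioner would do before creating anything: the subnet sits inside the VCN, the test VM sits inside the subnet, the on-premises and VCN ranges do not overlap (they become the IPSec traffic selectors with policy-based routing), both private sides are RFC 1918 space, and the CPE address is a public IP. It uses only the standard library; the values are the ones listed in this post.

```python
import ipaddress
from typing import List

# Address plan from the workshop assumptions (values copied from this post).
VCN_CIDR = "172.40.0.0/16"
OCI_SUBNET_CIDR = "172.40.40.0/24"
OCI_VM_IP = "172.40.40.60"
ONPREM_CIDR = "10.8.8.0/24"
CPE_PUBLIC_IP = "142.35.140.32"

# RFC 1918 private address space.
RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def is_rfc1918(cidr: str) -> bool:
    """True if the whole CIDR lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_address_plan(vcn_cidr: str, oci_subnet_cidr: str, oci_vm_ip: str,
                       onprem_cidr: str, cpe_public_ip: str) -> List[str]:
    """Return a list of problems with the address plan; an empty list means it is clean."""
    findings: List[str] = []
    vcn = ipaddress.ip_network(vcn_cidr)
    subnet = ipaddress.ip_network(oci_subnet_cidr)
    onprem = ipaddress.ip_network(onprem_cidr)
    vm = ipaddress.ip_address(oci_vm_ip)
    cpe = ipaddress.ip_address(cpe_public_ip)

    # Hierarchy: the subnet must sit inside the VCN and the test VM inside the subnet.
    if not subnet.subnet_of(vcn):
        findings.append(f"OCI subnet {subnet} is not inside VCN {vcn}")
    if vm not in subnet:
        findings.append(f"OCI VM {vm} is not inside subnet {subnet}")

    # Policy-based IPSec uses the two ranges as traffic selectors; overlapping ranges
    # cannot be routed correctly on either side.
    if vcn.overlaps(onprem):
        findings.append(f"VCN {vcn} overlaps on-premises {onprem}")

    # Both private sides should be RFC 1918 space so they never collide with public addresses.
    for label, net in (("VCN", vcn), ("on-premises", onprem)):
        if not is_rfc1918(str(net)):
            findings.append(f"{label} CIDR {net} is not RFC 1918 private space")

    # The CPE address entered in the OCI wizard must be a public, globally routable IP.
    if not cpe.is_global:
        findings.append(f"CPE address {cpe} is not a public IP")
    return findings


if __name__ == "__main__":
    for finding in check_address_plan(VCN_CIDR, OCI_SUBNET_CIDR, OCI_VM_IP, ONPREM_CIDR, CPE_PUBLIC_IP):
        print("WARNING:", finding)
```

On the plan in this post the only warning is the non-RFC 1918 VCN range; everything else passes. The same function is worth running against any proposed plan before the route table and security list in steps #3 and #4 are written, since both of them hard-code the on-premises CIDR.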


Step #1: Create Dynamic Routing Gateway (DRG)

1. Open the navigation menu and click “Networking”. Under “Customer connectivity”, click “Dynamic routing gateway”.













2. In Dynamic routing gateway screen, click “Create Dynamic Routing Gateways”.






3. In “Create Dynamic Routing Gateways” dialog window, enter DRG name and select the compartment where you want to put your DRG, then click “Create Dynamic Routing Gateways”.












Step #2: Attach the DRG to the VCN

1. Click the name of the DRG you created.
2. Under “Resources” section, click “Virtual Cloud Networks Attachment”.
3. Click “Create Virtual Cloud Network Attachment”.





4. In the “Create Virtual Cloud Network Attachment” dialog, enter the attachment name and select the VCN. Ignore the advanced options section; it is only for transit routing, which is not relevant here. Click “Create Virtual Cloud Network Attachment”.













Step #3: Update Existing Private Subnet’s Route Table

If you already have an existing VCN with a subnet, you don't need to create a route table or subnet. Instead, update the existing subnet's route table to include a route rule for the DRG.
We need to add the route rule below.

Destination CIDR                               Target Type              Target     Route Type
On-premises private subnet CIDR: 10.8.8.0/24   Dynamic Routing Gateway  DRG name   Static

1. Open the navigation menu, click “Networking”, and then click “Virtual cloud networks”.
2. Click your VCN.
3. Under “Resources” section, click “Route Tables”. Click private subnet’s route table name.









4. In Route Table screen, click “Add Route Rules”.








5. In “Add Route Rules” dialog window, enter below information then click “Add Route Rules”.

- Target Type: Dynamic Routing Gateway
- Destination Type: CIDR Block
- Destination CIDR Block: On-premises private subnet CIDR. In our example, 10.8.8.0/24



























Step #4: Create a Security List

By default, incoming traffic to the instances in your VCN is denied on all ports and all protocols. In this task, you add one ingress rule and one egress rule to allow the traffic the PoC needs. Allowing all protocols and ports from the on-premises subnet is acceptable for a PoC; in production, narrow the ingress rule to what you actually use (for example ICMP echo and TCP/22 for the ping and SSH test in Part 2).

We need to add the ingress and egress rules below.

Ingress/Egress   CIDR                                           Protocol: Port
Ingress          On-premises private subnet CIDR: 10.8.8.0/24   All: All
Egress           On-premises private subnet CIDR: 10.8.8.0/24   All: All


1. Open the navigation menu, click “Networking”, and then click “Virtual cloud networks”.
2. Click your VCN.
3. Under “Resources” section, click “Security Lists”. Click “Create Security List”.
4. In “Create Security List” dialog window, enter security list name, select the same compartment as VCN, enter Ingress & Egress rules listed in above table. Click “Create Security List”.
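The table above is the PoC rule set. As an added example that is not part of the original post, the Python below writes both that rule set and a narrower one (ICMP echo and TCP/22 only, which is all the ping and SSH test in Part 2 needs) using the field names of OCI's IngressSecurityRule/EgressSecurityRule JSON, the shape the OCI CLI's --ingress-security-rules file://... option accepts, and includes a small evaluator that shows which flows each set admits under OCI's default-deny, stateful behaviour. The source addresses used to exercise it are constructed.

```python
import ipaddress
import json
from typing import Dict, List, Optional

ONPREM_CIDR = "10.8.8.0/24"

# Rules use OCI's security-rule JSON field names: "protocol" is an IANA number as a
# string ("1" ICMP, "6" TCP) or "all"; rules are stateful unless isStateless is true.
POC_INGRESS: List[Dict] = [
    {"source": ONPREM_CIDR, "protocol": "all", "isStateless": False},
]
POC_EGRESS: List[Dict] = [
    {"destination": ONPREM_CIDR, "protocol": "all", "isStateless": False},
]

# Narrower ingress set: only what the Part 2 connectivity test uses.
HARDENED_INGRESS: List[Dict] = [
    {"source": ONPREM_CIDR, "protocol": "1", "isStateless": False,
     "icmpOptions": {"type": 8}},                                        # ICMP echo request (ping)
    {"source": ONPREM_CIDR, "protocol": "6", "isStateless": False,
     "tcpOptions": {"destinationPortRange": {"min": 22, "max": 22}}},    # SSH
]


def ingress_allowed(rules: List[Dict], src_ip: str, protocol: str,
                    dport: Optional[int] = None, icmp_type: Optional[int] = None) -> bool:
    """Default DENY; a flow is admitted if any rule matches it (stateful: replies need no rule)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src not in ipaddress.ip_network(rule["source"], strict=False):
            continue
        if rule["protocol"] == "all":
            return True
        if rule["protocol"] != protocol:
            continue
        if protocol == "6" and "tcpOptions" in rule:
            port_range = rule["tcpOptions"]["destinationPortRange"]
            if dport is None or not (port_range["min"] <= dport <= port_range["max"]):
                continue
        if protocol == "1" and "icmpOptions" in rule:
            if icmp_type != rule["icmpOptions"]["type"]:
                continue
        return True
    return False


if __name__ == "__main__":
    # Emit the hardened rules in the form a file:// argument to the OCI CLI expects.
    print(json.dumps(HARDENED_INGRESS, indent=2))
    for label, rules in (("PoC", POC_INGRESS), ("hardened", HARDENED_INGRESS)):
        print(label, "RDP from on-prem:", ingress_allowed(rules, "10.8.8.15", "6", dport=3389))
        print(label, "SSH from on-prem:", ingress_allowed(rules, "10.8.8.15", "6", dport=22))
```

Because the rules are stateful, the egress rule to 10.8.8.0/24 is only needed for connections the OCI instance initiates toward on-premises; replies to inbound SSH and ping are admitted automatically, so a hardened list can keep that egress rule or drop it depending on whether the instance needs to call home.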






























Step #5: Add Security List to Existing Private Subnet

1. Open the navigation menu, click “Networking”, and then click “Virtual cloud networks”.
2. Click your VCN.
3. Under “Resources” section, click “Subnets”. Click private subnet name.


4. In the private subnet screen, click “Add Security List”.




5. In “Add Security List” dialog window, select security list’s compartment and select security list created in step #4. Click “Add Security List”.











In the next blog, we will cover the steps to create the Site-to-Site VPN and configure the Cisco Meraki switch.
Next blog => Oracle OCI Site-to-Site VPN to Meraki Switch - Part 2
