
Oracle® Cloud

Setting Up VPN from Corente Services Gateway On-Premises to the Shared Network

E72381-10

February 2017

Documentation for setting up VPN access for Oracle Compute Cloud Service, Oracle Java Cloud Service, and Oracle Database Cloud Service instances.

Oracle Cloud Setting Up VPN from Corente Services Gateway On-Premises to the Shared Network, E72381-10
Copyright © 2016, 2017, Oracle and/or its affiliates. All rights reserved.

Primary Author: Sylaja Kannan

Contributors: Anirban Ghosh, Kumar Dhanagopal, Kunal Rupani, Neeraj Sharma

This software and related documentation are provided under a license agreement containing restrictions on
use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your
license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,
transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse
engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is
prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If
you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on
behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software,
any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are
"commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-
specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the
programs, including any operating system, integrated software, any programs installed on the hardware,
and/or documentation, shall be subject to license terms and license restrictions applicable to the programs.
No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications.
It is not developed or intended for use in any inherently dangerous applications, including applications that
may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you
shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its
safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this
software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of
their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are
used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron,
the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro
Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products,
and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly
disclaim all warranties of any kind with respect to third-party content, products, and services unless
otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates
will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party
content, products, or services, except as set forth in an applicable agreement between you and Oracle.
Contents

Preface  v
    Audience  v
    Conventions  v

1 About Setting Up VPN Using Corente Services Gateway  1-1

2 Setting Up Corente Services Gateway in Your Data Center
    Preparing Your Environment  2-1
    Preparing Your Host  2-1
    Setting Up Virtualization  2-2
    Setting Up Networking  2-4
    Downloading and Installing the Corente Services Gateway  2-7

3 Setting Up Corente Services Gateway on Oracle Cloud
    Defining a Location Configuration for the Cloud Gateway  3-1
    Creating an Orchestration for the Boot Volume  3-3
    Creating an Orchestration for the Networking Objects  3-3
    Creating an Orchestration for the GRE-Enabled Compute Service Instance  3-4
    Starting the Orchestrations  3-5

4 Establishing Partnership Between Your On-Premises Gateway and Cloud Gateway  4-1

5 Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud
    Creating a New Linux Instance and Configuring a GRE Tunnel  5-1
    Configuring a GRE Tunnel on Running Linux Instances  5-5
    Configuring a GRE Tunnel on a Windows Instance  5-6
        Creating a Windows Server 2012 R2 Client Instance  5-6
        Creating a GRE Tunnel on a Windows Guest Instance  5-7
Preface

Setting Up VPN Using a Third-Party VPN Device describes how to set up Corente Services Gateway for secure access to your Oracle Compute Cloud Service, Oracle Java Cloud Service, and Oracle Database Cloud Service instances.

Topics

• Audience

• Conventions

Audience

This document is intended for administrators of Oracle Compute Cloud Service, Oracle Java Cloud Service, and Oracle Database Cloud Service.

Conventions

This table describes the text conventions used in this document.

Convention   Meaning
boldface     Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic       Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospace    Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.
1 About Setting Up VPN Using Corente Services Gateway

You can set up VPN access to Oracle Cloud Service instances by installing Corente Services Gateway, an Oracle-provided IPsec solution, both in your data center and in Oracle Cloud.
Topics

• Understanding the Architecture and Key Components of the Solution

• Workflow for Setting Up VPN Using Corente Services Gateway

Note: The following other VPN solutions are available for instances in multitenant sites:

• VPN access through a third-party gateway in your data center to instances attached to the Oracle-provided shared network. See Setting Up VPN from a Third-Party Gateway On-Premises to the Shared Network.

• VPN access through a third-party gateway or Corente Services Gateway in your data center to instances attached to an IP network defined by you in the cloud. See the following documentation:

  – Setting Up VPN From a Corente Services Gateway to an IP Network in Oracle Cloud

  – Setting Up VPN From a Third-Party Gateway to an IP Network in Oracle Cloud

Understanding the Architecture and Key Components of the Solution

About Setting Up VPN Using Corente Services Gateway 1-1


• App Net Manager Service Portal: App Net Manager is a secure web portal that you use to create, configure, modify, delete, and monitor the components of your Corente-powered network.

• Corente Services Gateway: Corente Services Gateway acts as a proxy that facilitates secure access and data transfer in the VPN solution. The solution consists of two separate installations of Corente Services Gateway:

  – The first gateway (referred to as the on-premises gateway) is installed on a host in your on-premises data center. The gateway may be run as a guest VM on your physical host.

    Set up the on-premises gateway manually on a host with Internet access in your data center. One edge of this on-premises gateway connects to the Internet to establish connectivity with the Corente Services Gateway installed in Oracle Cloud; the other edge communicates with the hosts or virtual machines of your users and administrators in your private network.

    Manually set routes in your on-premises environment to direct packets for the Oracle Cloud GRE tunnel subnets (for example, 172.16.1.0/25, specified in Creating a New Linux Instance and Configuring a GRE Tunnel) to the Corente Services Gateway installed in your data center.

    Your administrators can access the App Net Manager service portal only from a computer connected to the Corente Services Gateway installed in your data center. Direct access to App Net Manager — without the Corente Services Gateway in your data center — is not permitted.

  – The second gateway (referred to as the cloud gateway) is installed on an Oracle Compute Cloud Service instance running on Oracle Cloud.

    Your Oracle Compute Cloud Service account can contain multiple sites. You must set up the cloud gateway on each site.

    After setting up the cloud gateway, manually set up and configure a Generic Routing Encapsulation (GRE) tunnel from your Oracle Compute Cloud Service instances (virtual machines) to the Corente Services Gateway running on another Oracle Compute Cloud Service instance. On each site, create the GRE tunnel between the Oracle Compute Cloud Service instances and the cloud gateway on that same site.
Workflow for Setting Up VPN Using Corente Services Gateway

Each task is listed with the component it corresponds to in the architectural diagram and where to find more information.

Task: Create and configure your account on Oracle Cloud.
Component in the architectural diagram: It's a prerequisite.
For more information: See Getting an Oracle.com Account in Getting Started with Oracle Cloud.

Task: Obtain a trial or paid subscription to Oracle Compute Cloud Service. After you subscribe to Oracle Compute Cloud Service, you will get your Corente credentials through email after you receive the Oracle Compute Cloud Service welcome email. Note down the Corente account credentials that you received by email.
Component in the architectural diagram: It's a prerequisite.
For more information: See How to Begin with Oracle Compute Cloud Service Subscriptions in Using Oracle Compute Cloud Service (IaaS).

Task: Set up a Corente Services Gateway (on-premises gateway) in your data center.
Component in the architectural diagram: Corente Services Gateway running in your data center, as shown in the architecture diagram.
For more information: See Setting Up Corente Services Gateway in Your Data Center.

Task: Set up Corente Services Gateway (cloud gateway) on Oracle Cloud.
Component in the architectural diagram: Corente Services Gateway running on an Oracle Compute Cloud Service instance, as shown in the architecture diagram.
For more information: See Setting Up Corente Services Gateway on Oracle Cloud.

Task: Establish partnership between your on-premises gateway and cloud gateway.
Component in the architectural diagram: This is the dashed line between the two gateways, as shown in the architecture diagram.
For more information: See Establishing Partnership Between Your On-Premises Gateway and Cloud Gateway.

Task: Configure a GRE tunnel on your Oracle Compute, Database, and Java Cloud Service instances.
Component in the architectural diagram: GRE tunnel from Oracle Compute Cloud Service instances 1, 2, and 3, as shown in the architecture diagram.
For more information: See Creating a New Linux Instance and Configuring a GRE Tunnel; Configuring a GRE Tunnel on Running Linux Instances; and Configuring a GRE Tunnel on a Windows Instance.
2 Setting Up Corente Services Gateway in Your Data Center

You must set up Corente Services Gateway in your data center. This section provides steps to install Corente Services Gateway on a virtual machine in your data center. In this procedure, you're installing Corente Services Gateway to run as a guest VM on your host.

Topics

• Preparing Your Environment

• Preparing Your Host

• Setting Up Virtualization

• Setting Up Networking

• Downloading and Installing the Corente Services Gateway

Preparing Your Environment

Prepare your on-premises environment as follows:

1. Ensure that you have sudo privilege on the host where the gateway will be installed.

2. Run the following commands:

   a. Set the path:

      PATH=$PATH:/usr/sbin:/sbin

   b. If you're using a proxy, set the HTTP proxy and the HTTPS proxy, as in the following example:

      export http_proxy=your_http_proxy_server:port
      export https_proxy=your_https_proxy_server:port

Note: The instructions in this section are specific to Oracle Linux 6. For other versions of Linux, the instructions may vary. For more information, see your operating system documentation.

Preparing Your Host

Prepare your host as follows:

• Verify that you have at least 40 GB of free disk space on the host where the on-premises gateway will be installed. If the partition used by /var/lib/libvirt/images/ is small, mount the directory on a larger disk.

• If you're using a physical node/box, make sure that virtualization is enabled in the BIOS. You can usually find this option under Security in the BIOS.

• If you're using a virtual machine, verify support for virtualization as follows:

  1. Log in as the root user.

  2. Run the following command:

     modprobe -v kvm-intel

     If this command fails with fatal errors, it indicates a problem.

  3. Run the following command:

     egrep '^flags.*(vmx|svm)' /proc/cpuinfo

     If this command produces no output, it indicates a problem.

  4. Use the following command to see whether /var/log/messages contains messages such as "KVM not supported by hardware/BIOS":

     # grep -i kvm /var/log/messages

  5. If your hardware/BIOS does not support KVM, contact your IT administrator to enable nested virtualization on your VM.

Setting Up Virtualization

After preparing the host for the installation, you need to set up virtualization.

Note: If you encounter fatal errors while preparing your host for the installation, contact your IT administrator to fix the errors before proceeding with virtualization.

1. If the /etc/avahi/avahi-daemon.conf file exists on your host, modify the file as follows:

   Change #disallow-other-stacks=no to #disallow-other-stacks=yes.

   Note: If the /etc/avahi/avahi-daemon.conf file is not present, you can do this step later, after the yum installation.

2. Check /etc/login.defs, and add the following lines if they are absent:

   SYS_GID_MIN 2000
   SYS_GID_MAX 9000

3. Verify the existence of the group and user qemu with ID 107 by running the following commands:

   grep qemu /etc/group
   grep qemu /etc/passwd

   If the group and user are not found, create them:

   a. Add a group qemu if there isn't one:

      # groupadd qemu

   b. Check /etc/group, and change the group ID of qemu to 107:

      # groupmod -g 107 qemu

      Note: If group ID 107 is taken, assign a new ID to the application using it, and use group ID 107 for qemu.

   c. Add the user qemu to group qemu if there isn't one:

      # useradd qemu -g qemu

   d. Check /etc/passwd, and change the user ID of qemu to 107:

      # usermod -u 107 qemu

   e. Verify, using id qemu or the following grep commands, that the user qemu has 107 as both its user ID and its group ID:

      -bash-4.1$ grep qemu /etc/group
      qemu:x:107:
      -bash-4.1$ grep qemu /etc/passwd
      qemu:x:107:107::/:/sbin/nologin

4. Run yum update to get the latest versions of all packages.

5. Install KVM, libvirt, qemu, and the other packages required for the setup:

   # yum install kvm qemu-kvm python-virtinst libvirt libvirt-python virt-manager libguestfs-tools tunctl -y

   If the installation of the packages fails with the error "invalid GPG key", import the GPG key as follows and then run yum install again:

   -bash-4.1$ locate GPG
   /etc/pki/rpm-gpg/RPM-GPG-KEY
   /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
   /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-test
   /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
   /usr/share/rhn/RPM-GPG-KEY
   -bash-4.1$ rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

6. Run the following command to check the status of messagebus:

   # service messagebus status

   If the status is stopped, start messagebus:

   # service messagebus start

7. If the avahi-daemon service is installed, verify its status:

   # service avahi-daemon status

   If the status is stopped, start avahi-daemon:

   # service avahi-daemon start

8. Check the status of the libvirtd service:

   # service libvirtd status

   If the status is stopped, start the libvirtd service:

   # service libvirtd start

   If the status is dead with a subsys lock, stop the service and start it again:

   # service libvirtd stop
   # service libvirtd start

9. Add /sbin/service avahi-daemon start and /sbin/service libvirtd start to the /etc/rc.d/rc.local file, so that these services are started automatically whenever the host is rebooted.

10. Run the following commands:

    # modprobe -v kvm
    # modprobe -v kvm-intel
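The checks in Preparing Your Host and Setting Up Virtualization above can be collected into one pre-flight script and re-run before the gateway VM is created. The following is an added example, not part of the Oracle document: each check takes the file it inspects as an argument so that it can be exercised against copies or test fixtures, and the --system option (an assumption of this script) runs all of them against the Oracle Linux 6 paths the steps name.

```shell
#!/bin/sh
# Pre-flight checks for the on-premises gateway host (added example, not from the
# Oracle document). Every function returns 0 when the check passes; the file to
# inspect is always passed in, so the checks are testable without root.

# Preparing Your Host, step 3: a CPU flags line must carry vmx (Intel) or svm (AMD).
has_virt_flags() {
    grep -Eq '^flags.*(vmx|svm)' "$1"
}

# Preparing Your Host, step 4: the system log must not report KVM as unsupported.
# A missing log file is treated as "nothing reported".
kvm_log_clean() {
    [ ! -f "$1" ] && return 0
    ! grep -qi 'KVM not supported by hardware/BIOS' "$1"
}

# Setting Up Virtualization, step 2: login.defs must carry the system GID range.
login_defs_ok() {
    grep -Eq '^SYS_GID_MIN[[:space:]]+2000' "$1" &&
    grep -Eq '^SYS_GID_MAX[[:space:]]+9000' "$1"
}

# Setting Up Virtualization, step 3e: group qemu and user qemu must both be ID 107.
# $1 = group file, $2 = passwd file
qemu_ids_ok() {
    grep -q '^qemu:x:107:' "$1" &&
    grep -q '^qemu:x:107:107:' "$2"
}

# Run every check against the live host paths named in the procedure and report
# each failure; returns 1 if any check fails.
preflight_system() {
    rc=0
    has_virt_flags /proc/cpuinfo       || { echo "FAIL: no vmx/svm flag in /proc/cpuinfo"; rc=1; }
    kvm_log_clean /var/log/messages    || { echo "FAIL: KVM reported unsupported in /var/log/messages"; rc=1; }
    login_defs_ok /etc/login.defs      || { echo "FAIL: SYS_GID_MIN/SYS_GID_MAX missing in /etc/login.defs"; rc=1; }
    qemu_ids_ok /etc/group /etc/passwd || { echo "FAIL: qemu user/group is not ID 107"; rc=1; }
    [ "$rc" -eq 0 ] && echo "All host checks passed"
    return "$rc"
}

# Stand-alone use: sh preflight.sh --system
case "${1:-}" in
    --system) preflight_system ;;
esac
```

Run it with --system on the prepared host; a non-zero exit means at least one of the listed steps still needs attention before continuing with the yum installation.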

Setting Up Networking

Topics

• Setting Up Virtual Bridge for NAT (virbr0)

• Configuring Bridge Interfaces

Setting Up Virtual Bridge for NAT (virbr0)

In this procedure, you're setting up a virtual bridge for NAT (virbr0).

1. Every standard libvirt installation provides out-of-the-box NAT-based connectivity to virtual machines. This network is referred to as the default virtual network. Verify this default network by running the following command:

   # virsh net-list --all

   If the default virtual network is present, you should see virbr0 in the output of brctl show, as in the following example:

   # brctl show
   bridge name     bridge id               STP enabled     interfaces
   virbr0          8000.000000000000       yes

2. (Optional) If you don't see the default virtual network (virbr0), run the following commands:

   # virsh net-define /usr/share/libvirt/networks/default.xml
   # virsh net-autostart default
   # virsh net-start default

   Note: If you see the error "dnsmasq: failed to set SO_REUSE{ADDR|PORT} on DHCP socket: Protocol not available", run the following commands to install a newer version of dnsmasq. The archive is fetched over plain HTTP and installed as root, so verify it against the signature the dnsmasq project publishes for the release before building it:

   # wget http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.73.tar.gz
   # tar xvzf dnsmasq-2.73.tar.gz
   # cd dnsmasq-2.73
   # make install
   # cp /usr/local/sbin/dnsmasq /usr/sbin

   Now run steps 1 and 2 again.

Configuring Bridge Interfaces

The following diagram illustrates the configuration of bridge interfaces:

Note: The names of network interfaces in the diagram are examples only.

Bridge interfaces are created in the host operating system to accommodate the networking requirements of guest VMs.

Interface   Description
br0         Bridge for the Internet. The host's PHY interface for the Oracle Cloud Network connects to this bridge.
br1         Bridge for private networking between your on-premises Corente Services Gateway and your on-premises hosts.
virbr0      Backup bridge for NAT; this may not be used.

You must create two bridges on the host and two virtual interfaces on your on-premises gateway and connect them, as illustrated in the diagram. The WAN interface connects to the Internet, and the LAN interface is for your internal network.

Complete the following steps:

1. If NetworkManager is present in chkconfig, disable NetworkManager so that bridging can be supported using the classical network service:

   # chkconfig NetworkManager off
   # chkconfig network on
   # service NetworkManager stop
   # service network start

2. Create the bridges and modify the physical interfaces in the /etc/sysconfig/network-scripts directory as follows:

   ifcfg-br0:

   DEVICE=br0
   TYPE=Bridge
   BOOTPROTO=static
   IPADDR=
   NETMASK=
   DELAY=0
   NM_CONTROLLED=no

   Note: Enter the IP address and the subnet mask of your host's Internet physical interface (eth0, in this example).

   ifcfg-eth0:

   DEVICE=eth0
   HWADDR=90:E2:BA:80:40:34
   TYPE=Ethernet
   BRIDGE=br0
   NM_CONTROLLED=no

   In addition, remove the following lines from ifcfg-eth0:

   IPADDR
   NETMASK
   BOOTPROTO

   ifcfg-br1:

   DEVICE=br1
   TYPE=Bridge
   IPADDR=192.168.37.10
   NETMASK=255.255.255.0
   BOOTPROTO=static
   DELAY=0
   NM_CONTROLLED=no

   ifcfg-eth1:

   DEVICE=eth1
   HWADDR=00:10:E0:5F:9A:B3
   TYPE=Ethernet
   UUID=521fffed-8905-465a-a0ec-ea4739c62871
   NM_CONTROLLED=no
   BRIDGE=br1

   Connecting eth1 to br1 is optional.
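The ifcfg entries in step 2 are easy to get wrong by hand: a leftover IPADDR or BOOTPROTO on the enslaved interface, or NM_CONTROLLED left unset, puts the interface back under NetworkManager or gives it an address of its own alongside the bridge. The following added example, not part of the Oracle document, renders the bridge and slave files from the table above and lints existing ones for exactly those leftovers before the network service is restarted in the next step. The interface names, the 203.0.113.10 address and the MAC addresses in the demo are examples only.

```shell
#!/bin/sh
# Added example (not from the Oracle document): render and lint the ifcfg files
# for the br0/eth0 and br1/eth1 pairs described in step 2. Interface names,
# addresses and MACs are examples only.

# Print ifcfg content for a bridge with a static address (br0/br1 in the table).
# $1 = bridge name, $2 = IP address, $3 = netmask
render_bridge_ifcfg() {
    printf 'DEVICE=%s\nTYPE=Bridge\nBOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\nDELAY=0\nNM_CONTROLLED=no\n' \
        "$1" "$2" "$3"
}

# Print ifcfg content for the physical interface attached to a bridge. Addressing
# lives on the bridge, so IPADDR/NETMASK/BOOTPROTO are deliberately absent.
# $1 = interface name, $2 = MAC address, $3 = bridge name
render_slave_ifcfg() {
    printf 'DEVICE=%s\nHWADDR=%s\nTYPE=Ethernet\nBRIDGE=%s\nNM_CONTROLLED=no\n' \
        "$1" "$2" "$3"
}

# Lint an existing bridge ifcfg file; returns 0 when it matches the table
# (a bridge with an empty IPADDR=, as in the br0 template, fails here).
lint_bridge_ifcfg() {
    file=$1
    rc=0
    grep -q '^TYPE=Bridge$' "$file"      || { echo "$file: TYPE must be Bridge"; rc=1; }
    grep -q '^BOOTPROTO=static$' "$file" || { echo "$file: BOOTPROTO must be static"; rc=1; }
    grep -Eq '^IPADDR=[0-9.]+$' "$file"  || { echo "$file: IPADDR is empty or missing"; rc=1; }
    grep -Eq '^NETMASK=[0-9.]+$' "$file" || { echo "$file: NETMASK is empty or missing"; rc=1; }
    grep -q '^NM_CONTROLLED=no$' "$file" || { echo "$file: NM_CONTROLLED must be no"; rc=1; }
    return "$rc"
}

# Lint an existing slave ifcfg file: it must point at a bridge, stay out of
# NetworkManager's hands, and carry none of the address keys step 2 says to remove.
lint_slave_ifcfg() {
    file=$1
    rc=0
    for key in IPADDR NETMASK BOOTPROTO; do
        if grep -q "^$key=" "$file"; then
            echo "$file: remove $key (addressing belongs on the bridge)"
            rc=1
        fi
    done
    grep -q '^BRIDGE=' "$file"           || { echo "$file: missing BRIDGE="; rc=1; }
    grep -q '^NM_CONTROLLED=no$' "$file" || { echo "$file: NM_CONTROLLED must be no"; rc=1; }
    return "$rc"
}

# Stand-alone use: sh bridge_ifcfg.sh --demo prints the four files for the
# example addresses (203.0.113.10 is a documentation address standing in for
# the host's real Internet-facing IP).
case "${1:-}" in
    --demo)
        echo "# ifcfg-br0";  render_bridge_ifcfg br0 203.0.113.10 255.255.255.0
        echo "# ifcfg-eth0"; render_slave_ifcfg eth0 90:E2:BA:80:40:34 br0
        echo "# ifcfg-br1";  render_bridge_ifcfg br1 192.168.37.10 255.255.255.0
        echo "# ifcfg-eth1"; render_slave_ifcfg eth1 00:10:E0:5F:9A:B3 br1 ;;
esac
```

Point lint_slave_ifcfg at the existing /etc/sysconfig/network-scripts/ifcfg-eth0 before restarting the network: it names each address key that still has to be removed.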

3. Verify the bridge interfaces by running the following command:

   # brctl show

   You should see output as in the following example:

Downloading and Installing the Corente Services Gateway

Download the Corente Gateway Image and use this image file to create a new virtual machine for your Corente Services Gateway (referred to as the on-premises gateway).

Before you begin installing Corente Services Gateway, create a location-specific configuration file for your on-premises gateway. You'll use App Net Manager to configure your maiden on-premises gateway (the first one in your data center domain). Log in to App Net Manager using the Corente credentials that you received by email when you subscribed to Oracle Compute Cloud Service. For more information about creating the location configuration file for your gateway, see Configuring the Corente Services Gateway in the Corente Services Gateway Deployment Guide. The configuration file that you create is downloaded onto the on-premises gateway as part of the installation process.

Download and install Corente Services Gateway in your data center as follows:

1. In your data center, identify the host that you prepared in the previous section.

2. Download the Corente Services Gateway software (Corente Gateway Image) from the following URL:

   http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

3. Ensure that you have root access to the host where you want to install the on-premises Corente Services Gateway (referred to as the on-premises gateway).

4. Create a new virtual machine for the on-premises gateway. Take care of the following points while creating the virtual machine:

   • Use the ISO image file of the Corente Gateway Image that you downloaded to create the virtual machine.

   • Configure memory and CPU for the virtual machine being created.

   • Ensure that the size of the hard disk is more than 40 GB.

   • Configure two NICs for the on-premises gateway: one for br0 and another for br1. The virtual machine should have two network adapters or interfaces, one for WAN and another for LAN. One network interface is used for the Internet connection and the other for internal communication with the Corente guest virtual machines.

5. When you create the virtual machine, the following virtual machine terminal screen is displayed:

   Enter yes, and then press Enter to proceed with the installation. The installation continues. Reboot the virtual machine when prompted.

   When the on-premises gateway virtual machine starts up, you'll see the following screen:

6. Select Download Config and press Enter. The network configuration screen is displayed, as in the following:

Setting Up Corente Services Gateway in Your Data Center 2-9


Downloading and Installing the Corente Services Gateway

7. In this screen, enter information about your network interface facing Oracle Cloud
(Internet). Move to Advanced to configure proxy.

Select Continue.

8. Enter HTTP proxy information, as in the following:

2-10 Setting Up VPN from Corente Services Gateway On-Premises to the Shared Network
Downloading and Installing the Corente Services Gateway

9. In the next screen, enter www.corente.com as the Download site, and then select
Next.

10. In the next screen, enter the username and password to log into the App Net
Manager and the name of the gateway that you have created using App Net
Manager as part of the prerequisite tasks. The location configuration file that you
have created in App Net Manager is downloaded onto your on-premises gateway.

Setting Up Corente Services Gateway in Your Data Center 2-11


Downloading and Installing the Corente Services Gateway

After the download is complete, your on-premises gateway reboots. When the
gateway comes back up, you can’t log into it due to security reasons. Your network
administrator should use App Net Manager to start managing your on-premises
gateway.

3 Setting Up Corente Services Gateway on Oracle Cloud

You must set up Corente Services Gateway on an Oracle Compute Cloud Service instance. This is the Oracle Cloud gateway that communicates with the on-premises gateway.

Note: Do not follow the instructions in this section if you want to create the Corente Services Gateway using the Oracle Compute Cloud Service user interface.

Before you begin

1. Go to the Oracle Compute Cloud Service Console. Sign in as a user with the Compute_Operations role.

2. Reserve a public NAT IP address to be used by the new Corente Services Gateway (cloud gateway). See Reserving a Public IP Address in Using Oracle Compute Cloud Service (IaaS).

The following is the workflow to set up a Corente Services Gateway on an Oracle Compute Cloud Service instance using App Net Manager and orchestrations:

1. Defining a Location Configuration for the Cloud Gateway

2. Creating an Orchestration for the Boot Volume

3. Creating an Orchestration for the Networking Objects

4. Creating an Orchestration for the GRE-Enabled Compute Service Instance

5. Starting the Orchestrations
Defining a Location Configuration for the Cloud Gateway

Before you install Corente Services Gateway on Oracle Cloud, you must define a location configuration for the cloud gateway.

1. Download the App Net Manager from http://www.oracle.com/technetwork/server-storage/corente/downloads/index.html.

2. Log in using your Corente credentials.

3. From the Domains panel on the left, select Locations, and then click New. Complete all the fields in the Identity and Location panel, select the Enable Zero Touch Configuration option, and enter your own unique identifier in the Unique Identifier field in the Zero Touch Configuration panel.

   Important: Note the value that you enter in the Unique Identifier field. You'll need to specify the same value in the uid attribute while creating the orchestration for the cloud gateway instance.

4. Go to the Network tab.

5. Click Add at the bottom of the Network Interfaces pane. In the dialog box that appears, select WAN/LAN Interface in the Peer Configuration pane, and then click OK.

6. In the WAN/LAN Interface screen, select DHCP in the Addressing pane to automatically assign an IP address, subnet mask, and gateway address to this location gateway.

7. Select Get DNS Dynamically in the DNS pane.

8. Select Use GRE Tunnels in the GRE Tunnels pane to specify the configuration preference for the location gateway. 172.16.254.1 appears in the GRE Tunnel IP field.

9. Ensure that the Internet Access via Proxy Server option is not selected, and then click OK.

10. Go to the User Groups tab. Highlight Default User Group and then click Edit at the bottom of the screen. The Edit User Group screen appears.

11. In the Edit User Group screen, click the Add button at the bottom of the User Group Subnets/Address Ranges panel. The Add Address Range screen appears.

12. In the Add Address Range screen, select Include Subnet. Enter the network range and the subnet mask for the GRE tunnel space for your VPN environment in the cloud. The following are some basic rules for this address space:

    • The range cannot overlap with any addresses in use in your environment. For now, do not use any address in the 10.0.0.0/8 range.

    • The range must be large enough to accommodate all instances that will be behind the Corente VPN appliance, plus two for the GRE tunnel.

13. Set Outbound NAT to Permitted, and then click OK at the bottom of the screen.

14. Click OK in the Edit User Group screen, and then click OK at the bottom of the Add Location screen. You return to the main App Net Manager screen, and the Save button at the top of the screen becomes active. Note the red square with a yellow center to the upper left of the location icon; it indicates that there are unsaved changes.

15. Click Save at the top of the App Net Manager screen. A Save All Changes pop-up screen is displayed. Click Start at the bottom of this screen to save the configuration.

16. When the save operation is complete, click Finished at the bottom of the screen.

Creating an Orchestration for the Boot Volume

A sample orchestration, storage_vol1.json, to create a bootable storage volume for the Corente Services Gateway instance is included in the greconf_orchsamples.zip file at the following location:

http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

Download the sample orchestration and edit the following attributes:

Attribute: name
Details: The name attribute should be specified in the following format: /Compute-yourIdentityDomainName/yourUserName/volumeName

Attribute: imagelist
Details: Go to the Oracle Compute Cloud Service Console, note the Compute image that you want to use for the storage volume, and replace the image name in the sample orchestration with /oracle/public/vpnServiceGateway_corente_9.4.1062.

Attribute: name in the objects array
Details: The name attribute should be specified in the following format: /Compute-yourIdentityDomainName/yourUserName/volumeName

Important: You must create a new boot storage volume when you create a new gateway instance. Don't use an existing boot storage volume that has been used by another gateway instance, even if that gateway instance is shut down.

Creating an Orchestration for the Networking Objects


Create an orchestration for the networking objects such as security rules and security
applications.

A sample orchestration, secrule.json, to create the networking objects for the
Corente Services Gateway (Cloud) is included in the greconf_orchsamples.zip
file at the following location:
http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html
Download the sample orchestration and edit or add the following attributes:

Identity domain name
    Replace all instances of myidentitydomain with Compute-yourIdentityDomainName.

User name
    Replace all instances of John.doe@oracle.com with yourUserName.

Creating an Orchestration for the GRE-Enabled Compute Service Instance


Create an orchestration for the instance with HA using the boot volume.

Important: Ensure that your Corente Services Gateway (cloud gateway) instance is
created using a boot volume. See Creating an Orchestration for the Boot Volume.
Without a boot volume, if the gateway restarts for some reason after
initialization, your administrator must regenerate the gateway configuration in
App Net Manager as follows:

1. Log in to App Net Manager.

2. Select your existing Corente Services Gateway cloud instance, right-click, and
select Regenerate.

If the instance is created with an orchestration that has ha_policy set to active,
then the instance is restarted with the same file system, and its configuration is
preserved when the instance crashes or fails.

Note: For more information on creating orchestrations, see Creating Instances
Using Orchestrations in Using Oracle Compute Cloud Service (IaaS).

A sample orchestration, csglaunchplan.json, to create the Corente Services
Gateway (Cloud) is included in the greconf_orchsamples.zip file at the
following location:
http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html
Download the sample orchestration and edit the following attributes:

ha_policy
    Ensure that this parameter is set to active.

nat
    The value must be the IP reservation created earlier.

seclists
    The value must be the security lists defined earlier.

shape
    Specify the shape, according to the desired performance.

uid
    Make a note of the value of the uid so that you can use it in the App Net
    Manager user interface later. The uid value must match the unique identifier
    used when configuring your Corente Services Gateway, and each Corente Services
    Gateway must have its own unique identifier.

volume
    The value must be the boot volume you created earlier.


Zero Touch Configuration for Corente Services Gateway on the Cloud


The Corente Services Gateway on Oracle Cloud installed using an Oracle-provided
image supports configuring the gateway UID through the userdata attributes of the
instance in the orchestration. The syntax is as follows:
"attributes": {
  "userdata": {
    "csg": {
      "uid": "uniqueIdentifier"
    }
  }
}

Starting the Orchestrations


After creating the orchestrations, you should also validate your JSON file. You can do
this by using a third-party tool, such as JSONLint, or any other validation tool of your
choice. If your JSON format isn’t valid, then an error message is displayed when you
upload the orchestration.

Note:

Oracle doesn’t support or endorse any third-party JSON-validation tool.
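A JSON validator only tells you that the file parses. The conditions this chapter actually depends on (ha_policy set to active, the instance booting from the newly created boot volume, the uid delivered in attributes.userdata.csg, seclists and nat filled in) are just as easy to check before uploading. The following Python script is an added example and is not part of the Oracle-provided greconf_orchsamples.zip. The launch plan embedded in it is constructed to the shape this page describes, every identifier in it is a placeholder, and the ipreservation: form of the nat value is an assumption about the orchestration syntax.

```python
"""Pre-upload checks for a Corente Services Gateway launch-plan orchestration (added example)."""
import json
import re

# Oracle Compute object names have the form /Compute-<identity domain>/<user>/<name>.
OBJECT_NAME_RE = re.compile(r"^/Compute-[^/]+/[^/]+/[^/]+$")

# Constructed sample in the shape of csglaunchplan.json as this page describes it.
# All names are placeholders; the "ipreservation:" prefix for nat is an assumption.
SAMPLE_PLAN = r"""
{
  "name": "/Compute-myIdentityDomain/john.doe@example.com/csg-launchplan",
  "oplans": [
    {
      "obj_type": "launchplan",
      "label": "csg-launchplan-1",
      "ha_policy": "active",
      "objects": [
        {
          "instances": [
            {
              "name": "/Compute-myIdentityDomain/john.doe@example.com/csg-gateway",
              "label": "csg-gateway",
              "shape": "oc3",
              "networking": {
                "eth0": {
                  "seclists": ["/Compute-myIdentityDomain/john.doe@example.com/csg-internal"],
                  "nat": "ipreservation:/Compute-myIdentityDomain/john.doe@example.com/csg-public-ip"
                }
              },
              "boot_order": [1],
              "storage_attachments": [
                {"index": 1, "volume": "/Compute-myIdentityDomain/john.doe@example.com/csg-boot-vol"}
              ],
              "attributes": {"userdata": {"csg": {"uid": "csg-cloud-01"}}}
            }
          ]
        }
      ]
    }
  ]
}
"""


def check_launchplan(text, expected_volume=None):
    """Return a list of findings for an orchestration; an empty list means it passed."""
    try:
        plan = json.loads(text)
    except ValueError as exc:
        # Malformed JSON is what the upload would reject; nothing further is reliable.
        return ["invalid JSON: %s" % exc]

    findings = []
    if not OBJECT_NAME_RE.match(plan.get("name", "")):
        findings.append("orchestration name must be /Compute-<domain>/<user>/<name>")
    for oplan in plan.get("oplans", []):
        if oplan.get("obj_type") != "launchplan":
            continue
        if oplan.get("ha_policy") != "active":
            findings.append("ha_policy is %r; it must be 'active' so a failed gateway "
                            "restarts with the same filesystem" % oplan.get("ha_policy"))
        for obj in oplan.get("objects", []):
            for inst in obj.get("instances", []):
                findings.extend(check_instance(inst, expected_volume))
    return findings


def check_instance(inst, expected_volume):
    """Checks for one instance object: name, uid, boot volume, seclists and nat."""
    findings = []
    label = inst.get("label", "<unlabelled>")
    if not OBJECT_NAME_RE.match(inst.get("name", "")):
        findings.append("%s: instance name must be /Compute-<domain>/<user>/<name>" % label)

    # Zero Touch configuration: the gateway uid travels in attributes.userdata.csg.uid.
    uid = inst.get("attributes", {}).get("userdata", {}).get("csg", {}).get("uid")
    if not uid:
        findings.append("%s: attributes.userdata.csg.uid is missing, so App Net Manager "
                        "cannot match this instance to its gateway configuration" % label)

    # The instance must boot from an attached volume, and it should be the new one.
    volumes = dict((a.get("index"), a.get("volume")) for a in inst.get("storage_attachments", []))
    boot_order = inst.get("boot_order", [])
    if not boot_order or boot_order[0] not in volumes:
        findings.append("%s: boot_order does not point at an attached storage volume" % label)
    elif expected_volume and volumes[boot_order[0]] != expected_volume:
        findings.append("%s: boots from %s, expected %s" % (label, volumes[boot_order[0]], expected_volume))

    eth0 = inst.get("networking", {}).get("eth0", {})
    if not eth0.get("seclists"):
        findings.append("%s: eth0 has no seclists; gateway and guests must share a security list" % label)
    if not eth0.get("nat"):
        findings.append("%s: eth0 has no nat entry; the gateway needs the reserved public IP" % label)
    return findings
```

Run it against your edited csglaunchplan.json by passing the file contents and the full name of the boot volume you created in the previous section; anything it reports is a condition this chapter says the gateway needs, not a JSON syntax problem, so fix it before uploading.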

1. Upload all the orchestrations to Oracle Compute Cloud Service. The upload order
doesn’t matter.

• Boot volume orchestration

• Networking objects orchestration

• GRE-enabled Compute service instance orchestration


See Uploading an Orchestration in Using Oracle Compute Cloud Service (IaaS).

2. Start the orchestrations in the following order:

Important: The order of these steps is critical. Don’t start the orchestrations
in any order other than as described here.

a. Start the orchestrations for the boot volume and the networking objects. See
Starting an Orchestration in Using Oracle Compute Cloud Service (IaaS).

b. Wait for the boot volume and networking orchestrations to be in the ready
state.

c. Verify that a location configuration has been defined for the cloud gateway
instance in App Net Manager. See Defining a Location Configuration for the
Cloud Gateway.

Important:

Do not start the GRE-enabled Compute service instance orchestration until
you have created the Corente gateway in App Net Manager and entered the
instance’s unique ID (the uid from the instance orchestration) in its gateway
configuration. Wait until you see the download icon in App Net Manager before
starting the instance orchestration.

d. After the boot volume and networking orchestrations are in the ready state,
start the instance orchestration.

e. Wait for the instance orchestration to be in the ready state.

f. After the instance orchestration is in the ready state, start the route
orchestration.

4 Establishing Partnership Between Your On-Premises Gateway and Cloud Gateway

After verifying that your on-premises gateway and cloud gateway are running, you
must add a partnership between the two gateways. The partnership is defined on
both sides: first on the cloud gateway, then on the corporate gateway.

Do the following:

1. Log in to App Net Manager.

2. In App Net Manager, in the Domains pane, click Locations to expand and show all
of your gateways.

3. Select your Corente Services Gateway cloud instance and click to expand.

4. Click the Partner option under your Corente Services Gateway cloud instance in
App Net Manager.

5. Click New at the top of the App Net Manager screen.

6. Select Intranet in the Connection to Partner panel, and then select your corporate
gateway in the drop-down (right side of your selection).

7. Click Add in the Tubes pane at the bottom of the Add Partner screen.

8. In the Local Side of Tube pane in the Add Tube screen, select Default User Group
in the User Group selector.

9. In the Remote Side of Tube pane in the Add Tube screen, select Default User
Group in the User Group selector.

10. Leave all other settings at the defaults.

11. Click OK in the Add Tube screen.

12. Click OK in the Add Partner screen.

13. Select your corporate Corente Services Gateway in the Locations in the Domains
pane of App Net Manager.

14. Select Partners under your corporate Corente Services Gateway.

15. Click New at the top of the App Net Manager screen.

16. Select Intranet in the Connection to Partner panel, and then select your cloud
gateway in the drop-down next to your selection.

17. Click Add in the Tubes pane at the bottom of the Add Partner screen.

18. In the Local Side of Tube pane in the Add Tube screen, select Default User Group
in the User Group selector.

19. In the Remote Side of Tube pane in the Add Tube screen, select Default User
Group in the User Group selector.

20. Leave all other settings at the defaults.

21. Click OK in the Add Tube screen.

22. Click OK in the Add Partner screen.

23. Click Save at the top of the App Net Manager screen.

24. Click Start in the Save screen.

25. Click Finished in the Save screen.

You should now see a connection line appear between the gateways in App Net
Manager. You’ll see a yellow line first. The line turns green as the tunnel becomes
active.

5 Configuring a GRE Tunnel on a Guest Instance in Oracle Cloud

To complete the VPN setup, configure a GRE tunnel between your guest instances in
Oracle Cloud and your Corente Services Gateway instance in Oracle Cloud.

Topics

• Creating a New Linux Instance and Configuring a GRE Tunnel

• Configuring a GRE Tunnel on Running Linux Instances

• Configuring a GRE Tunnel on a Windows Instance

Oracle Cloud services certified to use Corente-based VPN solutions


You can configure a GRE tunnel only on instances of the following Oracle Cloud
services:

• Oracle Compute Cloud Service

• Oracle Database Cloud Service

• Oracle Java Cloud Service

Creating a New Linux Instance and Configuring a GRE Tunnel


You must configure a Generic Routing Encapsulation (GRE) tunnel on your Oracle
Compute Cloud Service instances to complete the VPN setup.
Follow the instructions provided in this section to create a guest instance using the
provided corente-guest-launchplan.json template and configure a GRE
tunnel on the newly created guest instance. To set up a GRE tunnel on running
instances, see Configuring a GRE Tunnel on Running Linux Instances.

Create a Linux Client Compute Cloud Service Instance


Create your guest instance using the sample orchestration, corente-guest-
launchplan.json.

1. Create a bootable storage volume. Use an Oracle Linux 6.6 or later image,
because only these versions support GRE tunneling. See Creating a Bootable
Storage Volume in Using Oracle Compute Cloud Service (IaaS).

2. Download the sample orchestration, corente-guest-launchplan.json, to
create a guest instance. This sample orchestration is included in the
greconf_orchsamples.zip file at the following location:
http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

3. Modify values in the sample orchestration file based on your environment. While
modifying corente-guest-launchplan.json, take care of the following
requirements:

• Ensure that you create the guest instance using the bootable storage volume
you have created in step 1.

• The client instance and the gateway instance should be in the same security
list.
In this example, a Compute instance in the Corente network is assigned to an
internal security list, csg-internal.

• Ensure that the ha_policy of the orchestration is set to active.

• The GRE tunnel addresses (both local and cloud gateway) should not be in the
10.x.x.x subnet.

• For csg-tunnel-address, set the value to the cloud gateway’s tunnel address
that was specified during configuration in App Net Manager. The default value
is 172.16.254.1.

4. Upload the modified orchestration to Oracle Compute Cloud Service, and then
start the orchestration. For information about uploading and starting an
orchestration, see Managing Orchestrations in Using Oracle Compute Cloud Service
(IaaS).

5. After creating the instance, ensure that it is running.

6. Note the DNS host name assigned to the cloud gateway instance. You will need
this host name later, when running the configuration script; the script is given
the host name rather than an IP address so that the tunnel can be re-established
after an HA restart of the gateway. The cloud gateway host name is populated
automatically and resolves to the private IP address of the cloud gateway.
Sample Orchestration with Corente Tunnel Arguments
{
  "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-instance",
  "label": "corente-guest",
  "description": "Corente guest instance",
  "oplans": [
    {
      "obj_type": "launchplan",
      "label": "corente-guest-launchplan-1",
      "ha_policy": "active",
      "objects": [
        {
          "instances": [
            {
              "name": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest",
              "networking": {
                "eth0": {
                  "model": "e1000",
                  "dns": [
                    "corente-guest"
                  ],
                  "seclists": [
                    "/Compute-myIdentityDomain/john.doe@example.com/csg-internal"
                  ],
                  "nat": "ippool:/oracle/public/ippool"
                }
              },
              "boot_order": [
                1
              ],
              "storage_attachments": [
                {
                  "index": 1,
                  "volume": "/Compute-myIdentityDomain/john.doe@example.com/corente-guest-boot-vol"
                }
              ],
              "label": "corente-guest",
              "shape": "oc3",
              "attributes": {
                "userdata": {
                  "corente-tunnel-args": "--local-tunnel-address=172.16.1.4 --csg-hostname=c9fcb5.compute-acme.oraclecloud.internal. --csg-tunnel-address=172.16.254.1 --onprem-subnets=10.2.3.0/24,10.3.2.0/24"
                }
              },
              "sshkeys": [
                "/Compute-myIdentityDomain/john.doe@example.com/adminkey"
              ]
            }
          ]
        }
      ]
    }
  ]
}

Create a GRE Tunnel


To create a GRE tunnel on your newly created Oracle Compute Cloud Service
instances:

1. SSH to the instance where you want to create a GRE tunnel.

2. Download the oc-config-corente-tunnel script onto this instance. This
script is included in the greconf_orchsamples.zip file, which is available at the
following location:
http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

3. Extract the contents of the greconf_orchsamples.zip file.

4. After extracting, copy the oc-config-corente-tunnel file from the Config
and Orchestration directory to the /usr/bin directory.

Note:
You'll need superuser privileges to copy to /usr/bin.

5. Make the oc-config-corente-tunnel script executable:


sudo chmod 550 oc-config-corente-tunnel


6. Run the oc-config-corente-tunnel script:


sudo bash /usr/bin/oc-config-corente-tunnel

7. Add the following entry to /etc/rc.local so that the script runs automatically
every time the instance boots. End the line with &, because the script keeps
running to monitor the tunnel and would otherwise block the rest of the boot
sequence:
bash /usr/bin/oc-config-corente-tunnel &

About Configuration Script Arguments


The oc-config-corente-tunnel configuration script accepts arguments from the
userdata attribute corente-tunnel-args in a launch plan (refer to corente-
guest-launchplan.json). The value of that attribute should be in the form of a
command line with the following syntax (showing only required arguments):
--local-tunnel-address=<addr> --csg-hostname=<hostname> --csg-tunnel-address=<addr>
--onprem-subnets=<subnet_cidrs>

csg-hostname
    Host name of the cloud gateway instance. Mandatory. No default value. No limit.
    The value should follow the format
    hostName.compute-myIdentityDomain.oraclecloud.internal.
    Example: c9fcb5.compute-acme.oraclecloud.internal.

csg-tunnel-address
    Cloud gateway’s tunnel address that was specified during configuration in
    App Net Manager. The default value is 172.16.254.1. Mandatory.
    Example: 172.16.254.1

local-tunnel-address
    GRE tunnel address of the Compute instance: the local address of the GRE
    tunnel to the Corente Services Gateway instance on the cloud. Specify the IP
    address that you want to assign to the GRE interface on the Linux instance.
    This IP address is used to communicate with the Corente Services Gateway,
    instances in your on-premises environment, and other IP addresses you define.
    While setting up App Net Manager, you specified an IPv4Subnet; specify one IP
    address from that range. Mandatory. No default value.
    Example: 172.16.1.4

onprem-subnets
    List of on-premises networks participating in the VPN, as one or more
    comma-separated CIDRs. Mandatory. No default value. No limit.
    Example: 10.2.3.0/24,10.3.2.0/24

ping-count
    Number of pings of the cloud gateway tunnel end point in one iteration of the
    health check. Optional. Default is 3. Minimum is 2.
    Example: 5

ping-timeout
    Timeout for each of the pings to the cloud gateway, in seconds. Optional.
    Default is 2. Minimum is 1.
    Example: 1

ping-interval
    Interval between pings to the cloud gateway, in seconds. Optional. Default
    is 10. Minimum is 3.
    Example: 3
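The script reads the corente-tunnel-args string at boot, so a typo in it (a 10.x.x.x tunnel address, a missing mandatory argument, a ping interval below the minimum) is only discovered when the tunnel fails to come up. The Python below is an added example, not part of the Oracle download, that applies the rules stated on this page before the value goes into the orchestration: the argument table above, and the step-12 rules for the GRE tunnel space chosen in App Net Manager (no overlap with in-use ranges, outside 10.0.0.0/8, room for every instance plus two addresses for the tunnel). The host-name pattern only insists on the .oraclecloud.internal suffix, because the page shows two host-name shapes; the sample argument strings are the page's own and the failing ones are constructed.

```python
"""Validate a corente-tunnel-args string and the GRE tunnel space (added example)."""
import ipaddress
import re
import shlex

# Arguments the page lists as mandatory, and the optional ones with their
# documented (default, minimum) values.
MANDATORY = ("local-tunnel-address", "csg-hostname", "csg-tunnel-address", "onprem-subnets")
OPTIONAL_INT = {"ping-count": (3, 2), "ping-timeout": (2, 1), "ping-interval": (10, 3)}

# The page rules out 10.0.0.0/8 for any GRE tunnel address.
FORBIDDEN = ipaddress.ip_network("10.0.0.0/8")
# The page gives hostName.compute-<identityDomain>.oraclecloud.internal. as the
# gateway host-name format; this pattern only insists on the oraclecloud.internal
# suffix so that the other host-name form the page shows also passes.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.oraclecloud\.internal\.?$")


def parse_tunnel_args(args):
    """Split '--key=value --key=value ...' into a dict and fill in documented defaults."""
    parsed = {}
    for token in shlex.split(args):
        if not token.startswith("--") or "=" not in token:
            raise ValueError("malformed argument: %r" % token)
        key, value = token[2:].split("=", 1)
        if key in parsed:
            raise ValueError("duplicate argument: --" + key)
        parsed[key] = value
    for key, (default, _minimum) in OPTIONAL_INT.items():
        parsed.setdefault(key, str(default))
    return parsed


def check_tunnel_space(cidr, in_use, instance_count):
    """Apply the step-12 rules to the GRE tunnel space chosen in App Net Manager.

    cidr is the candidate IPv4Subnet, in_use the address ranges already used on
    premises or in the cloud, instance_count the number of instances that will
    sit behind the gateway. Returns a list of problems (empty means acceptable).
    """
    problems = []
    space = ipaddress.ip_network(cidr, strict=True)
    if space.overlaps(FORBIDDEN):
        problems.append("%s lies in 10.0.0.0/8, which must not be used" % space)
    for other in in_use:
        if space.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append("%s overlaps in-use range %s" % (space, other))
    # Every instance needs a tunnel address, plus two for the GRE tunnel itself;
    # the network and broadcast addresses are not usable.
    needed = instance_count + 2
    usable = space.num_addresses - 2
    if usable < needed:
        problems.append("%s has %d usable addresses, %d needed" % (space, usable, needed))
    return problems


def check_tunnel_args(args, tunnel_space):
    """Return problems with a corente-tunnel-args value for a guest in tunnel_space."""
    try:
        parsed = parse_tunnel_args(args)
    except ValueError as exc:
        return [str(exc)]
    problems = ["missing mandatory --" + name for name in MANDATORY if name not in parsed]
    if problems:
        return problems

    space = ipaddress.ip_network(tunnel_space, strict=True)
    addrs = {}
    for name in ("local-tunnel-address", "csg-tunnel-address"):
        try:
            addrs[name] = ipaddress.IPv4Address(parsed[name])
        except ipaddress.AddressValueError:
            problems.append("--%s is not an IPv4 address: %r" % (name, parsed[name]))
            continue
        if addrs[name] in FORBIDDEN:
            problems.append("--%s %s is in 10.0.0.0/8" % (name, addrs[name]))
    # The local address must come from the IPv4Subnet configured in App Net Manager.
    if "local-tunnel-address" in addrs and addrs["local-tunnel-address"] not in space:
        problems.append("--local-tunnel-address %s is outside %s" % (addrs["local-tunnel-address"], space))
    if len(addrs) == 2 and addrs["local-tunnel-address"] == addrs["csg-tunnel-address"]:
        problems.append("local and gateway tunnel addresses must differ")

    if not HOSTNAME_RE.match(parsed["csg-hostname"]):
        problems.append("--csg-hostname %r is not an oraclecloud.internal host name" % parsed["csg-hostname"])

    for cidr in parsed["onprem-subnets"].split(","):
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append("bad on-premises CIDR %r" % cidr)
            continue
        if net.overlaps(space):
            problems.append("on-premises subnet %s overlaps tunnel space %s" % (net, space))

    for name, (_default, minimum) in OPTIONAL_INT.items():
        if not parsed[name].isdigit() or int(parsed[name]) < minimum:
            problems.append("--%s=%s must be an integer of at least %d" % (name, parsed[name], minimum))
    return problems
```

Pass the exact string you intend to put in the corente-tunnel-args attribute together with the IPv4Subnet you entered in App Net Manager; an empty result means the value satisfies every rule this page states, while the messages name the offending argument so you can fix the orchestration before starting it.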

Configuring a GRE Tunnel on Running Linux Instances


You can set up a GRE tunnel to the Corente Services Gateway on existing Oracle
Compute Cloud Service instances. Use the procedure described in this section to
set up a GRE tunnel on running Linux instances without having to restart
orchestrations.
Ensure that the service instance on Oracle Cloud (where the GRE script runs) and
the cloud gateway instance (the one it is paired with) are part of the same
security list.
Do the following:

1. Copy the oc-config-corente-tunnel script (from greconf_orchsamples.zip, as
described in Create a GRE Tunnel) to the /usr/bin directory, and go to that
directory.

2. Ensure that the script is executable. Run the following command:


sudo chmod 550 oc-config-corente-tunnel

3. Run the following commands:

$ sudo bash
# nohup ./oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &

Note: You may have to wait up to 1 minute before the GRE tunnel is up.

For a description of the configuration parameters, see About Configuration Script
Arguments.

Note: Customize the command-line parameters, as needed (same syntax as the
corente-tunnel-args userdata attribute). You must run the script in the
background, because the script does not exit.

4. Verify that the GRE tunnel is functional by pinging a live IP address in your
on-premises data center network directly from the instance.

5. Add the following entry to the /etc/rc.local file so that the tunnel is set up
again on every boot. End the line with &, because the script keeps running to
monitor the tunnel and would otherwise block the rest of the boot sequence.

bash /usr/bin/oc-config-corente-tunnel --local-tunnel-address=172.16.2.2 --csg-hostname=csgdbaas-1.root.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.39.0/24 &

Note: Customize the command-line parameters, as needed. The values of the
parameters should match what you entered in Step 3.

Configuring a GRE Tunnel on a Windows Instance


To complete the VPN setup, configure a GRE tunnel between your Windows instance
and Corente Services Gateway instance.

Topics

• Creating a Windows Server 2012 R2 Client Instance

• Creating a GRE Tunnel on a Windows Guest Instance

Creating a Windows Server 2012 R2 Client Instance


Follow the instructions provided in this section to create a Windows guest instance.
If you want to create a GRE tunnel on an existing Windows instance, skip this section
and see Creating a GRE Tunnel on a Windows Guest Instance.
To create a guest Windows instance:

1. Identify the Windows image that you are going to use while creating the instance.
Use a Windows Server 2012 R2 image: GRE tunneling is supported only on Windows
Server 2012 R2 with the Microsoft hotfix applied. Windows images are available in
Oracle Cloud Marketplace.

2. Create your Windows guest instance using the Create Instance wizard. See
Workflow for Creating Your First Windows Instance in Using Oracle Compute
Cloud Service (IaaS). Take care of the following requirements:

• By default, High Availability (HA) policy is set to active. Retain this value.

• By default, RDP is enabled on the instance. Retain this value so that you can
use RDP to access your Windows instance once inbound RDP traffic has been
allowed.

3. After creating the instance, ensure that it is running.

4. Allow RDP access to your Windows instance. Inbound RDP connections to the
instance are not permitted by default. See Accessing a Windows Instance Using RDP
in Using Oracle Compute Cloud Service (IaaS).
After creating the instance, create a GRE tunnel on the instance by using the
instructions provided in Creating a GRE Tunnel on a Windows Guest Instance.

Creating a GRE Tunnel on a Windows Guest Instance


To complete the VPN setup, create a GRE tunnel between your guest Windows
instance in Oracle Cloud and your Corente Services Gateway instance in Oracle
Cloud. oc-config-corente-tunnel.ps1 is a Windows PowerShell script that
establishes the GRE tunnel between your Corente Services Gateway and your guest
Windows instance in Oracle Cloud. The script continuously monitors the health of
the GRE tunnel and re-establishes the tunnel on failure. You can schedule the
script to run in a continuous loop on the instance, so that it reconnects to the
CSG instance when the CSG instance is restarted.
Before creating a GRE tunnel on your guest Windows instance, ensure that you
complete the following prerequisites:

• The Windows guest instance and the Oracle Compute Cloud Service instance on
which you have set up Corente Services Gateway must be part of the csg-
internal security list. The csg-internal security list is created when you run
the secrule.json orchestration that you have defined in Creating an
Orchestration for the Networking Objects. Add the Windows guest instance to the
csg-internal security list. For information about adding an instance to a
security list, see Adding an Instance to a Security List in Using Oracle Compute
Cloud Service (IaaS).

• Ensure that the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents
exists and its value is set to 0.

Caution:

Improper editing of registry keys can cause serious problems. For the
instructions to edit registry keys, see the Windows documentation.

• Apply the hotfix provided by Microsoft to your Windows Server 2012 R2 instance.
For more information about downloading and applying the hotfix, see
https://support.microsoft.com/en-us/kb/3022776.
Ensure that the instance is running after applying the hotfix.

• The Remote Access PowerShell module must be available. Enter the following
PowerShell command at the command prompt to display a list of all installed
modules:
Get-Module -ListAvailable

If you don't see Remote Access in the list, use the Server Manager tool to add
Remote Access as a role. Select the DirectAccess and VPN (RAS) role service
while adding the Remote Access role.

• Ensure that you can RDP to your Windows instance. Inbound RDP access to your
Windows instance is not permitted by default. To enable RDP access on your
Windows instance, see Accessing a Windows Instance Using RDP in Using Oracle
Compute Cloud Service (IaaS).
Ensure that the Windows instance is running after enabling RDP access.

To create a GRE tunnel on your guest Windows instance after completing the
prerequisites:

1. Download the oc-config-corente-tunnel.ps1 script to your instance. You
can either download the script directly on to the instance, or download the file
elsewhere and copy the file to the instance. To download the file directly on to
the instance, log in to the instance first.
You can download the script (included in greconf_orchsamples.zip) from
the following location:
http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html

2. Enter the following command at the command prompt to run the
oc-config-corente-tunnel.ps1 script. You must provide values for all the
parameters. In the following examples, the oc-config-corente-tunnel.ps1 script
is assumed to be at C:\; when you run this command, specify the complete path of
the location where you downloaded the script file.
Syntax
powershell -File C:\oc-config-corente-tunnel.ps1 Name-of-tunnel CSG-hostname GRE-tunnel-destination-prefix GRE-local-IPAddress Remote-IPv4Subnet:Metric Prefix-length
Example: Creating a GRE tunnel by specifying a single remote route
powershell -File C:\oc-config-corente-tunnel.ps1 GREtoCSG c9fcb5.compute-acme.oraclecloud.internal. 172.16.254.1/32 172.16.31.9 192.168.10.0/24:100 16
Example: Creating a GRE tunnel by specifying multiple remote routes
powershell -File C:\oc-config-corente-tunnel.ps1 GREtoCSG c9fcb5.compute-acme.oraclecloud.internal. 172.16.254.1/32 172.16.31.9 "192.168.10.0/24:100,192.168.133.0/24:100" 16
The script runs checks to ensure that the prerequisites are met, and then
establishes a GRE tunnel. The time taken to establish the tunnel varies depending
on your environment. Do not close the terminal window while the script is
running.

Note:
If you provide incorrect parameters, stop the script, and then enter the correct
parameters to run the oc-config-corente-tunnel.ps1 script.

Parameters and descriptions

Name-of-tunnel
    An alphanumeric string representing a name for the GRE tunnel between the
    guest Windows instance in Oracle Cloud and the Corente Services Gateway
    instance in Oracle Cloud.
    Example: GREtoCSG

CSG-hostname
    DNS host name of the Corente Services Gateway instance. The value should
    follow the format hostName.compute-myIdentityDomain.oraclecloud.internal.
    Example: c9fcb5.compute-acme.oraclecloud.internal.

GRE-tunnel-destination-prefix
    Route to the Corente Services Gateway tunnel address on the CSG side, also
    known as csg-tunnel-address. Specify the cloud gateway’s tunnel address that
    was provided during configuration in App Net Manager, as a /32 prefix. The
    default value is 172.16.254.1; it can be changed using App Net Manager.
    Example: 172.16.254.1/32

GRE-local-IPAddress
    Local address of the GRE tunnel to the Corente Services Gateway instance, on
    the Windows side, also known as local-tunnel-address. Specify the IP address
    that you want to assign to the GRE interface on the Windows instance. This IP
    address is used to communicate with the Corente Services Gateway, instances in
    your on-premises environment, and other IP addresses you define. While setting
    up App Net Manager, you specified an IPv4Subnet; specify one IP address from
    that range.
    Example: 172.16.31.9

Remote-IPv4Subnet:Metric
    Remote-IPv4Subnet is a customer-reachable route or on-premises subnet. You can
    also provide a comma-separated list of multiple remote subnets.
    Metric: Routing metrics are used for precedence when multiple routes exist to
    a single destination. In this case there is only one route; however, you must
    still provide an integer value.
    Example: 192.168.10.0/24:100 or 192.168.122.0/24:100,192.168.133.0/24:100

Prefix-length
    Prefix length of the subnet to which GRE-local-IPAddress belongs.
    Example: If you specify 172.16.31.9 as the value for GRE-local-IPAddress and
    the IPv4Subnet to which it belongs is 172.16.0.0/16, then the Prefix-length
    is 16.

3. To automatically set up the GRE tunnel to Corente Services Gateway every time
the system restarts, use the Task Scheduler in Windows to run the following
command on system restart. The example provided here uses sample values; specify
values for the parameters based on your environment. The output is appended to
C:\corente.log so that failed attempts can be reviewed later.
cmd /C powershell -File C:\oc-config-corente-tunnel.ps1 GREtoCSG c9fcb5.compute-acme.oraclecloud.internal. 172.16.254.1/32 172.16.31.9 192.168.10.0/24:100 16 >> C:\corente.log 2>&1

For more information about using Task Scheduler to run a PowerShell script, see
Windows documentation.

Note:

When the system restarts, the Remote Access service may not be available
immediately. You might find a few error messages logged in the C:
\corente.log file to indicate that Remote Access service is not available.
However, the script runs continuously and the GRE tunnel is established
when the Remote Access service becomes available.
