Oracle Cloud
This tutorial provides information and examples of how to configure IPsec between Cloudflare Magic WAN and an Oracle Cloud Site-to-site VPN.
You need a pre-shared key to establish the IPsec tunnel. You can use Cloudflare Workers to generate a random key, and you can use the Workers playground ↗ to try such a Worker.
1. Create the customer-premises equipment (CPE) object that represents Cloudflare:
  - Go to Networking > Customer connectivity, and select Customer-premises equipment.
  - Select Create CPE.
  - Select the following settings (you can leave settings not mentioned here with their default values):
    - Name: Enter a name.
    - IP Address: Enter your Cloudflare anycast IP address.
    - CPE vendor information: Select Other.
  - Select Create CPE.
2. Create a dynamic routing gateway (DRG):
  - Go to Networking > Customer connectivity, and select Dynamic routing gateways.
  - Select Create Dynamic routing gateways.
  - Select the following settings (you can leave settings not mentioned here with their default values):
    - Name: Enter a name.
  - Select Create Dynamic routing gateways.
3. Create the IPsec connection:
  - Go to Networking > Customer connectivity, and select Site-to-Site VPN.
  - Select Create IPsec connection.
  - Select the following settings (you can leave settings not mentioned here with their default values):
    - Name: Enter a name.
    - Customer-premises equipment: Select the CPE you created in step 1.
    - Dynamic routing gateways: Select the DRG you created in step 2.
    - Routes to your on-premises network: Enter a CIDR range you want to route to Magic WAN.
    - Tunnel 1
      - Name: Enter a name.
      - Select Provide custom shared secret.
      - Enter the pre-shared key you created in the Prerequisites section.
      - IKE version: IKEv2
      - Routing type: Static routing
      - IPv4 inside tunnel interface - CPE: Enter the internal tunnel IP on the Cloudflare side of the IPsec tunnel. In this example, it is 10.200.1.0/31.
      - IPv4 inside tunnel interface - Oracle: Enter the internal tunnel IP on the Oracle side of the IPsec tunnel. In this example, it is 10.200.1.1/31. This matches the Cloudflare side for this tunnel.
      - Select Show advanced options.
      - Select Phase one (ISAKMP) configuration.
        - Select Set custom configurations.
        - Custom encryption algorithm: AES_256_CBC
        - Custom authentication algorithm: SHA2_256
        - Custom Diffie-Hellman group: GROUP14
        - IKE session key lifetime in seconds: 28800
      - Select Phase two (IPsec) configuration.
        - Select Set custom configurations.
        - Custom encryption algorithm: AES_256_CBC
        - Custom authentication algorithm: HMAC_SHA2_256_128
        - IPsec session key lifetime in seconds: 14400
        - Perfect forward secrecy Diffie-Hellman group: GROUP14
    - Tunnel 2
      - Repeat the above steps for Tunnel 2. Select the right IPs for this tunnel: IPv4 inside tunnel interface - CPE: 10.200.2.0/31, and IPv4 inside tunnel interface - Oracle: 10.200.2.1/31.
  - Select Create IPsec connection.
After configuring the Oracle Site-to-site VPN connection and the tunnels as mentioned above, go to the Cloudflare dashboard and create the corresponding IPsec tunnel and static routes on the Magic WAN side.
- Refer to Add tunnels to learn how to add an IPsec tunnel. When creating your IPsec tunnel, make sure you define the following settings:
  - Tunnel name: Enter a name.
  - Interface address: Enter the internal tunnel IP on the Cloudflare side of the IPsec tunnel. In this example, it is 10.200.1.0/31.
  - Customer endpoint: The Oracle VPN public IP address.
  - Cloudflare endpoint: Enter your Cloudflare anycast IP address.
  - Health check type: Request
  - Health check direction: Unidirectional
  - Health check target: Default
  - Pre-shared key: Choose Use my own pre-shared key, and enter the pre-shared key you created in the Prerequisites section.
  - Replay protection: Enabled.
- Select Add tunnels.
- Repeat the above steps for Tunnel 2. Choose the same Cloudflare anycast IP address and select the right IP for Interface address: 10.200.2.0/31.
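A mismatch between the inside-tunnel addresses entered on the two dashboards is the most common reason the tunnel comes up in IKE but passes no traffic. The following added check (not part of the tutorial, and not a Cloudflare or Oracle tool) encodes the rule the example above relies on: each tunnel's "CPE" and "Oracle" inside addresses must be the two ends of one /31 point-to-point link (RFC 3021), the Magic WAN "Interface address" must equal the Oracle "CPE" value, and no two tunnels may share a /31. The `SAMPLE_TUNNELS` record and its field names (`oracleCpe`, `oracleSide`, `magicWanInterface`) are constructed for this example from the addresses used on this page.

```javascript
// Added example, not from the tutorial: validate the inside-tunnel /31 pairs
// before creating the Oracle IPsec connection and the Magic WAN tunnels.

function parseIPv4(addr) {
  const parts = addr.split(".");
  if (parts.length !== 4) throw new Error(`bad IPv4 address: ${addr}`);
  return parts.reduce((acc, p) => {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) throw new Error(`bad IPv4 address: ${addr}`);
    return ((acc << 8) | Number(p)) >>> 0;
  }, 0);
}

function parseCidr(cidr) {
  const [ip, len] = cidr.split("/");
  const prefix = Number(len);
  if (!Number.isInteger(prefix) || prefix < 0 || prefix > 32) throw new Error(`bad prefix: ${cidr}`);
  return { ip: parseIPv4(ip), prefix };
}

// True when a and b are the two distinct addresses of the same /31 (RFC 3021 point-to-point link).
function isSameP2pLink(cidrA, cidrB) {
  const a = parseCidr(cidrA);
  const b = parseCidr(cidrB);
  if (a.prefix !== 31 || b.prefix !== 31) return false;
  const mask = 0xfffffffe; // clears the single host bit of a /31
  return (a.ip & mask) === (b.ip & mask) && a.ip !== b.ip;
}

// tunnels: [{ name, oracleCpe, oracleSide, magicWanInterface }] -> list of problems ([] when consistent).
function checkTunnels(tunnels) {
  const problems = [];
  for (const t of tunnels) {
    if (!isSameP2pLink(t.oracleCpe, t.oracleSide)) {
      problems.push(`${t.name}: ${t.oracleCpe} and ${t.oracleSide} are not the two ends of one /31`);
    }
    if (t.magicWanInterface !== t.oracleCpe) {
      problems.push(`${t.name}: Magic WAN interface address ${t.magicWanInterface} differs from Oracle CPE value ${t.oracleCpe}`);
    }
  }
  // Each tunnel needs its own /31; a reused link makes the second tunnel's routes ambiguous.
  const links = tunnels.map((t) => (parseCidr(t.oracleCpe).ip & 0xfffffffe) >>> 0);
  if (new Set(links).size !== links.length) problems.push("two tunnels share the same /31");
  return problems;
}

// Constructed sample using the addresses from this tutorial's example.
const SAMPLE_TUNNELS = [
  { name: "Tunnel 1", oracleCpe: "10.200.1.0/31", oracleSide: "10.200.1.1/31", magicWanInterface: "10.200.1.0/31" },
  { name: "Tunnel 2", oracleCpe: "10.200.2.0/31", oracleSide: "10.200.2.1/31", magicWanInterface: "10.200.2.0/31" },
];

console.log(checkTunnels(SAMPLE_TUNNELS)); // [] for the tutorial's values
```

Run it with your own four addresses substituted into `SAMPLE_TUNNELS`; an empty list means the two dashboards agree, and each reported string names the tunnel and field to correct.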
The static route in Magic WAN should point to the virtual machine (VM) subnet you created inside your Oracle Virtual Cloud Network (VCN). For example, if your VM has a subnet of 192.168.192.0/26, use it as the prefix for your static route.
To create a static route:
- Refer to Create a static route to learn how to create one.
- In Prefix, enter the subnet for your VM. For example, 192.xx.xx.xx/24.
- For the Tunnel/Next hop, choose the IPsec tunnel you created in the previous step.
- Repeat the steps above for the second IPsec tunnel you created.