Oracle Cloud Platform Corente VPN for PaaS & IaaS Step-by-Step Deployment Version 1 03.06.2016
Oracle Cloud Platform - Corente VPN for PaaS & IaaS
Copyright © 2016, Oracle and/or its affiliates. All rights reserved 2
TABLE OF CONTENTS
Introduction ..... 3
Chapter 1. Understanding the Architecture ..... 5
1.1 Architecture of the solution ..... 5
1.2 Key components of the solution ..... 5
Chapter 2. Setting up Corente Services Gateway on-premise ..... 7
2.1 Accessing the App Net Manager Lite ..... 7
2.2 Login to the App Net Manager Lite ..... 8
2.3 Creating the location for the on-premise gateway ..... 8
2.4 Creating the Corente VPN virtual machine ..... 19
Chapter 3. Setting up Corente Services Gateway on Oracle Cloud ..... 29
3.1 Creating the Corente VPN virtual machine ..... 29
3.2 Creating the location for the on-cloud gateway ..... 32
3.3 Creating the Corente VPN instance ..... 55
Chapter 4. Configure the partnership between gateways ..... 62
4.1 Enabling partnership for the on-cloud gateway ..... 62
4.2 Enabling partnership for the on-premise gateway ..... 67
Chapter 5. Testing the VPN connection ..... 73
Appendix ..... 77
INTRODUCTION
This paper describes how to set up Corente Services Gateway for secure access to your Oracle Compute Cloud Service, Oracle Java Cloud Service and Oracle Database Cloud Service instances.
Oracle’s Corente Cloud Services Exchange (Corente CSX) is a cloud-based software-defined networking (SDN) solution that enables distributed enterprises to deliver trusted connectivity services to and from any location with less complexity, in significantly less time, and at a greatly reduced cost, when compared to more-traditional approaches. Corente CSX enables organizations to transform their wide area network (WAN) into a cost-effective, agile network.
Corente CSX relies on the Oracle-hosted Service Control Point (SCP), which is a centralized service management platform that provides secure policy-based service brokering, mediation, and virtual network orchestration.
Companies want to connect applications securely into private networks over the internet and facilitate hybrid cloud services to seamlessly connect applications running locally into the cloud. Today many of these tasks require significant planning, acquisition, and integration efforts, often requiring expensive networking technology and equipment that are often difficult to manage.
A component of Corente CSX, the Corente Services Gateway (CSG) is a distributed virtual appliance located at the network edge that provides secure endpoints for virtual private networks over any IP networks with zero-touch installation. A Services Gateway is installed at each branch or partner location, and creates a secure end-to-end connection for application traffic. The Services Gateways also maintain separate out-of-band connections with the SCP database for monitoring, administration, and logging.
Services Gateway software can be installed on commodity x86 bare metal hardware, on supported hypervisor virtual machines (VMs), or on local Oracle VM VirtualBox VMs (Windows, Linux, and Solaris) where local applications can be deployed, managed, and monitored.
The App Net Manager service-portal in Corente CSX is a web-based application that provides centralized, role-based access to service lifecycle management tools for service subscribers, including provisioning, managing, and monitoring of their global private networks. The network infrastructure including gateway configuration and deployment is managed from a single interface through App Net Manager. In addition, the portal allows administrators to configure system policies; create fine-grained access policies for users, applications, servers, and other network resources; manage all connections through the simplicity of a drag-and-drop user interface; set thresholds for alerts; monitor real-time status of resources; and view historical reports.
App Net Manager portal for consolidated service management and monitoring:
Chapter 1. Understanding the Architecture
1.1 Architecture of the solution
Here is a quick overview of the architecture of the VPN solution being offered to Oracle Compute Cloud Service, Oracle Java Cloud Service, and Oracle Database Cloud Service (DBCS) customers.
1.2 Key components of the solution
• App Net Manager Service Portal: App Net Manager is a secure web portal that you use to create, configure, modify, delete, and monitor the components of your Corente-powered network.
• Corente Services Gateway: Corente Services Gateway acts as a proxy that facilitates secure access and data transfer in the VPN solution.
The solution consists of two separate installations of Corente Services Gateway:
• The first gateway (referred to as on-premise gateway) is installed on a host in your on-premises data center. The gateway may be run as a guest VM on your physical host.
Note: you should set up the on-premises gateway manually on a host with Internet access in your data center. One edge of this on-premises gateway connects to the Internet to establish connectivity with the Corente Services Gateway installed in Oracle Cloud (the second gateway, described below), and the other edge communicates with the hosts or virtual machines of your users and administrators in your private network.
Your administrators can access the App Net Manager service portal only from a computer connected to the Corente Services Gateway installed in your data center. Direct access to App Net Manager without the Corente Services Gateway in your data center is not permitted.
• The second gateway (referred to as cloud gateway) is installed on an Oracle Compute Cloud Service instance running on Oracle Cloud.
Note: you should manually set up and configure a Generic Routing Encapsulation (GRE) tunnel from your Oracle Compute Cloud Service instances (virtual machines) to the Corente Services Gateway running on another Oracle Compute Cloud Service instance.
Chapter 2. Setting up Corente Services Gateway on-premise
2.1 Accessing the App Net Manager Lite
In order to create a location for a Corente VPN Gateway you will have to use a web browser that meets the requirements for Corente network administration (see below) and access the administration homepage: http://www.corente.com/web/
To access the administration homepage you will need Oracle’s Java Web Start and version 1.5.0_10 or later of Java Runtime Environment (JRE).
Note: version 1.6.0 of the JRE may not be compatible with older versions of Linux. If your OS does not support 1.6.0 or does not appear to be compatible, you must download an earlier version (1.5.0_10 or 1.5.0_11).
If you do not yet have an active location in your Corente network, click the hyperlink for App Net Manager Lite. App Net Manager Lite will not allow you to enable more than the basic location gateway options; however, you can add functionality to your gateway once it has been activated.
If you already have an active location gateway, click the hyperlink App Net Manager. After the first location gateway has been activated in your Corente network, all administrative activities must take place across a secure tunnel using App Net Manager.
2.2 Login to the App Net Manager Lite
Log in to the App Net Manager Lite using the Corente VPN credentials you have received.
2.3 Creating the location for the on-premise gateway
Navigate to File - Wizards - Location in order to create the location of the first Corente VPN Gateway.
Selecting Location Wizard from the File menu launches the location wizard, which takes you step by step through the process of creating a location gateway with basic functionality.
Click Next to start configuring the location.
Enter the alphanumeric identifier for the location gateway that you are creating (in our case it is “corentegw-onprem”) and click Next.
Enter the address and time zone of the physical location of this location gateway and click Next.
Select your automatic reboot preferences for the location gateway and click Next.
Select your maintenance time preferences for the location gateway and click Next.
Choose the appropriate configuration option for your location gateway:
• A Peer configuration for a location gateway requires the use of only one Ethernet port.
• An Inline configuration for a location gateway requires the use of two Ethernet ports – one facing your internal network and one facing the external network (i.e. Internet). All traffic between the internal and external network flows through the location gateway.
For the on-premise gateway the configuration has to be set to “Inline Configuration”. Click Next.
Select how the Inline location gateway’s IP address, Subnet Mask and Default Gateway will be assigned:
• DHCP – select this option to allow a DHCP server to automatically assign an IP address, Subnet Mask and Gateway address to this location.
• Static – when this option is selected you must manually enter addressing information for the location gateway’s Ethernet interface.
• PPPOE – select this option if your location gateway will use PPPOE to connect to the Internet.
In our case we will select DHCP. Click Next.
Some ISPs require a particular name be present when a request for a DHCP address is made. If applicable you may enter that name here.
If you don’t have a DHCP client name leave the field empty and click Next.
Enter the IP address and Subnet Mask that you want to assign to the LAN interface of the location gateway and click Next.
Select the “Get DNS Dynamically” option if the IP address of the DNS servers will be provided by a DHCP server when it serves the location gateway’s IP address, Subnet Mask and Default Gateway address. Click Next.
Review the information provided and click Next.
Click Finish in order to finalize the configuration of the on-premise Corente VPN Gateway.
Expand the Locations tab and you will see the location of the on-premise Corente VPN Gateway. The orange arrow means the configuration file is ready to be downloaded by the virtual machine with Corente VPN Gateway installed.
To continue installing the new gateway in your domain, the location gateway configuration must be downloaded by the gateway itself (see 2.4). Until the icon turns green your location is not yet ready to create secure tunnels to other locations.
Note: Do not download the location configuration from the App Net Manager Lite otherwise you won’t be able to download it again during the gateway installation.
2.4 Creating the Corente VPN virtual machine
Download the Corente Services Gateway software (Corente Gateway Image) from one of the following URLs:
http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html
http://www.corente.com/web
Create a new virtual machine in VirtualBox for the on-premise Corente VPN Gateway, using the following configuration settings as an example.
Configure the network adapters for the on-premise Corente VPN Gateway. The virtual machine should have two network adapters: one for the Internet connection and one for the internal communication with the Corente guest virtual machines.
Select Adapter 1 and configure the appropriate connectivity type. In our example it uses the wireless adapter of the laptop with a bridged connection (VirtualBox attaches to your installed network card and exchanges network packets directly, bypassing your host operating system's network stack).
Select Adapter 2 and set it to perform internal connectivity inside the LAN (select Internal Network).
Edit the virtual machine settings by adding the downloaded image (.iso) to the optical drive in order to boot from it.
Power-on the virtual machine to start the installation of the Corente VPN Gateway and type yes.
Wait for the installation to complete, then remove the .iso image from the optical drive of the virtual machine and reboot it.
Highlight Download Config and press Enter.
Type in the download site (www.corente.com) and select the appropriate connection type that best suits your infrastructure (DHCP, PPPoE or Manual Configuration). Click Next.
Type in the Corente VPN Gateway credentials and click Continue.
Switch to the App Net Manager Lite service portal and observe that the location icon has changed to a grey background, which means the configuration has been downloaded by the on-premise Corente VPN Gateway.
When the Corente virtual machine has finished downloading the configuration from App Net Manager, the login screen appears.
Note: The Corente Gateway is a black box. You cannot log into it from this console; all configuration and monitoring is done through App Net Manager.
Switch to the App Net Manager Lite service portal and observe that the location has disappeared. This is the expected behavior: once the first gateway is active, administration moves to the full App Net Manager (see 3.2).
Chapter 3. Setting up Corente Services Gateway on Oracle Cloud
The following steps are done from a Linux machine connected to the internal LAN of the on-premise Corente location.
3.1 Creating the Corente VPN virtual machine
Create a new virtual machine in VirtualBox. This VM will play the role of the Corente guest.
Navigate to the VM Settings - Network and choose the same adapter settings as you have used for the Corente VPN Gateway machine as depicted in the pictures below.
Select Adapter 1 and configure it to perform internal communication inside the LAN (select Internal Network).
Select Adapter 2 and configure it to perform external communication (in this case we used a bridged adapter).
Download an Oracle Linux distribution from https://edelivery.oracle.com/linux and mount it to the optical drive of the newly created virtual machine.
Power-on the virtual machine and perform the installation of the operating system.
When the installation process completes, log in to the virtual machine and check the following:
a. Type ifconfig eth0 and make sure that the machine is on the same subnet as the LAN interface of the Corente VPN Gateway.
b. Type netstat -nr and confirm that the default gateway is the LAN IP address of the Corente VPN Gateway.
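The two checks above can be scripted so they are repeated identically on every guest you attach. The following Python is an added example and not part of Oracle's guide or the Corente software: it parses `ifconfig eth0` and `netstat -nr` output in the classic net-tools format, confirms the guest sits inside the gateway's subnet, and confirms the default route points at the gateway. The sample outputs and the gateway LAN address 192.168.1.1 are constructed for illustration (the guide's own test in Chapter 5 uses 192.168.1.2 for the on-premise guest on 192.168.1.0/24).

```python
"""Preflight check for a Corente guest VM: is it on the gateway's subnet and
does it default-route through the gateway?  Added example, not Oracle's code.
Parses `ifconfig eth0` and `netstat -nr` output in the net-tools format; the
sample outputs below are constructed for illustration."""
import ipaddress
import re

# Constructed sample output in the net-tools format used by Oracle Linux 6.
SAMPLE_IFCONFIG = """eth0      Link encap:Ethernet  HWaddr 08:00:27:4E:66:A1
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

SAMPLE_NETSTAT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
"""

GATEWAY_LAN_IP = "192.168.1.1"   # assumed LAN address of the on-premise CSG


def parse_ifconfig(text):
    """Return (address, netmask) from the 'inet addr' line of an ifconfig dump."""
    m = re.search(r"inet addr:(\S+)\s+.*?Mask:(\S+)", text)
    if not m:
        raise ValueError("no IPv4 address found in ifconfig output")
    return m.group(1), m.group(2)


def parse_default_gateway(text):
    """Return the gateway of the 0.0.0.0 route from `netstat -nr` output."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "0.0.0.0" and "G" in fields[3]:
            return fields[1]
    return None


def preflight(ifconfig_out, netstat_out, gateway_ip):
    """Run both checks; return (ok, list_of_problems)."""
    problems = []
    addr, mask = parse_ifconfig(ifconfig_out)
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    gw = ipaddress.IPv4Address(gateway_ip)
    if gw not in net:
        problems.append(f"{gateway_ip} is not on the guest's subnet {net}")
    default_gw = parse_default_gateway(netstat_out)
    if default_gw is None:
        problems.append("no default route found")
    elif default_gw != gateway_ip:
        problems.append(f"default gateway is {default_gw}, expected {gateway_ip}")
    return (not problems), problems


if __name__ == "__main__":
    ok, problems = preflight(SAMPLE_IFCONFIG, SAMPLE_NETSTAT, GATEWAY_LAN_IP)
    print("OK" if ok else "FAILED: " + "; ".join(problems))
```

On a real guest, feed the function the output of `ifconfig eth0` and `netstat -nr` instead of the constructed samples; a guest whose default route bypasses the gateway will still reach the Internet directly, which is exactly the misconfiguration this check is meant to catch before the VPN is trusted.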
3.2 Creating the location for the on-cloud gateway
Download the App Net Manager from http://corente.com/web
Login to the App Net Manager with the same Corente VPN credentials used when you configured the on-premise gateway.
Expand the Locations tab and see that the on-premise gateway is already configured.
Navigate to File - Wizards - Location and configure the second gateway (corentegw-oncloud).
Enter the alphanumeric identifier for the location gateway that you are creating (in our case it is “corentegw-oncloud”) and click Next.
Enter the address and time zone of the physical location of the new location gateway and click Next.
Select your automatic reboot preferences for the location gateway and click Next.
Select your maintenance time preferences for the location gateway and click Next.
For the on-cloud gateway the configuration has to be set to “Peer Configuration”. Click Next.
Select the type of the interface that is going to be used for the WAN connection and click Next.
Some ISPs require a particular name be present when a request for a DHCP address is made. If applicable you may enter that name here.
If you don’t have a DHCP client name leave the field empty and click Next.
Select the “Get DNS Dynamically” option if the IP address of the DNS servers will be provided by a DHCP server when it serves the location gateway’s IP address, Subnet Mask and Default Gateway address. Click Next.
User Groups let you identify groups of machines on the local network (computers, servers, printers) that will be allowed to participate in your Corente network.
If you would like you can choose an optional Firewall Policy that will apply to all traffic to and/or from the Default User Group. Click Next.
Click Add to configure the address range for the Default User Group.
Default User Group Configuration:
• Include – select this option to specify a range that will be included in the group
• Exclude – if there are IP addresses or ranges of addresses within the subnets that you have already Included that you do not want to be in your Default User Group, you can use the Exclude Range option to remove these addresses.
Select the Include Subnet and click Next.
Type in the subnet range for the cloud instances that are going to use this gateway.
You must now set the appropriate Outbound NAT settings for this subnet. In this case we will use Permitted. Click Next.
Review the configuration details and click Next.
Click Finish to complete the configuration of the Corente VPN on-cloud gateway.
Click on each of the two gateways and see that both have two connections (one for the internal connection to the guest VMs/instances and one for Internet access).
Open a terminal window and enter the following command: uuidgen
Return to the App Net Manager service portal and edit the on-cloud gateway in order to enter the UUID generated above.
Enable “Zero Touch Configuration” and enter your own UUID in the Unique Identifier field.
Click the OK button at the bottom of the Add Location screen. You will return to the main App Net Manager screen, and the Save button at the top of the screen will be active. Note the red square with a yellow center to the upper left of the location icon; it indicates that there are unsaved changes.
The UID HAS TO BE UNIQUE for each OPC Corente Gateway. One on-premise Corente Gateway can have any number of OPC gateway partners, each with its own UID. You will have to use this UUID in the csglaunchplan.json file that you will create in a later step.
Click Save at the top of the App Net Manager screen. A Save All Changes pop-screen is displayed. Click Start at the bottom of this screen to save the configuration.
3.3 Creating the Corente VPN instance
Download the orchestration examples from http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html
Sign in to the Oracle Cloud using the following address: https://computeui.us.oraclecloud.com/
Create an IP reservation for the gateway.
Notes:
• Update the ID and username above in ALL files to match your current OPC environment.
• Update the csg-nat-ip secipentries to match your RESERVED NAT IP.
• Make sure you run “uuidgen” and update the uid information above as well. The UID needs to be unique for each OPC gateway you are provisioning.
• DO NOT start the JSON orchestration files until you have created a Corente OPC gateway and inserted its unique ID into the gateway configuration with the App Net Manager utility (the ANM Location Wizard is the suggested way). Once the new OPC gateway is created along with its unique UUID and you see the download icon, you can go ahead and start the JSON orchestrations.
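Because the UID is what lets the Zero Touch gateway claim its configuration from the SCP, a reused or mistyped UID means the wrong instance can pull a location's configuration, or none can. The following Python is an added example, not Oracle's tooling: it generates a `uuidgen`-style UUID, validates UIDs before they go into a launch plan, refuses duplicates across cloud gateways, and substitutes the UID into a launch-plan template while re-checking that the JSON is still valid. The `__CSG_UID__` placeholder, the `attributes.uid` path and the template fragment are assumptions of this example; the downloaded csglaunchplan.json ships with its own sample UID that you replace in the same way.

```python
"""Generate and sanity-check the Zero Touch Configuration UUIDs for cloud
Corente gateways.  Added example, not Oracle's or Corente's code.  The
placeholder token, the attributes.uid path and TEMPLATE are assumptions."""
import json
import uuid


def new_gateway_uid():
    """Equivalent of running `uuidgen`: a random (version 4) UUID string."""
    return str(uuid.uuid4())


def is_valid_uid(value):
    """True if value parses as a UUID in canonical 8-4-4-4-12 form."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False


def check_unique(gateway_uids):
    """gateway_uids maps gateway name -> UID.  Return a list of problems:
    malformed UIDs and UIDs shared by more than one cloud gateway."""
    problems = []
    seen = {}
    for name, uid in gateway_uids.items():
        if not is_valid_uid(uid):
            problems.append(f"{name}: {uid!r} is not a valid UUID")
            continue
        key = uid.lower()
        if key in seen:
            problems.append(f"{name} reuses the UID of {seen[key]}")
        else:
            seen[key] = name
    return problems


def fill_launchplan(template_text, uid, placeholder="__CSG_UID__"):
    """Substitute the UID into a launch-plan template and re-validate the JSON.
    The placeholder token is an assumption of this example."""
    if not is_valid_uid(uid):
        raise ValueError(f"refusing to write malformed UID {uid!r}")
    filled = template_text.replace(placeholder, uid)
    json.loads(filled)   # fail early if the edit broke the orchestration
    return filled


# Constructed template fragment standing in for csglaunchplan.json (assumed shape).
TEMPLATE = ('{"name": "/Compute-example/cloud.admin/csg-launchplan", '
            '"attributes": {"uid": "__CSG_UID__"}}')

if __name__ == "__main__":
    uid = new_gateway_uid()
    print(fill_launchplan(TEMPLATE, uid))
    # Two cloud gateways given the same UID is the error the notes warn about.
    print(check_unique({"corentegw-oncloud": uid, "corentegw-oncloud2": uid}))
```

Run `check_unique` over every cloud gateway you have provisioned (the name is the App Net Manager location identifier) before starting a new csglaunchplan.json; the same check applied to the UID you typed into the Unique Identifier field catches the copy-and-paste mistakes that leave the location icon stuck waiting for a download.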
Edit the secrule.json file that you previously downloaded with the reserved IP address and with your identity domain and username.
Upload the orchestration.
Edit the storage_vol1.json file that you previously downloaded with your identity domain, username and location of the Corente gateway image.
Upload the orchestration.
Edit the csglaunchplan.json file you previously downloaded with your identity domain, username, location of the Corente gateway image and the UUID you used when you configured corentegw-oncloud.
Upload the orchestration.
Start the orchestrations in the following order:
1. secrule.json
2. storage_vol1.json
3. csglaunchplan.json
Chapter 4. Configure the partnership between gateways
4.1 Enabling partnership for the on-cloud gateway
Once the cloud gateway has been started, it downloads its Corente configuration file and its icon changes in App Net Manager. You are then ready to start the partnership configuration; do this ONLY after the icons of both gateways are GREEN.
Click on the cloud gateway and select “Approve Partner Connections”.
Expand the location of the on-premise gateway, select Partners and click on “Add Partner”.
Click Add and accept the default options.
Click OK to complete the partnership configuration.
4.2 Enabling partnership for the on-premise gateway
Observe that only half of the configuration is done: we have configured the partnership from corentegw-onprem to corentegw-oncloud, and we still have to configure the partnership from corentegw-oncloud to corentegw-onprem.
Expand the location of the corentegw-oncloud, select Partners and click on “Add Partner”.
Click Add and accept the default options.
Click OK to complete the partnership configuration.
Now the partnership between the two gateways is complete (see the green connection between them).
Click on Locations to see the details for both gateways (when they were created, IP addressing, etc.).
Chapter 5. Testing the VPN connection
Create a Corente guest instance using two orchestrations (one for creating the boot volume and the other one for creating the actual instance). Edit the orchestrations using your identity domain, username, IPs, SSH key etc.
Boot volume orchestration:
Instance launchplan:
Download the GRE configuration script from the following location into any directory on your running Compute Service guest instance:
http://www.oracle.com/technetwork/topics/cloud/downloads/network-cloud-service-2952583.html
After downloading it, make sure the script is executable before running it. If it is not, run the following command as root:
chmod +x oc-config-corente-tunnel
Run the following commands after replacing the IP addresses and hostname with your own:
sudo bash
nohup ./oc-config-corente-tunnel --local-tunnel-address=172.16.1.1 --csg-hostname=csg.compute-gse00000632.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.1.0/24 &
Note: The csg-tunnel-address is hardcoded to 172.16.254.1; you cannot change it.
Add the following entry to the /etc/rc.local file:
bash /usr/bin/oc-config-corente-tunnel --local-tunnel-address=172.16.1.1 --csg-hostname=csg.compute-gse00000632.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.1.0/24 &
Note: Customize the command-line parameters as needed (same syntax as the corente-tunnel-args user data attribute). You must run the script in the background, as the script won't exit.
Open a new terminal console and run the following command:
sudo bash oc-config-corente-tunnel
Check the interface configuration by issuing the ifconfig command and see that a gre1 interface was created as a result of running the above script.
Test the connection between the Cloud guest instance and the on-premise guest virtual machine by issuing the ping command.
Successful ping between 172.16.1.1 (Cloud guest instance) and 192.168.1.2 (on-premise guest virtual machine) using the GRE tunnel.
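As an added example (not part of the original guide and not Oracle's script), a small Python check for the tunnel arguments before they go into /etc/rc.local or the corente-tunnel-args attribute: it enforces the fixed csg-tunnel-address from the note above and rejects a local tunnel address that falls inside an on-premise subnet. The comma-separated form for several subnets is an assumption; the guide shows a single subnet.

```python
import ipaddress
import shlex

# Fixed gateway tunnel address; the guide states it cannot be changed.
CSG_TUNNEL_ADDRESS = "172.16.254.1"
REQUIRED = ("local-tunnel-address", "csg-hostname", "csg-tunnel-address", "onprem-subnets")


def parse_tunnel_args(argstring):
    """Parse a '--key=value ...' string (corente-tunnel-args syntax) into a dict."""
    args = {}
    for token in shlex.split(argstring):
        if not token.startswith("--") or "=" not in token:
            raise ValueError(f"unexpected token: {token!r}")
        key, value = token[2:].split("=", 1)
        args[key] = value
    return args


def validate_tunnel_args(args):
    """Return a list of problems; an empty list means the arguments are consistent."""
    problems = [f"missing --{key}" for key in REQUIRED if not args.get(key)]
    if problems:
        return problems
    if args["csg-tunnel-address"] != CSG_TUNNEL_ADDRESS:
        problems.append(f"--csg-tunnel-address must be {CSG_TUNNEL_ADDRESS}")
    try:
        local = ipaddress.IPv4Address(args["local-tunnel-address"])
    except ValueError:
        problems.append("--local-tunnel-address is not an IPv4 address")
        return problems
    if str(local) == CSG_TUNNEL_ADDRESS:
        problems.append("--local-tunnel-address collides with the gateway tunnel address")
    # Assumption: several on-premise subnets are given comma-separated.
    for cidr in args["onprem-subnets"].split(","):
        try:
            net = ipaddress.IPv4Network(cidr, strict=True)
        except ValueError:
            problems.append(f"--onprem-subnets entry {cidr!r} is not a valid CIDR")
            continue
        if local in net:
            # Routing on-prem traffic into the GRE tunnel would then swallow the tunnel endpoint itself.
            problems.append(f"local tunnel address {local} lies inside on-premise subnet {net}")
    return problems


# The argument string used in this guide (Chapter 5 and corente-guest-launchplan2.json).
GUIDE_ARGS = ("--local-tunnel-address=172.16.1.1 "
              "--csg-hostname=csg.compute-gse00000632.oraclecloud.internal "
              "--csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.1.0/24")
```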
If you want to add an existing PaaS instance as a VPN guest, download the script onto that instance, run it as shown above, and also add that instance to the internal security list used by the Corente gateway (in our case csg-internal) so that the instance and the gateway can communicate.
Appendix
1. Orchestrations used for the corentegw-oncloud.
a. storage_vol1.json
{
  "name" : "/Compute-gse00000632/cloud.admin/orch-csg-vol",
  "description" : "The bootable volume for a compute instance hosting Corente Gateway",
  "oplans" : [
    {
      "obj_type" : "storage/volume",
      "label" : "csg-boot-vol",
      "objects" : [{
        "name" : "/Compute-gse00000632/cloud.admin/csg-boot-vol",
        "size" : "44G",
        "properties" : ["/oracle/public/storage/default"],
        "bootable" : "true",
        "imagelist" : "/oracle/public/gateway9.3.165-nimbula-6"
      }]
    }
  ]
}
b. secrule.json
{
  "name": "/Compute-gse00000632/cloud.admin/orch-secrules",
  "relationships" : [
    {
      "oplan" : "secrule-1",
      "to_oplan" : "seclist-1",
      "type" : "depends"
    },
    {
      "oplan" : "secrule-1",
      "to_oplan" : "seciplist-1",
      "type" : "depends"
    },
    {
      "oplan" : "secrule-1",
      "to_oplan" : "secapplication-1",
      "type" : "depends"
    }
  ],
  "description": "Secure Rules for Corente Gateway",
  "oplans": [
    {
      "obj_type": "seclist",
      "label": "seclist-1",
      "objects": [
        {
          "name": "/Compute-gse00000632/cloud.admin/csg-external"
        },
        {
          "name": "/Compute-gse00000632/cloud.admin/csg-internal",
          "policy": "permit"
        }
      ]
    },
    {
      "obj_type": "seciplist",
      "label": "seciplist-1",
      "objects": [
        {
          "name": "/Compute-gse00000632/cloud.admin/csg-nat-ip",
          "secipentries": ["140.86.0.91/32"]
        }
      ]
    },
    {
      "obj_type": "secapplication",
      "label": "secapplication-1",
      "objects": [
        {
          "name": "/Compute-gse00000632/cloud.admin/csg-tcp",
          "dport": 551,
          "protocol": "tcp"
        },
        {
          "name": "/Compute-gse00000632/cloud.admin/csg-udp",
          "dport": 551,
          "protocol": "udp"
        },
        {
          "name": "/Compute-gse00000632/cloud.admin/csg-gre",
          "protocol": "GRE"
        }
      ]
    },
    {
      "obj_type": "secrule",
      "label": "secrule-1",
      "objects": [
        {
          "name": "/Compute-gse00000632/cloud.admin/Public-CSG-TCP-Rule",
          "application": "/Compute-gse00000632/cloud.admin/csg-tcp",
          "src_list": "seciplist:/oracle/public/public-internet",
          "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-external",
          "action": "PERMIT"
        },
        {
          "name": "/Compute-gse00000632/cloud.admin/Public-CSG-UDP-Rule",
          "application": "/Compute-gse00000632/cloud.admin/csg-udp",
          "src_list": "seciplist:/oracle/public/public-internet",
          "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-external",
          "action": "PERMIT"
        },
        {
          "name": "/Compute-gse00000632/cloud.admin/Public-CSG-SSH-Rule",
          "application": "/oracle/public/ssh",
          "src_list": "seciplist:/oracle/public/public-internet",
          "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-external",
          "action": "PERMIT"
        },
        {
          "name": "/Compute-gse00000632/cloud.admin/CSG-Internal-GRE-Rule",
          "application": "/Compute-gse00000632/cloud.admin/csg-gre",
          "src_list": "seciplist:/Compute-gse00000632/cloud.admin/csg-nat-ip",
          "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-internal",
          "action": "PERMIT"
        }
      ]
    }
  ]
}
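An added review check, not part of the guide or Oracle's tooling: it walks a condensed, constructed copy of the secrule.json rules above and reports PERMIT rules and seclist defaults that expose more than the gateway design needs, such as the csg-internal seclist's permit inbound policy and SSH open to public-internet.

```python
# Condensed copy of the secrule.json orchestration above, constructed for this example;
# only the fields the checks read are kept, with the page's own object names.
ORCH = {"oplans": [
    {"obj_type": "seclist", "objects": [
        {"name": "/Compute-gse00000632/cloud.admin/csg-external"},
        {"name": "/Compute-gse00000632/cloud.admin/csg-internal", "policy": "permit"}]},
    {"obj_type": "secrule", "objects": [
        {"name": "Public-CSG-TCP-Rule", "application": "/Compute-gse00000632/cloud.admin/csg-tcp",
         "src_list": "seciplist:/oracle/public/public-internet",
         "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-external", "action": "PERMIT"},
        {"name": "Public-CSG-UDP-Rule", "application": "/Compute-gse00000632/cloud.admin/csg-udp",
         "src_list": "seciplist:/oracle/public/public-internet",
         "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-external", "action": "PERMIT"},
        {"name": "Public-CSG-SSH-Rule", "application": "/oracle/public/ssh",
         "src_list": "seciplist:/oracle/public/public-internet",
         "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-external", "action": "PERMIT"},
        {"name": "CSG-Internal-GRE-Rule", "application": "/Compute-gse00000632/cloud.admin/csg-gre",
         "src_list": "seciplist:/Compute-gse00000632/cloud.admin/csg-nat-ip",
         "dst_list": "seclist:/Compute-gse00000632/cloud.admin/csg-internal", "action": "PERMIT"}]}]}

PUBLIC_INTERNET = "seciplist:/oracle/public/public-internet"
INTERNAL = "/Compute-gse00000632/cloud.admin/csg-internal"

def audit_secrules(orch, internal_seclist, public_apps, internal_sources):
    """Return findings for seclists and PERMIT rules that widen exposure beyond the design.

    public_apps: applications meant to face public-internet (here Corente's 551/tcp and 551/udp).
    internal_sources: seciplists allowed to reach the internal seclist (the gateway's NAT IP).
    """
    findings = []
    for oplan in orch["oplans"]:
        if oplan["obj_type"] == "seclist":
            for sl in oplan["objects"]:
                # 'policy' is the seclist's default inbound policy; permit lets unmatched traffic in.
                if sl.get("policy", "deny").lower() == "permit":
                    findings.append(f"{sl['name']}: default inbound policy is permit")
        elif oplan["obj_type"] == "secrule":
            for r in oplan["objects"]:
                if r.get("action", "").upper() != "PERMIT":
                    continue
                if r["src_list"] == PUBLIC_INTERNET and r["application"] not in public_apps:
                    findings.append(f"{r['name']}: {r['application']} open to public-internet")
                if r["dst_list"] == "seclist:" + internal_seclist and r["src_list"] not in internal_sources:
                    findings.append(f"{r['name']}: internal seclist reachable from {r['src_list']}")
    return findings

def audit_guide_rules():
    """Run the audit against the guide's rule set: flags the permit policy and the public SSH rule."""
    return audit_secrules(ORCH, INTERNAL, {"/Compute-gse00000632/cloud.admin/csg-tcp",
                          "/Compute-gse00000632/cloud.admin/csg-udp"}, {"seciplist:/Compute-gse00000632/cloud.admin/csg-nat-ip"})
```

The SSH finding is a prompt to narrow the rule's source to administrative addresses rather than public-internet; the Corente ports themselves must stay reachable from the on-premise gateway.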
c. csglaunchplan.json
{
  "name" : "/Compute-gse00000632/cloud.admin/orch-launchplan",
  "description" : "Launch plan for Cloud Corente Gateway",
  "oplans" : [
    {
      "obj_type" : "launchplan",
      "label" : "csg-launchplan-1",
      "objects" : [
        {
          "instances" : [
            {
              "shape" : "oc3",
              "imagelist" : "/oracle/public/gateway9.3.165-nimbula-6",
              "name" : "/Compute-gse00000632/cloud.admin/cloud-csg",
              "storage_attachments" : [
                {
                  "index" : 1,
                  "volume" : "/Compute-gse00000632/cloud.admin/csg-boot-vol"
                }
              ],
              "label" : "cloud-csg",
              "networking" : {
                "eth0" : {
                  "model" : "e1000",
                  "dns" : ["csg"],
                  "seclists" : [
                    "/Compute-gse00000632/cloud.admin/csg-external",
                    "/Compute-gse00000632/cloud.admin/csg-internal"
                  ],
                  "nat" : "ipreservation:/Compute-gse00000632/cloud.admin/corentegw-ip-reservation"
                }
              },
              "boot_order" : [1],
              "virtio" : false,
              "attributes" : {
                "csg" : {
                  "uid" : "350ecefc-a546-4be2-bb71-d9262629f45c"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}
2. Orchestrations used for the Corente guest instance.
a. corente-guest-bootvol.json
{
  "name" : "/Compute-gse00000632/cloud.admin/corente-guest-bootvol",
  "description" : "The bootable volume for a Corente guest instance",
  "oplans" : [
    {
      "obj_type" : "storage/volume",
      "label" : "corente-guest-vol",
      "objects" : [{
        "name" : "/Compute-gse00000632/cloud.admin/corente-guest-vol",
        "size" : "25G",
        "properties" : ["/oracle/public/storage/default"],
        "bootable" : "true",
        "imagelist" : "/oracle/public/OL-6.6-20GB-x11-RD"
      }]
    }
  ]
}
b. corente-guest-launchplan2.json
{
  "name" : "/Compute-gse00000632/cloud.admin/corente-guest-instance",
  "label" : "corente-guest",
  "description" : "The Corente guest instance",
  "oplans" : [
    {
      "obj_type" : "launchplan",
      "label" : "corente-guest-launchplan-1",
      "objects" : [
        {
          "instances" : [
            {
              "name" : "/Compute-gse00000632/cloud.admin/corente-guest",
              "networking" : {
                "eth0" : {
                  "model" : "e1000",
                  "dns" : ["corente-guest"],
                  "seclists" : ["/Compute-gse00000632/cloud.admin/csg-internal"],
                  "nat" : "ippool:/oracle/public/ippool"
                }
              },
              "boot_order" : [1],
              "storage_attachments" : [
                {
                  "index" : 1,
                  "volume" : "/Compute-gse00000632/cloud.admin/corente-guest-vol"
                }
              ],
              "label" : "corente-guest",
              "shape" : "oc3",
              "imagelist" : "/oracle/public/OL-6.6-20GB-x11-RD",
              "attributes" : {
                "userdata" : {
                  "corente-tunnel-args" : "--local-tunnel-address=172.16.1.1 --csg-hostname=csg.compute-gse00000632.oraclecloud.internal --csg-tunnel-address=172.16.254.1 --onprem-subnets=192.168.1.0/24"
                }
              }
            }
          ]
        }
      ]
    }
  ]
}