Public CIDRs over VPN to Oracle Cloud Infrastructure

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Public CIDRs over VPN to Oracle Cloud Infrastructure

L1 Bithead

I have setup a valid VPN connection to Oracle Cloud Infrastructure leveraging to IPSEC tunnels and we can route traffic like ICMP with no problem. When trying to access public cloud services via the VPN with private transit routing through the tunnel into the Oracle Virtual Cloud Network, we simply get no response and se no traffic going over the tunnel.

 

Effectively we have created static routing rules for the 2 public CIDR routes for the cloud service, and specified the next hop as the Oracle side of the IPSEC tunnels. We've also tried with next hope set for None but the result is the same.

 

Anyone have any insight into sending public traffic across a VPN tunnel successfully?

1 accepted solution

Accepted Solutions

L4 Transporter

Hello @coltsfanatic07 

PaloAlto firewall provides route-based VPN compared to the legacy ASA firewalls which provide policy-based VPN (e.g., Access List to match the traffic).

The routing in the PaloAlto firewall for the affected CIDR traffic should be as below:
destination = CIDR

interface = IPSec tunnel interface

next hop = None

The above routing is sufficient to route the traffic to the IPSec tunnel, given that necessary security policies are in place to allow the traffic.

If the remote side is a policy-based VPN, then you may need to add the required proxy-IDs in the IPSec tunnel configuration.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

 

Anoopkumar
Network Security Engineer

View solution in original post

6 REPLIES 6

L4 Transporter

Hello @coltsfanatic07 

IPSec tunnel can carry any IP traffic irrespective of whether the payload contains public IPs or private IPs.

You may want to check how the routing is configured on both sides and also whether the necessary security policies are in place to allow the required traffic.

 

Anoopkumar
Network Security Engineer

L1 Bithead

Thank you @akuzhuppilly for your reply. I appreciate your patience as I have no familiarity or access to the Palo Alto equipment in use as its a customers environment.

 

We have to active tunnels configured. Our tunnel interfaces to not have explicit IP addresses associated to them. So, we have tried two different static routes. The first, is using the CIDR as the destination, leveraging the tunnel interfaces, and then setting the next hop to "none". We also attempting to do the same, but set the next hop to the explicit IP Address of the peers tunnel IP address. Do either of those approaches seem correct?

 

I've analyzed the OCI rules and they suggest they are configured appropriate for security and routing for on prem traffic to leverage the gateway appliance to access the appropriate CIDR. The only other caveat that comes to mind is that OCI Site-to-Site VPN uses Asymmetric Routing by default. As previously mentioned we see no problem with ICMP traffic so I don't think that is an issue. The source traffic is also not being NAT'ed, so that was another one of my concerns from a security perspective on the remote side.

L4 Transporter

Hello @coltsfanatic07 

PaloAlto firewall provides route-based VPN compared to the legacy ASA firewalls which provide policy-based VPN (e.g., Access List to match the traffic).

The routing in the PaloAlto firewall for the affected CIDR traffic should be as below:
destination = CIDR

interface = IPSec tunnel interface

next hop = None

The above routing is sufficient to route the traffic to the IPSec tunnel, given that necessary security policies are in place to allow the traffic.

If the remote side is a policy-based VPN, then you may need to add the required proxy-IDs in the IPSec tunnel configuration.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

 

Anoopkumar
Network Security Engineer

This is great @akuzhuppilly. It confirms what I thought I researched. So we do have static routing on the remote peer to allow all of the network CIDRs through. Its possible there are some additional security rules that are somehow not allowing it, but confirming the static routes on the PaloAlto side is great.

 

I'll accept your answer. Can you tell me if PAN > 8 has any issues with asymmetric routing at all? Also, given that we configure the static route, are there any other security settings on the PaloAlto side that would still block the traffic potentially?

L4 Transporter

Hello @coltsfanatic07 

 

Asymmetric routing can occasionally lead to dropped traffic due to firewall settings. To determine if packet drops are occurring, consider performing a packet capture. You can refer to the following link for assistance:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSHCA0

 

If you suspect that the Palo Alto Firewall might be dropping valid traffic, the recommended approach is to conduct a packet capture and review the global counters. This will provide a clearer understanding of the situation. For guidance, you can visit:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloNCAS

Anoopkumar
Network Security Engineer

L1 Bithead

Awesome. Thanks again for all of your help.

  • 1 accepted solution
  • 2596 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!