Multi-Path Room - Connect to an OCI VCN
This article explains how to connect an OCI (Oracle Cloud Infrastructure) VCN (Virtual Cloud Network), to a Tehama Multi-Path Room.
Overview
What is a Tehama Multi-Path Room?
A Multi-Path Room is a short way of referring to a Tehama Room that has network access type "Multi-Path". This network access type is capable of securely connecting to networks through IPSec. Multi-Path Rooms support many such connections.
See the Multi-Path Room Connectivity User Guide for more details about Multi-Path Rooms.
Currently, only Standard Rooms support the "Multi-Path" network access type. Domain Join Rooms do not, as yet, support it.
Find out what your Room's network access type is from the Room's connection page. See section View a Room's network access setting in the Room/Desktop Connectivity - Types, Status and Settings guide for details.
What is an OCI VCN?
An OCI VCN is a cloud-based private network hosted in the Oracle Cloud. See the Oracle article Virtual Cloud Network for more information.
Assumptions
- You have a Tehama organization and are an Admin or Org Manager user in that organization.
- You have an OCI VCN that contains company resources, data, etc., that you want to access, securely, from a Tehama Room.
The process to connect an OCI VCN is divided into three parts:
- Create a Tehama Multi-Path Room (optional - you can also make a connection to an existing Multi-Path Room.)
- Add and Configure a New Connection
- Check the Status of the Connection
Create a Tehama Multi-Path Room
If you want to connect your OCI VCN to one of your existing Tehama Multi-Path Rooms, simply note the Room's name and skip to the next step.
Either:
- Create a new Tehama Multi-Path Room by following the steps found in the Getting Started with Tehama Room Creation guide, under section 'Create and connect a Standard Room', selecting 'Multi-Path' as the Room's Network Access type.
or
- Convert one of your existing Rooms with 'Tehama Gateway' or 'Internet-Only' network access to use 'Multi-Path' network access, by following the steps found in the Room/Desktop Connectivity - Types, Status and Settings guide, under section 'Change a Room's Network Access setting'.
Take note of your Multi-Path Room's name, for use in the creation of your connection.
Information gathered in this step:
- The name of your Multi-Path Room.
Add and Configure a New Connection
Add and configure a connection to your OCI VCN from your Tehama Multi-Path Room as follows:
First, gather some information about your OCI VCN:
- A) OCI - Find Your VCN Info
Next, create and configure an OCI Site-to-Site VPN connection between your VCN and your Multi-Path Room:
- B) Tehama - Begin Creating a Connection in Your Multi-Path Room
- C) OCI - Create and Configure a Site-to-Site VPN Connection (and Set Up Routing)
- D) Tehama - Complete the Connection in Your Multi-Path Room
Finally, update your Multi-Path Room's firewall rules (and optionally its DNS Filtering) to allow access to resources in your VCN from your Room's Tehama Desktops:
- E) Tehama - Update Firewall Rules/DNS Filtering
Let's get started with step A.
A) Find Your VCN Info
This step looks up your VCN in the OCI management console to find the information needed to connect it to your Multi-Path Room. Before you begin, you need to know at least one of the following: your VCN's name, its CIDR block (or one of its subnets), or its OCID. (Ask your IT dept for assistance if you know none of them.)
Required information for this step:
- Your OCI account login info.
- Identifying data for your VCN, e.g.: name.
- Open a new browser tab, (referred to as the OCI browser tab).
- Log in to your OCI account in the Oracle Cloud Infrastructure Console (https://www.oracle.com/cloud/sign-in.html).
- Select the region your VCN is in from the dropdown at the top right (e.g.: "US East (Ashburn)"), then select the compartment you expect your VCN to be in from the Compartment dropdown on the left of the page.
- Navigate to Networking --> Virtual Cloud Networks. You should see a list of VCNs.
- Find the entry for your VCN in the list (identify by name; if you only know a subnet, go through the listed VCNs to find the one whose CIDR block contains that subnet; ask your IT dept for assistance if you know neither the name nor the subnet).
- Select your VCN to view its "Virtual Cloud Network Details" page.
- Take note of your VCN's CIDR block (value in the IPv4 CIDR Block field). A VCN can contain several subnets carved out of this block; if you only want your Room to reach particular subnets, note those subnets' CIDRs from the VCN's Subnets list as well.
- Take note of your VCN's compartment.
Information gathered/confirmed in this step:
- Your VCN's name.
- Your VCN's subnet.
- Your VCN's compartment.
B) Begin Creating a Connection in Your Multi-Path Room
In this step, we begin the creation of a new connection in your Multi-Path Room, to generate the pre-shared key for the connection. This key is needed for the next step, in OCI.
Required information for this step:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- Open a new browser tab, (referred to as the Tehama browser tab).
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room you want to connect to your OCI VCN. You will see the page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Click the ADD CONNECTION button. You will see the form for creating a new connection.
- Copy the Pre-shared key value.
- Copy the Room IP value.
- Copy the Room Subnet value.
Leave this browser tab open. You will return to it in step D to complete the creation of your new connection.
Note: Each time you click the ADD CONNECTION button, a new pre-shared key value is generated. If you close the new connection form you created here before completing the connection in step D, but after creating your site-to-site VPN connection in step C, the key on the next form you open will not match the one you entered in OCI; you will then need to re-create your site-to-site VPN connection in step C with the new pre-shared key value. Treat the pre-shared key as a secret: paste it only into the OCI Shared Secret field, and do not store it in tickets, chat or email.
Information gathered in this step:
- Your Multi-Path Room's new connection's pre-shared key.
- Your Multi-Path Room's Room IP.
- Your Multi-Path Room's Room subnet.
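The Room Subnet gathered here becomes the static route in OCI (step C) and the VCN CIDR from step A becomes the Target Subnet in Tehama (step D). A site-to-site VPN with static routing cannot route an address range that exists on both sides, and OCI must be able to reach the Room IP over the Internet, so it is worth checking the three values before typing them into either console. The following is an added example written for this guide; it is not Tehama or Oracle code, and every address in it is a constructed placeholder rather than a real Room or VCN value.

```python
"""Pre-check the addresses gathered in steps A and B before entering them in OCI.

Added example; not Tehama or Oracle code.  All sample values are constructed
placeholders (RFC 5737 / RFC 1918 ranges), not real Room or VCN addresses.
"""
import ipaddress
from typing import List

# Ranges that can never be a public CPE endpoint for OCI to connect to.
# The RFC 5737 documentation ranges (192.0.2.0/24 etc.) are deliberately not
# listed so the placeholder sample below passes; ipaddress.is_global would
# reject them, so use that stricter test if you prefer.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def check_vpn_addressing(room_ip: str, room_subnet: str, vcn_cidrs: List[str],
                         target_subnets: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the values are consistent.

    room_ip        - Room IP from step B (entered as the CPE IP address in OCI)
    room_subnet    - Room Subnet from step B (entered as the static route in OCI)
    vcn_cidrs      - the VCN's IPv4 CIDR block(s) from step A
    target_subnets - the Target Subnet values you intend to enter in step D
    """
    problems = []
    try:
        cpe = ipaddress.ip_address(room_ip)
    except ValueError:
        return [f"Room IP {room_ip!r} is not a valid IP address"]
    # OCI Site-to-Site VPN tunnels terminate on an IPv4 public endpoint.
    if cpe.version != 4:
        problems.append(f"Room IP {room_ip} must be an IPv4 address")
    elif any(cpe in n for n in NON_ROUTABLE):
        problems.append(f"Room IP {room_ip} is not a public (Internet-routable) address")

    try:
        room_net = ipaddress.ip_network(room_subnet, strict=True)
    except ValueError as exc:
        return problems + [f"Room Subnet {room_subnet!r} is not a valid CIDR: {exc}"]

    nets = []
    for cidr in vcn_cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            problems.append(f"VCN CIDR {cidr!r} is not a valid CIDR: {exc}")

    # Static routing cannot disambiguate addresses present on both sides of the tunnel.
    for net in nets:
        if net.version == room_net.version and room_net.overlaps(net):
            problems.append(f"Room Subnet {room_net} overlaps VCN CIDR {net}; "
                            "traffic to the overlap cannot be routed")

    # A Target Subnet outside the VCN would be routed into the tunnel but OCI has no route for it.
    for target in target_subnets:
        try:
            tnet = ipaddress.ip_network(target, strict=True)
        except ValueError as exc:
            problems.append(f"Target Subnet {target!r} is not a valid CIDR: {exc}")
            continue
        if not any(n.version == tnet.version and tnet.subnet_of(n) for n in nets):
            problems.append(f"Target Subnet {tnet} is not inside any VCN CIDR "
                            f"{[str(n) for n in nets]}")
    return problems


# Constructed sample values (placeholders, not real addresses).
SAMPLE_ROOM_IP = "203.0.113.10"
SAMPLE_ROOM_SUBNET = "172.16.100.0/24"
SAMPLE_VCN_CIDRS = ["10.0.0.0/16"]
SAMPLE_TARGETS = ["10.0.1.0/24", "10.0.2.0/24"]

if __name__ == "__main__":
    for problem in check_vpn_addressing(SAMPLE_ROOM_IP, SAMPLE_ROOM_SUBNET,
                                        SAMPLE_VCN_CIDRS, SAMPLE_TARGETS):
        print("PROBLEM:", problem)
```

Run it with the real values from steps A and B substituted for the sample constants; an overlap finding means you need a different Room Subnet (or a different set of Target Subnets) before continuing to step C.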
C) Create and Configure a Site-to-Site VPN Connection with Routing
This step creates and configures a Site-to-Site VPN Connection between your VCN and your Multi-Path Room.
Required information for this step:
- A meaningful name for your new site-to-site VPN connection.
- Your Multi-Path Room's Room IP, from step B.
- Your Multi-Path Room's Room subnet, from step B.
- Your Multi-Path Room's new connection's pre-shared key, from step B.
- Your VCN's subnet, from step A.
- Return to the OCI browser tab, where you left off in step A.
- Verify that your selected compartment is still the same compartment in which your VCN resides; see value from step A.
- Navigate to the Site-to-Site VPN Connections interface. Go to Networking → Customer Connectivity → Site-to-Site VPN.
- Click Start VPN Wizard.
- Navigate to Subnets & Security.
- Click Choose Subnets, and select the network(s) you wish to connect to your Tehama Room.
- Navigate to Site to Site VPN.
- Set Routing Type to be 'Static Routing'.
- In the field Routes to Your On-Premises Network, enter your Multi-Path Room's Room subnet, from step B.
- In the list of Shared Secret options, click on Provide Custom Shared Secret to select it.
- In the Shared Secret field, enter your Multi-Path Room's new connection's pre-shared key, from step B.
- Scroll down to the Customer Premises Equipment section.
- In the list of Customer-Premises Equipment (CPE) options, click on Create New to select it.
- In the field IP Address, enter your Multi-Path Room's Room IP, from step B.
- In the Vendor field under CPE Vendor Information, select 'Other'.
- Go to Review and Create.
- Click on Create VPN Solution. You have now finished creating your new VPN with the wizard.
- Navigate to the Site-to-Site VPN Connections interface again.
- Click on the entry for your new VPN. You will see details of your VPN, including a list of tunnels.
- Select the 1st VPN tunnel from the list.
- Click Edit.
- Click on the Show Advanced Options link to open up the advanced options section.
- Fill out the following fields as shown:
- Oracle IKE initiation: Initiator or Responder
- NAT-T enabled: Enabled
- Enable dead peer detection timeout: Initiate and Respond
- Dead peer detection timeout in seconds: 20
- Expand the "Phase One (ISAKMP) Configuration" section.
- Fill out the following fields as shown:
- Set Custom Configurations: Checked
- Custom Encryption Algorithm: AES_256_CBC
- Custom Authentication Algorithm: SHA2_256
- Custom Diffie-Hellman Group: Group14
- IKE session key lifetime in seconds: 28800
- Expand the "Phase Two (IPSec) Configuration" section.
- Fill out the following fields as shown:
- Set Custom Configurations: Checked
- Custom Encryption Algorithm: AES_256_CBC
- Custom Authentication Algorithm: HMAC_SHA1_128
- IPSec session key lifetime in seconds: 5400
- Enable perfect forward secrecy: Checked
- Perfect forward secrecy Diffie-Hellman group: Group14
These Phase One and Phase Two values are the proposal the Tehama side negotiates; IKE only completes when both peers agree on every algorithm, group and lifetime, so do not substitute other values here or the tunnel will stay Down.
- Click Save Changes. You will see the list of tunnels again.
- Copy the Oracle VPN IP Address from the entry for the 1st tunnel, to use as your VCN's public IP address in step D.
- Select the 2nd VPN tunnel from the list.
- Click Edit.
- Click on the Show Advanced Options link to open up the advanced options section.
- Fill out the following fields as shown:
- Oracle IKE initiation: Responder Only
- NAT-T enabled: Auto
- Enable dead peer detection timeout: Respond only
- Save your changes again. Your new OCI Site-to-Site VPN configuration is now complete.
Information gathered in this step:
- Your new site-to-site VPN connection's name.
- Your VCN's public IP address (the new site-to-site VPN connection's Oracle VPN IP Address, retrieved from its 1st tunnel).
D) Complete the Connection in Your Multi-Path Room
This step completes the creation of the new connection in your Multi-Path Room.
Required information for this step:
- Your VCN's subnet, from step A.
- Your VCN's public IP address (the new site-to-site VPN connection's Oracle VPN IP Address, retrieved from its 1st tunnel), from step C.
- A meaningful name for your new connection.
- A description for your new connection.
- Return to the Tehama browser tab, where you left off in step B. You should see the new connection form that you opened in that step.
Note: Each time you click the ADD CONNECTION button, a new pre-shared key value is generated. If you accidentally closed the new connection form you created in step B and need to open it again, you will need to re-create your site-to-site VPN connection in OCI with the new pre-shared key value.
- In the new connection form:
- Name - enter a meaningful name for your new connection.
- Description (optional) - enter a description for your new connection.
- Target Subnet - enter your OCI VCN subnet, from step A. The form allows you to enter more than one target subnet; click on + Add more to bring up additional target subnet fields.
- Public IP Address - enter your VCN's public IP address (the Oracle VPN IP Address from the 1st tunnel in the new Site-to-Site VPN), from step C.
- Click CONNECT.
Information gathered in this step:
- The name of your new connection in your Multi-Path Room.
E) Update Firewall Rules/DNS Filtering
Finally, this last step is to update your Multi-Path Room's firewall rules, and optionally its DNS Filtering, to allow access to resources within your OCI VCN.
If you wish to completely open access to everything in your OCI VCN, add custom firewall rules to your Multi-Path Room allowing access to the entire subnet for your OCI VCN. Otherwise, add more granular rules that allow only the hosts and ports your Desktops actually need.
See instructions on how to add firewall rules in section Add Custom Firewall Rule in the Firewall Rules User Guide.
You can optionally add an extra layer of access control on top of firewall rules through the Room's DNS Filtering feature. See the DNS Filtering guide for more details.
Check the Status of the Connection
Check the Status of the OCI VCN connection you set up between your OCI VCN and your Multi-Path Room.
Check connection status in Tehama
Required information:
- Your Tehama corporate portal login info.
- Your Multi-Path Room's name.
- The name of your new connection in your Multi-Path Room, from step D.
- Your VCN's public IP address (the new site-to-site VPN connection's Oracle VPN IP Address, retrieved from its 1st tunnel) from step C.
- Open a new browser tab.
- Log in to the Tehama Web UI.
- Click on the ROOMS tab.
- Click on the name of the Multi-Path Room that you connected to your OCI VCN. You will see the interface page for the Room.
- Click on the Room's CONNECTION tab, if you are not already on this tab.
- Find the connection in the connection table (identify by name, from step D, or by your VCN's public IP address value, which is set to the Oracle VPN IP Address of the 1st tunnel in the site-to-site VPN, from step C).
- Verify that the connection status is green.
Check connection status in OCI
Required information for this step:
- Your OCI account login info.
- Your VCN's compartment, from step A.
- Your Site-to-Site VPN Connection's name, from step C.
- Log in to your OCI account in the Oracle Cloud Infrastructure Console (https://www.oracle.com/cloud/sign-in.html).
- Select the compartment in which your VCN resides; see value from step A.
- Navigate to the Site-to-Site VPN Connections interface. Go to Networking → Customer Connectivity → Site-to-Site VPN.
- Select the new Site-to-Site VPN, by name, you created in step C. Look for the list of tunnels.
- Verify that everything is working: if it is, the IPSec Status for the 1st tunnel is Up. The 2nd tunnel is not used by the Room (only the 1st tunnel's Oracle VPN IP Address was entered in step D), so it is expected to show Down.
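Both status checks above are visual. For an automated version that also confirms nobody has changed the tunnel settings from step C, the following added example, written for this guide and not part of Tehama's or Oracle's tooling, audits the JSON printed by `oci network ip-sec-tunnel list --ipsc-id <connection OCID>`. It identifies the 1st tunnel by the Oracle VPN IP you entered in Tehama in step D rather than by list position. The kebab-case field names are assumed to follow the OCI API's IPSecConnectionTunnel schema as the CLI renders it; confirm them against your own CLI output. The sample document in the block is constructed for this example.

```python
"""Audit an OCI Site-to-Site VPN's tunnels against the settings from step C.

Added example; not Tehama or Oracle code.  Field names are assumed to match
the OCI CLI's JSON rendering of IPSecConnectionTunnel (verify against your
own `oci network ip-sec-tunnel list` output).  The sample below is constructed.
"""
import json

# Settings configured on the 1st tunnel in step C.
EXPECTED_TUNNEL_1 = {
    "oracle-can-initiate": "INITIATOR_OR_RESPONDER",
    "nat-translation-enabled": "ENABLED",
    "dpd-mode": "INITIATE_AND_RESPOND",
    "dpd-timeout-in-sec": 20,
    "phase-one-details": {
        "is-custom-phase-one-config": True,
        "custom-encryption-algorithm": "AES_256_CBC",
        "custom-authentication-algorithm": "SHA2_256",
        "custom-dh-group": "GROUP14",
        "lifetime": 28800,
    },
    "phase-two-details": {
        "is-custom-phase-two-config": True,
        "custom-encryption-algorithm": "AES_256_CBC",
        "custom-authentication-algorithm": "HMAC_SHA1_128",
        "lifetime": 5400,
        "is-pfs-enabled": True,
        "dh-group": "GROUP14",
    },
}
# Settings configured on the 2nd tunnel in step C (responder only, unused by the Room).
EXPECTED_TUNNEL_2 = {
    "oracle-can-initiate": "RESPONDER_ONLY",
    "nat-translation-enabled": "AUTO",
    "dpd-mode": "RESPOND_ONLY",
}


def _diff(expected: dict, actual, path: str = "") -> list:
    """Recursively compare expected settings with a tunnel record; list mismatches."""
    findings = []
    for key, want in expected.items():
        got = actual.get(key) if isinstance(actual, dict) else None
        if isinstance(want, dict):
            findings.extend(_diff(want, got or {}, f"{path}{key}."))
        elif got != want:
            findings.append(f"{path}{key}: expected {want!r}, found {got!r}")
    return findings


def audit_tunnels(cli_json: str, tehama_public_ip: str) -> dict:
    """Return {"ok": bool, "findings": [...]} for the CLI's tunnel listing.

    tehama_public_ip is the Public IP Address entered in Tehama in step D; the
    tunnel whose Oracle VPN IP equals it is the one the Room connects to, and
    it must be UP with every step C setting intact.  Any other tunnel is only
    checked for its responder-only settings; its status is not required to be UP.
    """
    tunnels = json.loads(cli_json).get("data", [])
    first = [t for t in tunnels if t.get("vpn-ip") == tehama_public_ip]
    others = [t for t in tunnels if t.get("vpn-ip") != tehama_public_ip]
    if len(first) != 1:
        return {"ok": False, "findings": [
            f"no single tunnel has Oracle VPN IP {tehama_public_ip}; "
            "check the Public IP Address entered in step D"]}
    t1 = first[0]
    findings = []
    if t1.get("status") != "UP":
        findings.append(f"1st tunnel {tehama_public_ip}: IPSec status is "
                        f"{t1.get('status')!r}, expected 'UP'")
    findings += _diff(EXPECTED_TUNNEL_1, t1, "tunnel1.")
    for t2 in others:
        findings += _diff(EXPECTED_TUNNEL_2, t2, "tunnel2.")
    return {"ok": not findings, "findings": findings}


# Constructed sample of the CLI output; 192.0.2.x are placeholder addresses.
SAMPLE_CLI_OUTPUT = json.dumps({"data": [
    {"display-name": "tunnel-a", "vpn-ip": "192.0.2.10", "status": "UP",
     **EXPECTED_TUNNEL_1},
    {"display-name": "tunnel-b", "vpn-ip": "192.0.2.11", "status": "DOWN",
     **EXPECTED_TUNNEL_2},
]})

if __name__ == "__main__":
    print(audit_tunnels(SAMPLE_CLI_OUTPUT, "192.0.2.10"))
```

In use, pipe the real CLI output into `audit_tunnels` with the Public IP Address from step D; a non-empty findings list either explains why the Tehama connection is not green or shows which step C setting has drifted.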