IPSec VPN Setup

Secure IPSec VPN Setup for eZintegrations

November 22, 2025 By Varshitha K N

IPSec VPN Setup provides a secure, encrypted connection between your on-premise systems and Bizdata Cloud services (eZintegrations and Goldfinch AI), using an Oracle Cloud IPSec VPN to on-premises setup. It includes IPSec concepts, tunnel parameters, architecture data flow, an Excel form for customer input, key exchange guidance, and details about testing and monitoring.

What is an IPSec Tunnel

IPSec (Internet Protocol Security) is a suite of protocols that secure IP communications by authenticating and encrypting each IP packet. An IPSec Tunnel is a secure virtual link between two endpoints, commonly used to connect corporate networks and cloud environments.

What is Peer-to-Peer Tunnelling

Peer-to-Peer (P2P) tunnelling describes a direct, encrypted connection between two gateways without involving third-party relays. It provides direct routing, reduced latency, and improved security posture for enterprise data flows.

1. Pre-requisites

  • On-prem firewall/VPN gateway details (e.g., Cisco, Palo Alto, FortiGate, Oracle VPN CPE)
  • Public static IP for the on-prem firewall WAN interface
  • Network details (internal CIDRs) for the systems that will communicate with Bizdata Cloud
  • A technical contact for configuration, and a maintenance window for testing

2. High-Level IPSec VPN Setup Steps

  • Gather network and device details.
  • Fill in and submit the IPSec Setup Excel form to the Bizdata network team.
  • Exchange IPs and security parameters securely (PSK or certificates).
  • Configure the IPSec tunnel on Oracle Cloud (DRG/VCN) and on the on-prem firewall.
  • Perform connectivity and application tests.
  • Enable monitoring and schedule periodic reviews.


3. Detailed IPSec VPN Setup Guide

Step 1 — Identify On-Premises Endpoints and Systems

  • List application servers, databases, file shares, and other systems to be accessed by Bizdata services.
  • Note down internal IP addresses and CIDR ranges (example: 192.X.X.X).
  • Identify ports & protocols required (e.g., HTTPS 443, SFTP 22, database ports 3306, 1521, custom API ports).

Step 2 — Complete the IPSec VPN Setup Excel Form

Fill out the ‘IPSec_Setup_Form.xlsx’ (attached) with accurate WAN IPs, CIDRs, device model, and contact details.
Mark a preferred maintenance window and requested go-live date.

Step 3 — Exchange Security Parameters

  • Decide whether to use Pre-Shared Key (PSK) or Certificate-based authentication.
  • Bizdata will provide a remote gateway IP, remote identifier, and recommended IKE/IPSec parameters.
  • Share your public IP and local identifier with Bizdata using an encrypted channel.


Recommended IPSec Parameters

IKE Version: IKEv2

IKEv2 is the modern IPSec key-exchange protocol that delivers faster negotiation, stronger security, and stable tunnel recovery during network changes. It’s the default choice for enterprise-grade VPN setups.

Encryption: AES-256-GCM

AES-256-GCM is a high-assurance encryption mode that delivers strong data confidentiality with built-in integrity checks, reducing overhead and accelerating IPSec performance.

Integrity / Hash: SHA-256

SHA-256 provides solid integrity validation, ensuring packets aren’t tampered with and keeping the IPSec tunnel compliant and trustworthy. When AES-256-GCM is the ESP cipher, GCM already authenticates the ESP payload, so SHA-256 is applied as the IKEv2 PRF/integrity algorithm for the IKE SA rather than as a separate ESP integrity algorithm.

Diffie-Hellman Group: 14 (or 19/21 if required)

The Diffie-Hellman group defines the strength of the key-exchange mathematics. Group 14 is 2048-bit MODP; groups 19 and 21 are 256-bit and 521-bit elliptic-curve groups. Stronger groups give the IPSec tunnel session keys that are harder to break.

  • Lifetime: 28800 seconds (Phase 2) / 28800 seconds (Phase 1) — adjust per device recommendation
  • Mode: Tunnel Mode
  • PFS: Enable (same DH group)


4. Configure Oracle Cloud (VCN/DRG) Side

  • Create or use an existing VCN and attach a DRG (Dynamic Routing Gateway) for IPSec attachments.
  • Create an IPSec connection in Oracle Console linking the DRG and the Customer-Premise Equipment (CPE) definition.
  • Provide the resulting Oracle public endpoint and pre-shared key (if used) to the on-prem team.

5. Configure On-Prem Firewall/Gateway

  • On the client firewall (e.g., Cisco ASA, Palo Alto, FortiGate), configure an IPSec tunnel with the values provided by Bizdata:
    – Remote peer (Bizdata/Oracle public IP)
    – Pre-shared key or certificate
    – Encryption and hashing algorithms
    – Local/remote subnets allowed over the tunnel
  • Apply NAT rules if necessary and ensure there are no local port conflicts.

6. Routing and Access Controls

  • Add static routes or BGP (if configured) so traffic to Bizdata subnets traverses the IPSec tunnel.
  • Update firewall rules to permit required traffic between specified internal hosts and Bizdata Cloud endpoints.
  • Configure security lists or network security groups on the Oracle side to allow traffic from your CIDRs.

7. Test Connectivity

  • From a permitted on-prem host, test:
    – ping (ICMP) to the Bizdata Cloud internal endpoint (if allowed)
    – traceroute 192.X.X.X
    – telnet 192.X.X.X XXXX
    – mtr 192.X.X.X

Check tunnel status on both ends and confirm SAs (Security Associations) are established.
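
A scriptable form of the port checks above, added here as an example that is not part of the original guide. It replaces the manual telnet test with one TCP connect attempt per required endpoint and reports which ones fail, so the same list can be re-run after every change. The endpoint labels, the loopback listener and the "nothing listening" port are constructed so the demo runs without a real tunnel; in practice you would substitute the Bizdata Cloud internal IPs and ports recorded in the Excel form.

```python
# Added example (not from the original guide): scriptable TCP reachability
# checks for Step 7, one connect attempt per required endpoint.
import socket
import threading


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.
    This is the scriptable equivalent of the manual 'telnet host port' test."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, unreachable, or timed out: all count as "not reachable".
        return False


def check_endpoints(endpoints, timeout=3.0):
    """endpoints: iterable of (label, host, port). Returns {label: reachable}."""
    return {label: check_tcp(host, port, timeout) for label, host, port in endpoints}


def summarize(results):
    """Print a one-line-per-endpoint report; return the list of failing labels."""
    failed = [label for label, ok in results.items() if not ok]
    for label, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")
    return failed


def _loopback_listener():
    """Constructed stand-in for a reachable cloud endpoint: a throwaway
    listener on 127.0.0.1 so the example runs without a real tunnel."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def _free_port():
    """A port nothing is listening on right now (stand-in for a blocked port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Run the checks against the constructed endpoints and return the results."""
    srv = _loopback_listener()
    endpoints = [
        ("api-https (constructed)", "127.0.0.1", srv.getsockname()[1]),
        ("db-1521 (constructed, nothing listening)", "127.0.0.1", _free_port()),
    ]
    try:
        return check_endpoints(endpoints, timeout=2.0)
    finally:
        srv.close()


if __name__ == "__main__":
    failed = summarize(demo())
    raise SystemExit(1 if failed else 0)
```

A non-zero exit status when any endpoint fails makes the script usable from a scheduled job as a crude tunnel health check alongside the OCI dashboard; a timeout (rather than an immediate refusal) usually points at routing or a firewall rule, while a refusal points at the service itself.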

8. Monitoring and Alerting

  • Monitor IPSec tunnel status through the OCI dashboard.
  • Set alerts for tunnel down, high latency, or packet drops.

IPSec VPN Setup: Keys and Credentials Explained

During setup, the following items are exchanged:

  • Public IP addresses of both gateways
  • Pre-Shared Key (PSK) or certificate public keys
  • Local and remote identifiers
  • Network CIDRs to allow through the tunnel

Purpose:

  • Authenticate the endpoints
  • Ensure confidentiality and integrity of data
  • Prevent unauthorized access or man-in-the-middle attacks

9. Troubleshooting Checklist

  • Verify public IPs and PSK values match both ends.
  • Confirm IKE and IPSec policies match (encryption, hashing, DH group).
  • Check for overlapping subnets and NAT issues.
  • Validate routing entries (static routes or BGP).
  • Review firewall rules and security lists/NSGs.
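
The checklist above, as an added, runnable example that is not part of the original guide: a Python pre-flight checker that validates each side's proposal against the baseline from the Recommended IPSec Parameters section, cross-checks that both ends agree, compares pre-shared keys by SHA-256 fingerprint rather than by value (which also serves the Step 3 exchange), and uses the standard-library ipaddress module to find overlapping subnets. The two configuration dictionaries, their key names, the PSK and the IP addresses are constructed sample values, and the parameter spellings (aes256gcm, sha256) are an assumed normalized form rather than any vendor's syntax.

```python
# Added example (not from the original guide): pre-flight checks for the
# troubleshooting checklist, driven by the recommended parameter baseline.
import hashlib
import ipaddress
import secrets

# Baseline taken from the "Recommended IPSec Parameters" section.
BASELINE = {
    "ike_version": {2},
    "encryption": {"aes256gcm"},
    "integrity": {"sha256"},
    "dh_group": {14, 19, 21},
    "mode": {"tunnel"},
    "pfs": {True},
}
LIFETIME_SECONDS = 28800
MATCH_KEYS = ("ike_version", "encryption", "integrity", "dh_group", "mode", "pfs", "lifetime")


def generate_psk(nbytes=32):
    """High-entropy PSK for Step 3 (secrets, not random, so it is unguessable)."""
    return secrets.token_urlsafe(nbytes)


def psk_fingerprint(psk):
    """Short SHA-256 fingerprint so both teams can confirm they hold the same
    PSK over a call or ticket without re-sending the secret itself."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def check_against_baseline(side, cfg):
    """Flag parameters that deviate from the recommended baseline."""
    findings = []
    for key, allowed in BASELINE.items():
        if cfg.get(key) not in allowed:
            findings.append(f"{side}: {key}={cfg.get(key)!r} not in recommended {sorted(map(str, allowed))}")
    if cfg.get("lifetime") != LIFETIME_SECONDS:
        findings.append(f"{side}: lifetime={cfg.get('lifetime')} differs from recommended {LIFETIME_SECONDS}")
    return findings


def check_match(local, remote):
    """Both ends must agree on policy, PSK and peer addressing."""
    findings = []
    for key in MATCH_KEYS:
        if local.get(key) != remote.get(key):
            findings.append(f"mismatch: {key} local={local.get(key)!r} remote={remote.get(key)!r}")
    if psk_fingerprint(local["psk"]) != psk_fingerprint(remote["psk"]):
        findings.append("mismatch: PSK fingerprints differ")
    if local["peer_ip"] != remote["public_ip"] or remote["peer_ip"] != local["public_ip"]:
        findings.append("mismatch: each side's peer IP must equal the other side's public IP")
    return findings


def check_overlap(local_cidrs, remote_cidrs):
    """Overlapping local/remote subnets cannot be routed over the tunnel as-is."""
    findings = []
    for a in local_cidrs:
        for b in remote_cidrs:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                findings.append(f"overlap: {a} and {b} (NAT or re-addressing needed)")
    return findings


def run_checks(local, remote):
    """All checklist items in one pass; an empty list means nothing to fix."""
    return (check_against_baseline("local", local)
            + check_against_baseline("remote", remote)
            + check_match(local, remote)
            + check_overlap(local["cidrs"], remote["cidrs"]))


# Constructed sample data (documentation address ranges, not real gateways).
# The on-prem side deliberately uses SHA-1 and DH group 5, and one CIDR overlaps.
SHARED_PSK = "constructed-example-psk-do-not-use"
LOCAL = {
    "ike_version": 2, "encryption": "aes256gcm", "integrity": "sha1",
    "dh_group": 5, "mode": "tunnel", "pfs": True, "lifetime": 28800,
    "psk": SHARED_PSK, "public_ip": "203.0.113.10", "peer_ip": "198.51.100.20",
    "cidrs": ["10.10.0.0/16", "192.168.50.0/24"],
}
REMOTE = {
    "ike_version": 2, "encryption": "aes256gcm", "integrity": "sha256",
    "dh_group": 14, "mode": "tunnel", "pfs": True, "lifetime": 28800,
    "psk": SHARED_PSK, "public_ip": "198.51.100.20", "peer_ip": "203.0.113.10",
    "cidrs": ["10.10.5.0/24"],
}

if __name__ == "__main__":
    for line in run_checks(LOCAL, REMOTE):
        print(line)
```

Running it on the sample data reports five findings: two baseline deviations on the local side (SHA-1, DH group 5), the resulting integrity and DH-group mismatches between the ends, and the 10.10.0.0/16 against 10.10.5.0/24 overlap. The fingerprint comparison is only safe for a PSK with real entropy, such as the output of generate_psk; a short or dictionary-style PSK could be recovered from its fingerprint by guessing, so generate the key first and share the fingerprint afterwards.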

FAQ

1. What is an IPSec VPN Setup for eZintegrations?

It is a secure, encrypted tunnel that connects your on-premise systems to Bizdata Cloud, enabling safe access for eZintegrations and Goldfinch AI while ensuring data confidentiality and integrity.

2. What are the key benefits of using an IPSec VPN?

Benefits include a direct encrypted connection, reduced latency, improved network performance, and secure access to enterprise applications, APIs, and databases.

3. How does IPSec VPN ensure data security?

All traffic is encrypted using AES-256-GCM and authenticated with SHA-256, while IKEv2 ensures stable key negotiation and tunnel recovery.

4. Can IPSec VPN handle large-scale operations?

Yes. It is scalable and can handle multiple endpoints, applications, and large volumes of data flows.

5. What pre-requisites are needed to set up an IPSec VPN?

You need an on-prem firewall/VPN gateway, a public static IP, network CIDRs for connected systems, and a technical contact for setup and maintenance.

6. How is the IPSec VPN configured?

Configuration involves gathering network details, completing an IPSec setup form, exchanging security parameters, configuring Oracle Cloud and on-prem firewalls, setting routing rules, testing connectivity, and monitoring the tunnel.

7. What security parameters are recommended for IPSec VPN?

Recommended settings include IKEv2, AES-256-GCM encryption, SHA-256 hash, Diffie-Hellman Group 14 or higher, tunnel mode, PFS enabled, and a lifetime of 28800 seconds for both Phase 1 & 2.

8. What keys and credentials need to be exchanged?

You need to exchange public IPs, pre-shared keys or certificates, local and remote identifiers, and allowed CIDRs to authenticate endpoints and maintain confidentiality.

9. How can IPSec VPN issues be troubleshot?

Verify matching IPs and PSKs, confirm encryption and hashing settings, check for overlapping subnets or NAT issues, and validate routing entries and firewall rules.