Da On-Prem -> OCI Journey when UR on a Budget -- aka Cheep Like Me - Part 1

 

Zip here,


Hey Cloud Boyz, my first blog as a Cloudder! Had another blog called ZippyDaDbaChimp...still around but crappo lost the creds to use it so here goes...consider this ‘Act II’ of that blog...ya know a sequel like all those damn Marvel movies. Well so been a while since I had a last entry. The pandemic is what I will blame versus my own procrastination. Damn Zebras gave it to me. Okay so I am becoming a cloud chimp. Been working on some certs for OCI and Google (got 5). Man, the Googles were tough, made my skull pop – esp the Data Engineer one – eeek!


Anyway, this entry is first in a series. Too much crap to put in one. So here goes part 1: Intro.

If anyone tells you that hooking up IPSEC to OCI is a breeze, they’re full of sh*t. So here is my take on it. Be willing to spend time on it. Oracle’s help is hit or miss and to be honest when it comes to syncing up the on-prem to the OCI compute, they are scrambling and throwing their crap against the wall like I do at the zoo. Anyway, it’s a jungle out there in the IPSEC world and what I found out is it takes a lot of trial and error. I just love the guy who has a YouTube video on the setup and just breezes through. What you don’t get is all the pre-work setup they fly over, which is the real work. Devil is in the details. So, my charge here is to give you ALL of it from stem-to-stern. Step by Step. If you can’t follow it then swing on your own vine – just trying to help.


What you will need:


1> Get a cloud account. It’s cheap for this setup (less than 25.00 a month).

2> Get VirtualBox – I set up two VMs for mine.

3> Get a download of pfSense – yeah, you will see that Oracle does not support it in the CPE setup they give you (that’s the Customer-Premises Equipment you will connect to in the OCI configuring) but there is a pretty good (albeit incomplete) document from Oracle on using it – they leave out the glue that makes it work – typical.


Once you have these three, you are ready to proceed.


Before I jump in, let’s get an idea what the set up is here.




Ok so let’s break it down.


My Side:


1> Got a physical that is connected to the internet via ISP. Get your public IP address for your ISP endpoint using the website whatismyip.com. There usually is ONE endpoint and then that is input into a NAT and translated to your local WAN (e.g. 192.168.1.x). This is how you ‘get out and in’ from your physical to the internet. You will need this IP address for setting up the CPE artifact in your cloud configuration in OCI (more on that later). So...do it now ya monkey.


2> Within that physical I have a VirtualBox VM for pfSense. This is the virtual router where the IPSEC will be configured. Might as well get the binary now too...so get it: https://www.pfsense.org/download/. Configure the prompt box like so:

 


The IP for this box is actually TWO: one for the WAN subnet (192.168.1.x) and the other for the private internal network (e.g. 192.168.2.0/24). Anyway, we will get to that later so hang out (on a limb). pfSense will act as the router (firewall) for the traffic between itself, the OCI IPSEC tunnel endpoints and the internal networked DB server VM.


So the goal is to make the connection from the local LAN network to the WAN, through the IPSEC tunnel (both sides: pfSense and OCI), to the OCI compute.


This will simulate an on-prem environment at any scale so it’s a good lab for any zoo out there.
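
A quick preflight check of the addressing described above, as an added example that is not part of the original post: it catches the mix-up of putting the NAT-side 192.168.1.x address (or a carrier-grade NAT address) in as the CPE IP, and an overlapping WAN/LAN. The function name, the /24 on the WAN subnet and every sample address are assumptions made up for illustration.

```python
import ipaddress

# Ranges never reachable from the internet: RFC 1918 plus carrier-grade NAT (RFC 6598).
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def check_plan(cpe_public_ip, wan_subnet, lan_subnet, pf_wan_ip, pf_lan_ip):
    """Return a list of problems in the lab addressing plan (empty list = OK)."""
    problems = []
    cpe = ipaddress.ip_address(cpe_public_ip)
    wan = ipaddress.ip_network(wan_subnet)
    lan = ipaddress.ip_network(lan_subnet)

    # The CPE object in OCI needs the ISP endpoint, not an address behind the NAT.
    hit = next((n for n in NON_PUBLIC if cpe in n), None)
    if hit is not None:
        problems.append(f"CPE IP {cpe} is inside {hit}: NAT-side address, not the ISP endpoint")

    # pfSense routes between WAN and LAN, so the two subnets must be distinct.
    if wan.overlaps(lan):
        problems.append(f"WAN {wan} overlaps LAN {lan}")

    # Each pfSense interface has to sit inside the subnet it serves.
    if ipaddress.ip_address(pf_wan_ip) not in wan:
        problems.append(f"pfSense WAN IP {pf_wan_ip} is not in {wan}")
    if ipaddress.ip_address(pf_lan_ip) not in lan:
        problems.append(f"pfSense LAN IP {pf_lan_ip} is not in {lan}")
    return problems


if __name__ == "__main__":
    # Constructed sample plans; 203.0.113.10 is a documentation address standing in
    # for the value whatismyip.com reports.
    good = check_plan("203.0.113.10", "192.168.1.0/24", "192.168.2.0/24",
                      "192.168.1.50", "192.168.2.1")
    bad = check_plan("192.168.1.50", "192.168.1.0/24", "192.168.1.0/24",
                     "192.168.1.50", "192.168.2.1")
    print("good plan:", good or "OK")
    for p in bad:
        print("bad plan:", p)
```
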


Well, that ends the first take on the IPSEC connection….more to come…


Stay Tuned.


