Using a Raspberry Pi to connect to Oracle OCI IPSEC VPN

20. Januar 2021

Johannes Michler PROMATIS Horus Oracle

Senior Vice President – Head of Platforms & Development

I recently set up a new “E-Business Suite on OCI” environment for a customer. During the initial setup, the customer was not able to set up a Site-2-Site Tunnel between their on-premise Data Center and the Oracle Cloud Infrastructure Data Center in Frankfurt.

To make my initial setup and testing more convenient, I decided to set up a separate VPN tunnel to my own development network. I first tried libreswan on a Raspberry Pi. The following blog post shows the (surprisingly simple) basic setup.

Oracle Documentation and my Network Setup

There is a pretty good documentation of the procedure over there:
This serves as a good starting point, however some parts of this documentation – especially regarding NAT – is a bit confusing. Let’s see which steps have to be taken.
Basically I am running a Fritz!Box router connecting my private network to the internet. Currently the Fritz!Box has a public IP address of

Setup in OCI

I assume that there is already a Virtual Cloud Network in OCI, e.g. created through terraform automation, as described at
First of all, create a Customer-Premises Equipment on OCI:


You need to provide the public IP address on that screen.
Furthermore, you need to create a Dynamic Routing Gateway (DRG) and attach it to your VCN.
Finally, create a VPN Connection in OCI:

Create IPSec Connection_Raspberry

Here you need to activate the checkbox “This CPE is behind a NAT device” and enter the private IP address of the Raspberry Pi as the CPE IKE Identifier.
In addition, select your Dynamic Routing Gateway and a static routing of
After finishing, you receive two public IP addresses from Oracle as well as a PSK for each of the tunnel endpoints:

JM Test_Raspberry

Setup on the Raspberry

The setup on the Raspberry Pi is almost 100% as described in the Oracle documentation (do everything as the “root” user):

1. Install libreswan by issuing “apt-get install libreswan”

2. Edit /etc/sysctl.conf and add the following:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

3. Apply the change with sysctl -p.

4. Create /etc/ipsec.d/oci-ipsec.conf as follows (note the indentation):

Raspberry_SetUp_Oracle OCI IPSEC VPN

5. Create /etc/ipsec.d/oci-ipsec.secrets as follows (all in one line): PSK “xG17Dn2UsdfhsdfhHKJHKJSHsdfhgsdfhsdfHJKHkJ0KJS2l2Dkjfjdfg35dgfjy”

6. Restart ipsec using systemctl restart ipsec

7. Check the log files with journalctl | grep pluto. This should give something similar to:
Dec 28 14:33:12 raspberrypi pluto[1779]: “oracle-tunnel-1” #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_384 group=MODP1536}

8. Issue “ip link show” to verify the tunnel is up:
10: vti1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ipip peer

9. Add routing on the Raspberry Pi side:
ip route add nexthop dev vti1


The VPN Tunnel should be displayed as “up” in the OCI Console. If you have suitable Routing Rules on the OCI side to send to the Dynamic Routing Gateway and there are also no firewall rules “in the way”, you should be able to issue a ping in both directions or establish a SSH connection:

SSH connection_Raspberry