GH GambleHub

VPN tunnels and IPsec

1) Why IPsec and when it is appropriate

IPsec provides L3 encryption between sites, clouds and data centers, and for remote access. Applications:
  • Site-to-Site: on-prem ↔ cloud, cloud ↔ cloud, DC ↔ DC.
  • Client VPN: admin access, jump hosts, break-glass access.
  • Backhaul/Transit: hubs and spoke VPCs/VNets (hub-and-spoke).
IPsec is appropriate when you need a standard, interoperable stack, hardware acceleration (AES-NI/DPDK/ASIC), strict crypto policies, and compatibility with network hardware.

2) Basic concepts (fast digest)

IKEv2 (Phase 1) - negotiation of parameters and peer authentication (RSA/ECDSA certificates or PSK), creation of the IKE SA.
IPsec ESP (Phase 2) - traffic encryption; Child SA (an SA for specific prefixes/interfaces).
PFS - a fresh Diffie-Hellman exchange (DH group) for each Child SA, so a compromised long-term key does not expose past traffic.
NAT-T (UDP/4500) - encapsulation of ESP in UDP when there is NAT along the path.
DPD - Dead Peer Detection: liveness probes that detect a dead peer so the stale SA can be torn down and re-established.
Rekey/Reauth - renewing keys before expiration (by lifetime or bytes transferred).

Recommended cryptographic settings:
  • IKE: 'AES-256-GCM' or 'AES-256-CBC + HMAC-SHA-256', DH 'group 14/19/20' (2048-bit MODP, 256-bit ECP, 384-bit ECP).
  • ESP: 'AES-GCM-256' (AEAD), PFS with the same groups.
  • Lifetimes: IKE 8-24 h, Child 30-60 min or by traffic volume (for example, 1-4 GB).
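The settings above are only useful if every peer's proposal string is actually checked against them. The following is an added example (not code from the page or from strongSwan) that parses strongSwan-style 'ike=' / 'esp=' proposal strings and reports deviations from a baseline. The BASELINE dictionary is an assumption that mirrors the recommendations above (AES-256, AEAD for ESP, groups 14/19/20, PFS mandatory); the algorithm names are strongSwan's, so Cisco or cloud proposals need a name mapping first.

```python
"""Check strongSwan-style ike=/esp= proposal strings against a crypto baseline.

Added example, not code from the page. BASELINE is an assumption that mirrors
the page's recommendations (AES-256, AEAD for ESP, DH groups 14/19/20, PFS).
"""
import re

BASELINE = {
    "min_key_bits": 256,
    # strongSwan names -> IANA groups: modp2048=14, ecp256=19, ecp384=20, curve25519=31
    "dh_groups": {"modp2048", "ecp256", "ecp384", "curve25519"},
    "legacy_enc": {"des", "3des", "null", "blowfish", "cast128"},
    "legacy_integ": {"md5", "sha1", "md5_128", "sha1_160"},
    "esp_requires_aead": True,
}

ENC_RE = re.compile(r"^(aes|camellia)(128|192|256)(gcm|ccm)?(8|12|16)?$")
INTEG_RE = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc|aescmac)(_\d+)?$")
PRF_RE = re.compile(r"^prf(md5|sha1|sha256|sha384|sha512|aesxcbc|aescmac)$")
DH_RE = re.compile(r"^(modp\d{3,4}|ecp(192|224|256|384|521)(bp)?|curve25519|curve448|x25519|x448)$")


def parse_proposal(proposal):
    """Classify the '-'-separated tokens of 'enc-integ-prf-dh!'.

    A trailing '!' means strict: strongSwan does not append its default
    proposals, so only the listed algorithms can be negotiated.
    """
    parsed = {"enc": [], "integ": [], "prf": [], "dh": [], "unknown": [],
              "strict": proposal.endswith("!")}
    for tok in proposal.rstrip("!").split("-"):
        m = ENC_RE.match(tok)
        if tok == "chacha20poly1305":
            parsed["enc"].append((tok, 256, True))           # (name, key bits, is AEAD)
        elif tok in BASELINE["legacy_enc"]:
            parsed["enc"].append((tok, 0, False))
        elif m:
            parsed["enc"].append((tok, int(m.group(2)), m.group(3) is not None))
        elif PRF_RE.match(tok):
            parsed["prf"].append(tok)
        elif INTEG_RE.match(tok):
            parsed["integ"].append(tok)
        elif DH_RE.match(tok):
            parsed["dh"].append(tok)
        else:
            parsed["unknown"].append(tok)
    return parsed


def check_proposal(proposal, kind, baseline=BASELINE):
    """Return a list of findings for one proposal; an empty list means compliant.

    kind is "ike" or "esp": the DH group is mandatory for IKE anyway, while for
    ESP it is what turns PFS on.
    """
    p = parse_proposal(proposal)
    findings = []
    if p["unknown"]:
        findings.append("unknown tokens: " + ", ".join(p["unknown"]))
    if not p["enc"]:
        findings.append("no encryption algorithm")
    aead_only = bool(p["enc"]) and all(aead for _, _, aead in p["enc"])
    for name, bits, aead in p["enc"]:
        if name in baseline["legacy_enc"]:
            findings.append(f"legacy encryption {name}")
        elif bits < baseline["min_key_bits"]:
            findings.append(f"{name}: {bits}-bit key below baseline minimum {baseline['min_key_bits']}")
    for integ in p["integ"]:
        if integ in baseline["legacy_integ"]:
            findings.append(f"legacy integrity {integ}")
    if not aead_only and not p["integ"]:
        findings.append("non-AEAD cipher without an integrity algorithm")
    if kind == "ike" and aead_only and not p["prf"]:
        findings.append("AEAD IKE proposal should carry an explicit PRF (e.g. prfsha256)")
    if kind == "esp" and baseline["esp_requires_aead"] and not aead_only:
        findings.append("ESP baseline requires an AEAD cipher (AES-GCM)")
    if not p["dh"]:
        findings.append("no DH group: " + ("IKE cannot negotiate" if kind == "ike" else "PFS disabled"))
    for group in p["dh"]:
        if group not in baseline["dh_groups"]:
            findings.append(f"DH group {group} not in baseline")
    if not p["strict"]:
        findings.append("missing trailing '!': default proposals are appended and a weaker one may be negotiated")
    return findings


if __name__ == "__main__":
    for kind, prop in (("ike", "aes256gcm16-prfsha256-ecp256!"), ("esp", "aes256gcm16-ecp256!"),
                       ("ike", "aes128-sha1-modp1024"), ("esp", "aes256gcm16!")):
        print(f"{kind}={prop}: {check_proposal(prop, kind) or 'OK'}")
```

Run it over the 'ike=' and 'esp=' lines of every conn before a change lands; a non-empty finding list should fail the review, not just print a warning.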

3) Topologies and tunnel types

3.1 Route-based (preferred)

Virtual interface (VTI) on each side; routes/dynamic protocols (BGP/OSPF) carry prefixes. Easier to scale and segment, better for overlapping CIDR (with NAT policies).

3.2 Policy-based

Lists of source↔destination selectors in the SA. Suitable for simple S2S without dynamic routing; becomes unwieldy with many prefixes.

3.3 GRE-over-IPsec / VXLAN-over-IPsec

L3/L2 encapsulation on top of the encrypted channel: multiprotocol, convenient for routing protocols (BGP/OSPF keepalives and multicast travel inside the tunnel) and for cases where multicast or ECMP in the underlay is needed.

4) Segmentation, routing and fault tolerance

BGP over VTI/GRE: prefix exchange, MED/LocalPref/communities for priorities, max-prefix protection.
ECMP/Active-Active: a pair of tunnels in parallel (different providers/POPs).
Active-Passive: a backup tunnel with a less preferred route (higher AD, lower LocalPref or AS-path prepend); DPD speeds up failover.
Split-tunnel: corporate prefixes via VPN only; Internet locally (lower latency and cost).
Overlapping CIDR: NAT policies at the edges or proxy subnets; if possible, redesign the addressing.

5) MTU, MSS and performance

IPsec/NAT-T overhead: about 60-80 bytes per packet. Set MTU 1436-1460 on VTI/tunnel interfaces.
MSS clamp: for TCP, set 'MSS = 1350-1380' (depends on the underlay) to avoid fragmentation.

Enable PMTUD and log ICMP "Fragmentation Needed" messages.

Hardware offload/fast-path (DPDK, AES-NI, ASIC) significantly reduces CPU load.
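Where the 60-80 bytes and the 1436 MTU come from is easy to verify by adding up the ESP fields. The following is an added example (not from the page): it computes the on-the-wire size of an ESP packet for tunnel mode (VTI) and for GRE-over-IPsec in transport mode, with and without NAT-T, for AES-GCM and AES-CBC+HMAC, and derives the largest tunnel MTU and the matching MSS clamp. Field sizes follow RFC 4303 (ESP), RFC 4106 (AES-GCM: 8-byte IV, 16-byte ICV), RFC 3602 (AES-CBC: 16-byte IV) and RFC 3948 (UDP encapsulation); the cipher table and the 1500-byte path MTU are assumptions.

```python
"""Worked MTU/MSS budget for ESP over an IPv4 underlay.

Added example, not from the page. Field sizes follow RFC 4303/4106/3602/3948;
the CIPHERS table and the 1500-byte path MTU default are assumptions.
"""

OUTER_IPV4 = 20        # outer IP header (added by tunnel mode, reused in transport mode)
NATT_UDP = 8           # UDP/4500 header when NAT-T is in use
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
GRE_HEADER = 4         # GRE header without key/sequence fields
TCP_IPV4_HEADERS = 40  # 20-byte IPv4 + 20-byte TCP without options

# cipher -> (IV bytes, ICV bytes, alignment required for payload + trailer)
CIPHERS = {
    "aes-gcm-256": (8, 16, 4),                    # AEAD: only ESP's 4-byte alignment
    "aes-cbc-256+hmac-sha256-128": (16, 16, 16),  # CBC pads to the 16-byte block
    "aes-cbc-256+hmac-sha1-96": (16, 12, 16),
}


def esp_padding(payload_len, align):
    """ESP padding bytes so that payload + trailer is a multiple of align."""
    return (-(payload_len + ESP_TRAILER)) % align


def outer_size(inner_len, cipher, nat_t=True, mode="vti"):
    """On-the-wire size of one ESP packet carrying an inner IPv4 packet of inner_len bytes.

    mode="vti": ESP tunnel mode (the inner packet is the ESP payload).
    mode="gre": GRE-over-IPsec in transport mode (GRE header + inner packet is the payload).
    """
    iv, icv, align = CIPHERS[cipher]
    payload = inner_len + (GRE_HEADER if mode == "gre" else 0)
    return (OUTER_IPV4 + (NATT_UDP if nat_t else 0) + ESP_HEADER + iv
            + payload + esp_padding(payload, align) + ESP_TRAILER + icv)


def max_inner_mtu(cipher, nat_t=True, mode="vti", path_mtu=1500):
    """Largest tunnel-interface MTU that never produces an outer packet above path_mtu."""
    for inner in range(path_mtu, 0, -1):
        if outer_size(inner, cipher, nat_t, mode) <= path_mtu:
            return inner
    raise ValueError("path MTU too small for this encapsulation")


def mss_clamp(inner_mtu, option_margin=0):
    """TCP MSS to clamp to: tunnel MTU minus IPv4+TCP headers, minus room for TCP options."""
    return inner_mtu - TCP_IPV4_HEADERS - option_margin


def budget_table(path_mtu=1500):
    """Rows of (cipher, nat_t, mode, tunnel MTU, MSS) for every combination."""
    rows = []
    for cipher in CIPHERS:
        for nat_t in (False, True):
            for mode in ("vti", "gre"):
                mtu = max_inner_mtu(cipher, nat_t, mode, path_mtu)
                rows.append((cipher, nat_t, mode, mtu, mss_clamp(mtu)))
    return rows


if __name__ == "__main__":
    for cipher, nat_t, mode, mtu, mss in budget_table():
        print(f"{cipher:30} nat_t={str(nat_t):5} {mode:3} mtu={mtu} mss={mss}")
```

For AES-GCM in tunnel mode with NAT-T the exact limit on a 1500-byte underlay is 1438, so the page's 1436 keeps a small margin; AES-CBC loses more to block padding (1422). The MSS values of 1350-1380 sit well below MTU minus 40 on purpose: they leave room for TCP options and for an underlay whose MTU is below 1500 (PPPoE, some cloud paths).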

6) Key reliability and security

PFS is mandatory; rekey before 70-80% of the lifetime has elapsed.
Authentication: where possible, ECDSA certificates from a corporate CA (or cloud CA); PSK only temporarily and with high entropy.
CRL/OCSP or a short certificate validity period.
Log authentication events and alert on repeated IKE failures.

7) Clouds and features of providers

AWS: AWS Site-to-Site VPN (formerly Managed VPN; policy-based/route-based), TGW (Transit Gateway), VGW/CGW. For performance/scale: Direct Connect, with IPsec as a backup.
GCP: Cloud VPN (Classic/HA), Cloud Router (BGP); for throughput: Interconnect.
Azure: VPN Gateway (policy/route-based), VNet-to-VNet, ExpressRoute for private L2/L3 connectivity.
Private Endpoints/PrivateLink: send traffic to PaaS through private interfaces instead of NAT egress.

8) Kubernetes and service mesh

K8s nodes inside private networks; the Pod CIDR should not "leak" to remote sites: route the Node CIDR and expose services through ingress/egress gateways.
Istio/Linkerd mTLS over IPsec: separate trust domains (mesh identity and tunnel authentication are independent layers).
Egress control: no direct access from pods to the Internet (NetworkPolicy, deny by default); allow egress only via the VTI/VPN.

9) Monitoring and logs

Tunnel SLA: latency, jitter, packet loss, SA up/down state.
BGP: neighbors, prefixes, flap counters.
IKE/ESP logs: authentication, rekey, DPD events.
Export to Prometheus (via snmp_exporter/telegraf); alerts on SA churn and RTT/PLR degradation.
Tag trace/application logs with 'site=onprem|cloud' and 'vpn=tunnel-X' for correlation.
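The IKE/ESP log events listed here (and the "alert on repeated IKE failures" requirement in section 6) can be turned into counters and alerts with a small log parser. The following is an added example, not code from the page or from strongSwan: it parses IKE-daemon lines, counts IKE SA / Child SA establishments and rekeys per connection, records the last SPIs (which must change after a rekey), and raises alerts for three failure modes: a burst of authentication failures from one peer identity, SA churn (too many Child SAs in a short window), and a dead peer (retransmit give-up after DPD). SAMPLE_LOG is constructed for the example and only loosely modelled on strongSwan charon messages with ISO timestamps; the thresholds and the metric names are assumptions.

```python
"""Count IKE/Child SA events from IKE-daemon log lines and raise alerts.

Added example, not from the page. SAMPLE_LOG is constructed (loosely modelled
on strongSwan charon syslog lines with ISO timestamps, not a captured log);
thresholds and metric names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2024-01-10T12:00:01Z gw charon: 05[IKE] IKE_SA s2s[3] established between 198.51.100.10[onprem.example]...203.0.113.10[cloud.example]
2024-01-10T12:00:01Z gw charon: 05[IKE] CHILD_SA s2s{7} established with SPIs c1a2b3d4_i e5f60718_o and TS 0.0.0.0/0 === 0.0.0.0/0
2024-01-10T12:45:02Z gw charon: 07[IKE] rekeying CHILD_SA s2s{7}
2024-01-10T12:45:02Z gw charon: 07[IKE] CHILD_SA s2s{8} established with SPIs 0a1b2c3d_i 4e5f6071_o and TS 0.0.0.0/0 === 0.0.0.0/0
2024-01-10T13:10:00Z gw charon: 09[IKE] sending DPD request
2024-01-10T13:10:45Z gw charon: 09[IKE] giving up after 5 retransmits
2024-01-10T13:11:00Z gw charon: 11[IKE] authentication of 'cloud.example' with ECDSA_WITH_SHA256_DER failed
2024-01-10T13:11:20Z gw charon: 11[IKE] authentication of 'cloud.example' with ECDSA_WITH_SHA256_DER failed
2024-01-10T13:11:40Z gw charon: 12[IKE] authentication of 'cloud.example' with ECDSA_WITH_SHA256_DER failed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ charon: \d+\[IKE\] (?P<msg>.*)$")
PATTERNS = {
    "ike_established": re.compile(r"IKE_SA (?P<conn>[\w-]+)\[\d+\] established"),
    "child_established": re.compile(
        r"CHILD_SA (?P<conn>[\w-]+)\{\d+\} established with SPIs (?P<spi_in>\w+)_i (?P<spi_out>\w+)_o"),
    "rekey": re.compile(r"rekeying CHILD_SA (?P<conn>[\w-]+)\{\d+\}"),
    "auth_failure": re.compile(r"authentication of '(?P<peer>[^']+)' with \S+ failed"),
    "dpd_timeout": re.compile(r"giving up after (?P<n>\d+) retransmits"),
}


def parse_event(line):
    """Return {"ts", "kind", ...captured fields} for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    for kind, pat in PATTERNS.items():
        hit = pat.search(m.group("msg"))
        if hit:
            return {"ts": ts, "kind": kind, **hit.groupdict()}
    return None


def _in_window(window, ts, window_s, threshold):
    """Sliding time window per key; True once `threshold` events fall within window_s."""
    window.append(ts)
    while (ts - window[0]).total_seconds() > window_s:
        window.popleft()
    return len(window) >= threshold


def analyze(lines, auth_threshold=3, auth_window_s=300, churn_threshold=3, churn_window_s=600):
    """Aggregate counters per connection and emit alerts for the three failure modes."""
    counters = defaultdict(lambda: defaultdict(int))  # conn -> event -> count
    auth_failures = defaultdict(int)                  # peer identity -> count
    spis = {}                                         # conn -> last (spi_in, spi_out)
    windows = defaultdict(deque)
    alerts, dpd_timeouts = [], 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind = ev["kind"]
        if kind in ("ike_established", "child_established", "rekey"):
            counters[ev["conn"]][kind] += 1
        if kind == "child_established":
            spis[ev["conn"]] = (ev["spi_in"], ev["spi_out"])
            if _in_window(windows[("churn", ev["conn"])], ev["ts"], churn_window_s, churn_threshold):
                alerts.append({"type": "sa_churn", "conn": ev["conn"], "ts": ev["ts"]})
        elif kind == "auth_failure":
            auth_failures[ev["peer"]] += 1
            if _in_window(windows[("auth", ev["peer"])], ev["ts"], auth_window_s, auth_threshold):
                alerts.append({"type": "auth_failures", "peer": ev["peer"], "ts": ev["ts"]})
        elif kind == "dpd_timeout":
            dpd_timeouts += 1
            alerts.append({"type": "peer_dead", "retransmits": int(ev["n"]), "ts": ev["ts"]})
    return {"counters": counters, "auth_failures": auth_failures, "spis": spis,
            "dpd_timeouts": dpd_timeouts, "alerts": alerts}


def prometheus_text(result):
    """Render the counters in Prometheus exposition format (e.g. for a textfile collector)."""
    out = []
    for conn, events in sorted(result["counters"].items()):
        for event, n in sorted(events.items()):
            out.append(f'ipsec_{event}_total{{conn="{conn}"}} {n}')
    for peer, n in sorted(result["auth_failures"].items()):
        out.append(f'ipsec_auth_failure_total{{peer="{peer}"}} {n}')
    out.append(f"ipsec_dpd_timeout_total {result['dpd_timeouts']}")
    return "\n".join(out)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    print(prometheus_text(result))
    for alert in result["alerts"]:
        print("ALERT", alert)
```

On the constructed sample this yields one peer-dead alert and one auth-failure alert, and no churn alert, since the two Child SAs are 45 minutes apart (a normal rekey). Real charon output varies by version and log level, so pin the regular expressions to the lines your daemon actually emits before relying on the counters.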

10) Troubleshooting (checklist)

1. Firewalls: UDP/500, UDP/4500 and protocol 50 (ESP) are allowed along the path (or only UDP/500 and UDP/4500 with NAT-T).
2. Clock/NTP is synchronized; otherwise IKE fails on timing and certificate validity checks.
3. IKE/ESP parameters match on both sides: ciphers, DH group, lifetimes, traffic selectors.
4. NAT-T is enabled if NAT is present.
5. DPD and rekey: not too aggressive, but not lazy (DPD 10-15 s, rekey at ~70% of the lifetime).
6. MTU/MSS: clamp MSS, check for ICMP "Fragmentation Needed".
7. BGP: filters/communities/AS-path; check for a "blackhole" due to a wrong next-hop.
8. Logs: IKE SA established? Child SA created? Does the SPI change after rekey? Any replay errors?

11) Configs (references, shortened)

11.1 strongSwan (route-based VTI + IKEv2)

ini
# /etc/ipsec.conf
# Route-based via VTI: policies are installed with the mark below as selector, and the
# VTI device sets that mark, so only traffic routed into vti0 is encrypted.
# Also set charon.install_routes = no in strongswan.conf, otherwise charon installs a
# 0.0.0.0/0 route in table 220 for the rightsubnet.
conn s2s
    keyexchange=ikev2
    auto=start
    left=%defaultroute
    leftid=@onprem.example
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    leftcert=onprem.crt
    right=203.0.113.10
    rightid=@cloud.example
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    ike=aes256gcm16-prfsha256-ecp256!
    esp=aes256gcm16-ecp256!
    dpdaction=restart
    dpddelay=15s
    ikelifetime=12h
    lifetime=45m
    mark=42

VTI (Linux):
bash
# key 42 must match mark=42 in the conn
ip tunnel add vti0 local 198.51.100.10 remote 203.0.113.10 mode vti key 42
# the VTI already enforces IPsec; disable the per-interface policy check
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up mtu 1436
ip addr add 169.254.10.1/30 dev vti0
ip route add 10.20.0.0/16 dev vti0

11.2 VyOS (BGP over VTI, MSS clamp)

bash
set interfaces vti vti0 address '169.254.10.1/30'
set interfaces vti vti0 mtu '1436'
set protocols bgp 65010 neighbor 169.254.10.2 remote-as '65020'
set protocols bgp 65010 neighbor 169.254.10.2 timers keepalive '3'
set protocols bgp 65010 neighbor 169.254.10.2 timers holdtime '9'
set firewall options mss-clamp interface-type 'all'
set firewall options mss-clamp mss '1360'

11.3 Cisco IOS (IKEv2/IPsec profile)

cisco
! AES-GCM is AEAD: no 'integrity' line, but IOS requires an explicit PRF
crypto ikev2 proposal P1
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy P1
 proposal P1
!
crypto ikev2 keyring KR
 peer CLOUD
  address 203.0.113.10
  pre-shared-key very-long-psk
!
! the profile needs at least one 'match identity remote' statement
crypto ikev2 profile IKEV2-PROF
 match address local 198.51.100.10
 match identity remote address 203.0.113.10 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local KR
!
crypto ipsec transform-set ESP-GCM esp-gcm 256
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set ESP-GCM
 set ikev2-profile IKEV2-PROF
!
! default tunnel mode is GRE over IPsec; use 'tunnel mode ipsec ipv4' for a pure VTI
interface Tunnel10
 ip address 169.254.10.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source 198.51.100.10
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-PROF

12) Policies and Compliance

Crypto profiles and lists of allowed ciphers are centralized (security baseline).
Key/cert rotation with reminders and automation.
IKE/IPsec audit logs in immutable storage (WORM/Object Lock).
Segmentation: VRF/VR domains for prod/stage/dev and the cardholder data environment (PCI DSS).

13) Specifics of iGaming/Finance

Data residency: traffic with PII/payment events goes over IPsec only within the permitted jurisdictions (routing by VRF/tags).
PSP/KYC: if the provider offers private connectivity, use it; otherwise an egress proxy with mTLS/HMAC and an FQDN allowlist.
Transaction logs: parallel writes (on-prem and in the cloud) via IPsec/PrivateLink; immutable logs.
SLOs for "money paths": separate tunnels/routes with priority and enhanced monitoring.

14) Antipatterns

PSK forever, one "generic" secret phrase.
Policy-based with many prefixes: an admin's nightmare (use VTI + BGP instead).
Ignoring MTU/MSS → fragmentation, hidden timeouts, unexplained 5xx errors.
One tunnel with no reserve; one provider.
No NTP/clock sync → spontaneous IKE drops.
"Default" ciphers (legacy groups/MD5/SHA1).
No alerts on SA/BGP flaps and RTT/PLR growth.

15) Prod Readiness Checklist

  • IKEv2 + AES-GCM + PFS (group 14/19/20), agreed lifetimes, rekey at ~70%.
  • VTI/GRE, BGP with communities and filters, ECMP or hot-standby.
  • NAT-T enabled (if necessary), UDP/500 and UDP/4500 open, ESP allowed on the path.
  • MTU 1436-1460, MSS clamp 1350-1380, PMTUD working.
  • DPD 10-15 s, reaction to a dead peer and quick SA re-establishment.
  • SA/BGP/RTT/PLR monitoring; IKE/ESP logs in centralized collection.
  • Auto-rotation of certs/keys, short TTL, OCSP/CRL, alerts.
  • Segmentation (VRF), split-tunnel, egress deny-by-default policy.
  • Cloud gateways (AWS/GCP/Azure) tested under real load.
  • Documented runbook, failover procedure and link-expansion procedure.

16) TL;DR

Build route-based IPsec (VTI/GRE) with IKEv2 + AES-GCM + PFS, dynamic BGP routing, redundancy over two independent links, and correct MTU/MSS. Enable NAT-T, DPD and regular rekeying; monitor SA/BGP/RTT/PLR; store authentication logs. In the clouds, use managed gateways and PrivateLink; in Kubernetes, do not carry the Pod CIDR over the VPN. For iGaming, keep jurisdictions and the payment environment isolated, with tightened SLOs and audits.
