HOWTO: Commission a Site-to-Site VPN Tunnel

Purpose: Bring up an IPsec site-to-site VPN tunnel, validate the encrypted path, and confirm routing with structured run records.

Difficulty: Intermediate

Track: Networking Foundations


Overview

Use this guide when a HybridOps lane needs encrypted transport between sites. The outcome is a tunnel that is not just configured, but proven: security associations are established, traffic passes across the path, and the routing state reflects the intended design.


1. Prerequisites

  • Both tunnel endpoints reachable via public IP.
  • PSK or certificate credentials prepared in the secrets manager.
  • Routing policy defined for traffic to send over the tunnel.

2. IKE Phase 1 Configuration

  • HybridOps standard cipher and DH group selection.
  • Authentication method: PSK vs certificates.
  • Lifetime and rekeying parameters.

3. IKE Phase 2 / ESP Configuration

  • ESP transform selection.
  • Traffic selector (interesting traffic) definition.
  • PFS group configuration.
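Worked example for steps 2 and 3 (added here; it is not HybridOps tooling or code from this guide): a pre-commit check that rejects a Phase 1 / Phase 2 proposal before it reaches either peer. Proposal strings follow strongSwan-style notation, the accepted algorithm sets are an assumed baseline standing in for the HybridOps standard (which this page does not spell out), and the `secrets://` reference prefix is an assumed convention for the secrets manager from step 1.

```python
"""Pre-commit check for the IKE Phase 1 and Phase 2 (ESP) proposals of a tunnel.

Added example, not part of the HOWTO. Proposal strings follow strongSwan-style
notation ("aes256gcm16-prfsha384-ecp384" for IKE, "aes256gcm16-ecp384" for ESP).
The accepted algorithm sets below are an ASSUMED baseline standing in for the
HybridOps standard, which this page does not spell out."""

from dataclasses import dataclass

# Assumed baseline (not the HybridOps standard): AEAD ciphers only, SHA-2 PRFs,
# and DH/PFS groups of at least 2048-bit MODP or 256-bit ECP strength.
ACCEPTED_CIPHERS = {"aes128gcm16", "aes256gcm16", "chacha20poly1305"}
ACCEPTED_PRFS = {"prfsha256", "prfsha384", "prfsha512"}
ACCEPTED_DH_GROUPS = {"modp2048", "modp3072", "modp4096", "ecp256", "ecp384", "ecp521"}


@dataclass
class TunnelProposal:
    ike: str              # Phase 1: cipher-prf-dhgroup
    esp: str              # Phase 2: cipher-pfsgroup (a group present means PFS is on)
    ike_lifetime_s: int   # Phase 1 SA lifetime
    esp_lifetime_s: int   # Phase 2 SA lifetime
    rekey_margin_s: int   # rekey this long before an SA expires
    auth: str             # "psk" or "cert"
    secret_ref: str       # reference into the secrets manager, never the credential itself


def check_proposal(p: TunnelProposal) -> list[str]:
    """Return findings for the proposal; an empty list means it may be committed."""
    findings = []

    ike_parts = p.ike.split("-")
    if len(ike_parts) != 3:
        findings.append(f"IKE proposal must be cipher-prf-dhgroup, got {p.ike!r}")
    else:
        cipher, prf, dh = ike_parts
        if cipher not in ACCEPTED_CIPHERS:
            findings.append(f"IKE cipher {cipher!r} not in accepted set")
        if prf not in ACCEPTED_PRFS:
            findings.append(f"IKE PRF {prf!r} not in accepted set")
        if dh not in ACCEPTED_DH_GROUPS:
            findings.append(f"IKE DH group {dh!r} not in accepted set")

    esp_parts = p.esp.split("-")
    if len(esp_parts) != 2:
        findings.append(f"ESP proposal must be cipher-pfsgroup (PFS is mandatory), got {p.esp!r}")
    else:
        cipher, pfs = esp_parts
        if cipher not in ACCEPTED_CIPHERS:
            findings.append(f"ESP cipher {cipher!r} not in accepted set")
        if pfs not in ACCEPTED_DH_GROUPS:
            findings.append(f"ESP PFS group {pfs!r} not in accepted set")

    # Child SAs must rekey under a live IKE SA, and the margin must fit inside the child lifetime.
    if p.esp_lifetime_s >= p.ike_lifetime_s:
        findings.append("ESP lifetime must be shorter than IKE lifetime")
    if not 0 < p.rekey_margin_s < p.esp_lifetime_s:
        findings.append("rekey margin must be positive and shorter than the ESP lifetime")

    if p.auth not in {"psk", "cert"}:
        findings.append(f"unknown authentication method {p.auth!r}")
    # Assumed convention: secrets-manager references use a "secrets://" prefix.
    if not p.secret_ref.startswith("secrets://"):
        findings.append("credential must be a secrets-manager reference, not an inline value")

    return findings


if __name__ == "__main__":
    proposal = TunnelProposal(
        ike="aes256gcm16-prfsha384-ecp384", esp="aes256gcm16-ecp384",
        ike_lifetime_s=86400, esp_lifetime_s=3600, rekey_margin_s=540,
        auth="psk", secret_ref="secrets://vpn/site-a-to-site-b/psk",
    )
    for finding in check_proposal(proposal) or ["proposal accepted"]:
        print(finding)
```

Run the check on both peers' intended proposals before committing them; a mismatch between the two sides is the usual reason Phase 1 never completes, and catching a weak group or a missing PFS group here is cheaper than diagnosing it from IKE logs later.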

4. Tunnel Bring-Up Validation

  • SA establishment confirmation.
  • Bidirectional traffic test.
  • DPD keepalive confirmation.

5. Routing Over the Tunnel

  • Static route or BGP advertisement over the tunnel.
  • Route verification on both peers.
  • End-to-end path probe from behind each endpoint.

6. Run-Record Capture

  • SA state and tunnel statistics.
  • Path probe output.
  • Storage location: <runtime-root>/logs/networking/vpn-tunnels/.
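Worked example for steps 4 to 6 (added here; not HybridOps tooling or code from this guide): parse the captures a bring-up produces, check each validation item, and write the structured run record under <runtime-root>/logs/networking/vpn-tunnels/. The embedded captures are constructed samples written in the style of strongSwan's `swanctl --list-sas` and `swanctl --list-conns`, `ip route show` and `ping`; the tunnel name, interface name and addresses (RFC 5737 documentation ranges) are assumptions, and on a real peer you would feed in the real output.

```python
"""Validate a brought-up IPsec tunnel from captured command output and write the
structured run record for <runtime-root>/logs/networking/vpn-tunnels/.

Added example, not part of the HOWTO. All captures below are CONSTRUCTED samples
in the style of strongSwan's `swanctl --list-sas` / `swanctl --list-conns`,
`ip route show` and `ping`; addresses are RFC 5737 documentation ranges."""

import json
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

TUNNEL = "site-a-to-site-b"   # assumed connection name

# Constructed capture: IKE_SA established and one CHILD_SA installed with traffic both ways.
SAMPLE_SAS = """\
site-a-to-site-b: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  'gw-a.example' @ 203.0.113.10[4500]
  remote 'gw-b.example' @ 198.51.100.20[4500]
  AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384
  established 312s ago, rekeying in 2820s
  site-a-to-site-b: #7, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-256/ECP_384
    installed 312s ago, rekeying in 2855s, expires in 3288s
    in  c1d2e3f4,  18432 bytes,   192 packets,     1s ago
    out f4e3d2c1,  20480 bytes,   200 packets,     1s ago
    local  10.10.0.0/16
    remote 10.20.0.0/16
"""
# Constructed capture: connection definition, which is where the DPD interval shows up.
SAMPLE_CONNS = """\
site-a-to-site-b: IKEv2, no reauthentication, rekeying every 14400s, dpd delay 30s
  local:  203.0.113.10
  remote: 198.51.100.20
"""
# Constructed captures: route table on the local peer and a probe from behind it.
SAMPLE_ROUTES = "10.20.0.0/16 dev ipsec0 scope link\n10.10.0.0/16 dev eth1 proto kernel scope link\n"
SAMPLE_PROBE = "3 packets transmitted, 3 received, 0% packet loss, time 2003ms\n"


def build_run_record(sas, conns, routes, probe, tunnel=TUNNEL):
    """Parse the four captures and return the run record with a pass/fail verdict."""
    ike = re.search(rf"^{re.escape(tunnel)}: #\d+, (\w+), IKEv2", sas, re.M)
    child = re.search(r"^\s+\S+: #\d+, reqid \d+, (\w+), [\w-]+, ESP:(\S+)", sas, re.M)
    b_in = re.search(r"^\s+in\s+\w+,\s+(\d+) bytes", sas, re.M)
    b_out = re.search(r"^\s+out\s+\w+,\s+(\d+) bytes", sas, re.M)
    remote_ts = re.search(r"^\s+remote\s+(\d+\.\d+\.\d+\.\d+/\d+)\s*$", sas, re.M)
    dpd = re.search(r"dpd delay (\d+)s", conns)
    sent_recv = re.search(r"(\d+) packets transmitted, (\d+) received", probe)

    rec = {
        "tunnel": tunnel,
        "captured_at": datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ"),
        "ike_sa": ike.group(1) if ike else "ABSENT",
        "child_sa": child.group(1) if child else "ABSENT",
        "esp_proposal": child.group(2) if child else None,
        "bytes_in": int(b_in.group(1)) if b_in else 0,
        "bytes_out": int(b_out.group(1)) if b_out else 0,
        "dpd_delay_s": int(dpd.group(1)) if dpd else None,
        "remote_selector": remote_ts.group(1) if remote_ts else None,
        "route_present": False,
        "probe_loss_pct": None,
        "findings": [],
    }
    if rec["remote_selector"]:
        rec["route_present"] = re.search(
            rf"^{re.escape(rec['remote_selector'])}\s", routes, re.M) is not None
    if sent_recv:
        sent, recv = int(sent_recv.group(1)), int(sent_recv.group(2))
        rec["probe_loss_pct"] = round(100 * (sent - recv) / sent) if sent else 100

    # One check per validation item in steps 4 and 5; a miss is recorded, never skipped.
    if rec["ike_sa"] != "ESTABLISHED":
        rec["findings"].append("IKE_SA not ESTABLISHED")
    if rec["child_sa"] != "INSTALLED":
        rec["findings"].append("CHILD_SA not INSTALLED")
    if rec["bytes_in"] == 0 or rec["bytes_out"] == 0:
        rec["findings"].append("traffic test not bidirectional (an ESP counter is zero)")
    if rec["dpd_delay_s"] is None:
        rec["findings"].append("DPD keepalive not configured")
    if not rec["route_present"]:
        rec["findings"].append("no route to the remote traffic selector")
    if rec["probe_loss_pct"] != 0:
        rec["findings"].append("end-to-end path probe lost packets")
    rec["verdict"] = "pass" if not rec["findings"] else "fail"
    return rec


def write_run_record(rec, runtime_root):
    """Store the record under <runtime-root>/logs/networking/vpn-tunnels/ and return its path."""
    out_dir = Path(runtime_root) / "logs" / "networking" / "vpn-tunnels"
    out_dir.mkdir(parents=True, exist_ok=True)
    path = out_dir / f"{rec['tunnel']}-{rec['captured_at']}.json"
    path.write_text(json.dumps(rec, indent=2) + "\n")
    return path


def record_sample_run(runtime_root=None):
    """Run the checks on the constructed captures; a temp dir stands in for <runtime-root>."""
    rec = build_run_record(SAMPLE_SAS, SAMPLE_CONNS, SAMPLE_ROUTES, SAMPLE_PROBE)
    return rec, write_run_record(rec, runtime_root or tempfile.mkdtemp())


if __name__ == "__main__":
    record, record_path = record_sample_run()
    print(f"{record['verdict']}: {record_path}")
    for finding in record["findings"]:
        print("  -", finding)
```

Run the same capture on both peers and keep both records: a CHILD_SA that is INSTALLED on one side with a zero inbound counter is the classic sign of a traffic-selector or routing mismatch on the other side, and the record makes that visible without a second login.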

License: MIT-0 for code, CC-BY-4.0 for documentation unless otherwise stated.