In modern distributed architectures, secure network peering is essential for connecting data centers, cloud VPCs, and branch sites. IKEv2 (Internet Key Exchange version 2) combined with IPsec provides a robust, standards-based mechanism for establishing secure site-to-site VPNs that deliver high security, resilience, and performance. This article walks through a practical quick setup for IKEv2-based network peering and dives into best practices, tuning tips, and common operational considerations for sysadmins, network engineers, and developers.

Why choose IKEv2 for network peering?

IKEv2 has become the preferred key exchange protocol for IPsec due to several inherent advantages:

  • Improved reliability — IKEv2 supports built-in session rekeying, Dead Peer Detection (DPD), and MOBIKE for multihoming and mobility.
  • Simpler state machine — Fewer exchange messages and clearer state transitions than IKEv1 reduce implementation complexity and bug surface.
  • Performance — Support for modern crypto (AES-GCM, ChaCha20-Poly1305), ECDH curves, and better rekey behavior improves throughput and latency characteristics.
  • Scalability — IKEv2 is well suited to both point-to-point (site-to-site) and dynamic remote access use cases, enabling consistent operational models.

High-level architecture for site-to-site peering

A typical IKEv2 peering deployment will include:

  • Two endpoint gateways (virtual routers, physical routers, or software gateways like strongSwan, libreswan, VyOS, Cisco/Juniper devices).
  • IPsec tunnel(s) protecting traffic between chosen subnets or prefixes (policy-based or route-based).
  • Network and firewall rules allowing IKE (UDP 500) and NAT-T (UDP 4500) between peers.
  • Monitoring and logging for SA states, throughput, and health checks (SNMP, syslog, IPsec status outputs).

Routing models

Two common routing models are used:

  • Policy-based (static selectors) — Define local/remote selectors (e.g., 10.0.0.0/24 ⇄ 192.168.0.0/24). Simple and predictable.
  • Route-based (tunnel interfaces) — Create tunnel interface (e.g., ipsec0) and run dynamic routing (BGP/OSPF) over the tunnel. Preferred for cloud peering and multi-prefix scenarios.

Quick setup example using strongSwan (Linux)

The following concise example assumes two Linux-based gateways (GW-A and GW-B) running strongSwan. It demonstrates a route-based IKEv2/IPsec tunnel with certificate authentication and BGP over the tunnel for prefix exchange.

Prerequisites

  • strongSwan installed (package name typically strongswan).
  • Certificates for both gateways (or use a CA you control). Using certificates avoids PSK limitations for multi-peer and scaling.
  • Appropriate firewall rules allowing UDP/500 and UDP/4500 and IP forwarding enabled.

Minimal ip forwarding and firewall rules

On both gateways:

  • Enable IPv4 forwarding: sysctl -w net.ipv4.ip_forward=1 (persist in /etc/sysctl.conf).
  • Open UDP 500 and 4500 in firewall/NACL and allow ESP (protocol 50) if NAT-T is not used.

strongSwan configuration (ipsec.conf)

Example /etc/ipsec.conf for route-based IKEv2:

config setup
charondebug="ike 2, knl 2, cfg 2"

conn %default
keyexchange=ikev2
ike=aes256gcm16-prfsha256-ecp521
esp=aes256gcm16
dpdaction=restart
dpddelay=30s
rekey=yes
leftcert=gw-a-cert.pem
leftsendcert=always
left=%any
leftsubnet=0.0.0.0/0
right=%any
rightsubnet=0.0.0.0/0
keyingtries=%forever

conn gw-a-to-gw-b
left=203.0.113.10 # GW-A public IP
right=198.51.100.20 # GW-B public IP
leftid=@gw-a.example.com
rightid=@gw-b.example.com
auto=start
type=tunnel

Notes:

  • The above uses AES-GCM and ECDH curve ecp521 as a conservative example; adjust curve and cipher combinations based on device support and performance needs.
  • The left/rightsubnet set to 0.0.0.0/0 is used here for route-based behavior with virtual interfaces — in production, prefer explicit subnets or create vti interfaces with specific routes.

Secrets and certificates

Place private keys and certs into /etc/ipsec.d/private and /etc/ipsec.d/certs and reference them in leftcert/rightcert. For PSK-based auth, add in /etc/ipsec.secrets but note PSKs do not scale and are less secure.

Bring up the tunnel and verify

  • Start strongSwan: systemctl enable --now strongswan
  • Check status: ipsec statusall or sudo swanctl --list-sas
  • Verify IKE and Child SA lifetimes, negotiated ciphers, and established tunnels in logs (/var/log/syslog or journald).

IKEv2 / IPsec parameter recommendations

Choosing the right crypto and SA parameters is crucial for security and performance. Here are recommendations:

  • IKE proposal (IKE SA): AES-GCM-16 (AES-128-GCM or AES-256-GCM) or ChaCha20-Poly1305 with SHA2 PRF. Avoid legacy 3DES and weak hashes like MD5.
  • ESP proposal (Child SA): AES-GCM or AES-CBC+SHA2 with AES-GCM preferred for authenticated encryption.
  • DH groups / ECDH curves: Use ECDHE groups (e.g., X25519, secp384r1, or secp521r1 depending on device support). For modular DH use group 19/20/21 (256/384/521-bit) or 31/32 for robust security.
  • SA lifetimes: IKE SA lifetime 8–24 hours; Child SA lifetime 1–8 hours depending on rekey impact and traffic patterns. Shorter lifetimes reduce exposure but increase CPU load for rekeys.
  • PFS: Enable Perfect Forward Secrecy (PFS) for Child SAs — choose appropriate DH group consistent with initial IKE selection.

Troubleshooting and NAT traversal

Common issues and mitigations:

  • NAT and UDP encapsulation: IKEv2 supports NAT-T and will switch to UDP/4500 for encapsulated ESP. Ensure firewall allows UDP/4500 and that NAT devices preserve endpoint port translations.
  • MTU and fragmentation: IPsec adds overhead. Configure MTU and MSS clamping on edge routers or tunnel interfaces (e.g., set MTU 1400 or use iptables TCPMSS clamp to avoid PMTUD issues).
  • Asymmetric routing: Ensure symmetric return path to avoid dropped ESP packets. Use policy-based routing or static routes to steer reply traffic via the correct tunnel interface.
  • DPD/Keepalive: Configure DPD to detect dead peers and trigger failover or rekey behavior. Some devices prefer periodic ICMP or custom monitoring probes.
  • Logs: Increase IKE/IPsec logging level temporarily to capture negotiation failures (e.g., strongSwan charondebug). Look for proposals mismatch, authentication errors, or NAT/port issues.

Operational best practices

Authentication and key management

Prefer certificates over PSKs for production peering due to easier lifecycle management and support for multiple peers. Use a private PKI or an automated CA (e.g., Vault PKI) to issue and rotate device certs. For large fleets, automate certificate enrollment (SCEP/EST/ACME where applicable).

Redundancy and high availability

Implement HA using active/standby pairs and dynamic routing (BGP) over IKEv2 tunnels. Use multiple tunnels to different physical locations and employ BFD or fast failover timers to reduce routing convergence time.

Monitoring and alerting

  • Track SA counts, rekey rates, and throughput. Sudden rekey storms or frequent SA churn can indicate misconfiguration or aggressors.
  • Instrument J-Flow/sFlow or netflow exports behind the tunnel to observe application behavior across peers.

Performance tuning

Offload crypto to hardware where possible (AES-NI, dedicated crypto accelerators). Tune IKE and ESP SA lifetimes to balance CPU usage and security. Consider using AES-GCM and modern curves for better CPU efficiency, or ChaCha20 on devices lacking AES acceleration.

Security hardening checklist

  • Disable weak ciphers and legacy negotiation modes.
  • Restrict IKE proposals to only trusted peers via explicit IDs and ACLs.
  • Use firewall rules to limit management and IKE endpoints to known addresses.
  • Implement certificate revocation checks where possible, and plan for emergency revocation procedures.
  • Audit logs regularly for anomalous SA attempts or repeated authentication failures.

When to use route-based vs. policy-based tunnels

Choose route-based tunnels when you need:

  • Dynamic routing (BGP/OSPF) between peers for many prefixes and automatic failover.
  • Multi-tenant or cloud VPC scenarios where routing control is essential.

Choose policy-based tunnels for:

  • Simple, small-scale site-to-site links with a few specific subnet selectors.
  • Devices that lack robust tunnel interface support but do support IPsec selectors.

Example of running BGP over the IPsec tunnel

Once the tunnel interface is up, run a BGP session between the two gateways to exchange prefixes. On Linux, create a vti (virtual tunnel interface) or use a specific tunnel routing interface, then configure a BGP daemon (e.g., FRR or Bird) to peer across the tunnel. Ensure keepalives and MD5/TTL security settings for BGP are used according to your risk model.

Conclusion

IKEv2 with IPsec offers a secure, flexible, and performant foundation for network peering between data centers, cloud environments, and branch sites. By using certificates, modern ciphers, route-based designs for dynamic routing, and proper operational practices (monitoring, HA, and certificate lifecycle management), organizations can build peering links that are resilient and easy to manage. Careful attention to MTU, NAT traversal, and SA lifetimes will reduce operational friction and improve throughput.

For more detailed guides, configuration snippets for specific vendors, and managed IP addressing advice, visit Dedicated-IP-VPN at https://dedicated-ip-vpn.com/.