HOWTO: Commission a Site-to-Site VPN Tunnel
Site-to-site IPsec tunnels are the encrypted underlay for all HybridOps inter-site traffic — on-prem to Hetzner, on-prem to GCP, and DR path segments. This HOWTO covers commissioning a VPN tunnel from scratch: IKE policy and ESP transform selection, peer authentication with pre-shared keys or certificates, tunnel bring-up validation, DPD health monitoring, and routing traffic over the tunnel. The result is a validated tunnel with a structured run record that the edge blueprint references.
What this covers:
- IKE phase 1 and phase 2 configuration with HybridOps-standard cipher and DH group selections
- Tunnel bring-up validation: SA establishment, traffic test, and DPD keepalive confirmation
- Routing configuration over the tunnel and end-to-end path probe records
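The bring-up validation and run-record steps above can be driven from the peer's status output. The script below is an added example for this HOWTO, not HybridOps tooling: it assumes a strongSwan peer, approximates the layout of `swanctl --list-sas` and `swanctl --list-conns` with constructed samples, and uses an illustrative cipher allow-list (the HybridOps-standard cipher and DH group selections are not restated here). It checks that the IKE SA is established, the CHILD SA is installed, traffic has passed in both directions, DPD is configured, and the negotiated IKE/ESP proposals fall inside the allow-list, then emits a structured run record.

```python
"""Validate a commissioned IPsec tunnel from strongSwan status text and build a run record.
Assumptions (not from the HOWTO): strongSwan peer, swanctl-style output, illustrative policy."""
import json
import re

# Illustrative allow-list (assumption, not the HybridOps standard).
ALLOWED_ENCR = {"AES_GCM_16-256", "AES_GCM_16-128", "AES_CBC-256"}
ALLOWED_INTEG = {"HMAC_SHA2_256_128", "HMAC_SHA2_384_192", "HMAC_SHA2_512_256"}
ALLOWED_DH = {"MODP_3072", "MODP_4096", "ECP_256", "ECP_384", "CURVE_25519"}
WEAK_TOKENS = {"3DES", "MD5", "SHA1", "MODP_768", "MODP_1024", "MODP_1536"}

# Constructed sample of `swanctl --list-sas` for a tunnel named hq-to-hetzner.
SAMPLE_SAS = """\
hq-to-hetzner: #1, ESTABLISHED, IKEv2, 6c9b16a5c8ad6e51_i* 5f3b5e1a6c4d8f7a_r
  local  'hq.example.invalid' @ 203.0.113.10[500]
  remote 'hetzner.example.invalid' @ 198.51.100.20[500]
  AES_GCM_16-256/PRF_HMAC_SHA2_384/ECP_384
  established 42s ago, rekeying in 13758s
  hq-to-hetzner: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-256
    installed 42s ago, rekeying in 3158s, expires in 3918s
    in  c14e5bcb,   1860 bytes,    20 packets,     3s ago
    out c9ef5e8b,   1860 bytes,    20 packets,     3s ago
    local  10.10.0.0/16
    remote 10.20.0.0/16
"""

# Constructed sample of `swanctl --list-conns` for the same connection.
SAMPLE_CONNS = """\
hq-to-hetzner: IKEv2, no reauthentication, rekeying every 14400s, dpd delay 30s
  local:  203.0.113.10
  remote: 198.51.100.20
  hq-to-hetzner: TUNNEL, rekeying every 3600s, dpd action is restart
    local:  10.10.0.0/16
    remote: 10.20.0.0/16
"""


def parse_sas(text, conn):
    """Pull IKE state, IKE proposal, CHILD SA state, ESP proposal and packet counters."""
    rec = {"ike_state": None, "ike_proposal": None, "child_state": None,
           "esp": None, "in_packets": 0, "out_packets": 0}
    for line in text.splitlines():
        s = line.strip()
        m = re.match(rf"{re.escape(conn)}: #\d+, (\w+), IKEv\d", s)
        if m:
            rec["ike_state"] = m.group(1)
            continue
        m = re.match(rf"{re.escape(conn)}: #\d+, reqid \d+, (\w+), TUNNEL, ESP:(\S+)", s)
        if m:
            rec["child_state"], rec["esp"] = m.group(1), m.group(2)
            continue
        if re.fullmatch(r"[A-Z0-9_-]+(/[A-Z0-9_-]+)+", s):  # ENCR[/INTEG]/PRF/DH line
            rec["ike_proposal"] = s
            continue
        m = re.match(r"(in|out)\s+[0-9a-f]+,\s+\d+ bytes,\s+(\d+) packets", s)
        if m:
            rec[f"{m.group(1)}_packets"] = int(m.group(2))
    return rec


def parse_dpd(text, conn):
    """Return the configured DPD delay (seconds) from the top-level connection line, or None."""
    for line in text.splitlines():
        if line.startswith(f"{conn}:"):
            m = re.search(r"dpd delay (\d+)s", line)
            return int(m.group(1)) if m else None
    return None


def check_policy(ike_proposal, esp_proposal):
    """Return findings for negotiated algorithms outside the allow-list or known weak."""
    findings = []
    ike = ike_proposal.split("/")
    if ike[0] not in ALLOWED_ENCR:
        findings.append(f"IKE encryption {ike[0]!r} not in allowed set")
    if ike[-1] not in ALLOWED_DH:
        findings.append(f"IKE DH group {ike[-1]!r} not in allowed set")
    if len(ike) == 4 and ike[1] not in ALLOWED_INTEG:  # non-AEAD proposals carry INTEG
        findings.append(f"IKE integrity {ike[1]!r} not in allowed set")
    esp = esp_proposal.split("/")
    if esp[0] not in ALLOWED_ENCR:
        findings.append(f"ESP encryption {esp[0]!r} not in allowed set")
    for token in ike + esp:
        if any(weak in token for weak in WEAK_TOKENS):
            findings.append(f"weak algorithm {token!r} negotiated")
    return findings


def validate_tunnel(sas_text, conns_text, conn):
    """Build the structured run record: observed state, per-check booleans, overall result."""
    sa = parse_sas(sas_text, conn)
    dpd = parse_dpd(conns_text, conn)
    findings = check_policy(sa["ike_proposal"] or "", sa["esp"] or "")
    checks = {
        "ike_sa_established": sa["ike_state"] == "ESTABLISHED",
        "child_sa_installed": sa["child_state"] == "INSTALLED",
        "traffic_both_directions": sa["in_packets"] > 0 and sa["out_packets"] > 0,
        "dpd_configured": dpd is not None,
        "cipher_policy": not findings,
    }
    return {"connection": conn, "observed": sa, "dpd_delay_s": dpd, "checks": checks,
            "policy_findings": findings, "result": "PASS" if all(checks.values()) else "FAIL"}


if __name__ == "__main__":
    print(json.dumps(validate_tunnel(SAMPLE_SAS, SAMPLE_CONNS, "hq-to-hetzner"), indent=2))
```

Run the traffic test before capturing `--list-sas`, otherwise the packet counters are zero and `traffic_both_directions` fails by design; the `FAIL` record still lists which check tripped, which is what the edge blueprint run record needs.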