
Personal anecdote, sure, but: YES.

Back when I was supposed to connect our office to the new parent company's network via IPSec, I spent actual, full days on the phone with both the parent company's IT and our firewall vendor, until eventually we confirmed that some PFS variations are broken in one of the devices, but others are not. And it's probably not economically feasible to fix. Debugging that involved going entirely nuts with Wireshark, learning the IPSec spec to understand the phases going on, and so on, and so on. It's one of those projects that eventually made me question my very own skills.

With WireGuard for our production datacenter site-to-site connections... it took about 2 days to have a fully automated installation and key management setup in Ansible. About half a day was spent figuring out that our cloud provider filtered traffic not coming from the IP of a VM by default. And then everything just worked. And it's an easily extended mesh between datacenters. And WireGuard even has usable logging about traffic.

But yes, the lesson is: IPSec without having endpoints from the same vendor with a vendor guarantee that they will work together is absolute pain. It either works securely within the first few hours, or probably never. Yes, I've been touched in a bad place by IPSec.
