Full-Mesh IPsec Network: 10 Dos and 500 Don'ts

How do you secure your internal network when your servers are located in different continents/providers and you don't trust or even manage your network?

IPSec is a great way to secure a network but it's usually deployed as a way of connecting a small group of trusted networks, and both the tools and existing documentation reflect this. This is not really an option in some environments where you don't really control the network and want to interoperate across different providers, so you find yourself sailing through uncharted waters at times when trying to build a fully meshed network with IPSec, where each server can establish a secure connection to any other server in its cluster.

In this talk we'll explore our journey from idea to full deployment in production, while focusing in all the mistakes we made along the way and all the deficiencies that we've found in terms of tooling and documentation. After the talk you should have a better understanding of how IPSec can be useful to you, and a bunch of things you should avoid when considering implementing it (because trust me, they don't work).

Currently the SRE team lead at Hosted Graphite, Fran has previously been mostly responsible for causing (and occasionally preventing) outages in varied fields such as advertising, online gaming and sports betting. Do not ask him about chatops.