diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml
index 2bb1fdad5e80f97949d8c8f9b08263826714cc95..48e2544747247096e69a7271546324d7b857596c 100644
--- a/roles/network_plugin/cilium/defaults/main.yml
+++ b/roles/network_plugin/cilium/defaults/main.yml
@@ -51,3 +51,6 @@ cilium_deploy_additionally: false
 # information about this kind of setups.
 cilium_auto_direct_node_routes: false
 cilium_native_routing_cidr: ""
+
+# IPsec based transparent encryption between nodes
+cilium_ipsec_enabled: false
\ No newline at end of file
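Review bot: The new `cilium_ipsec_enabled` default says nothing about the companion `cilium_ipsec_key` that check.yml asserts on and cilium-secret.yml.j2 expands, so an operator who flips the flag only discovers the key requirement from a failed assert. Extend the comment above the default, e.g. `# Requires cilium_ipsec_key to be set (Cilium IPsec key material; keep it in ansible-vault, not plain group_vars).` followed by `# See tasks/check.yml and templates/cilium-secret.yml.j2.` The change also drops the file's trailing newline.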
diff --git a/roles/network_plugin/cilium/tasks/check.yml b/roles/network_plugin/cilium/tasks/check.yml
new file mode 100644
index 0000000000000000000000000000000000000000..88ebfe95834c1e3c506b0cecb7b2938ee83f40f5
--- /dev/null
+++ b/roles/network_plugin/cilium/tasks/check.yml
@@ -0,0 +1,9 @@
+---
+- name: Cilium | Check cilium_ipsec_enabled variables
+  assert:
+    that:
+      - "cilium_ipsec_key is defined"
+    msg: "cilium_ipsec_key should be defined to use cilium_ipsec_enabled"
+  when:
+    - cilium_ipsec_enabled
+    - cilium_tunnel_mode in ['vxlan']
\ No newline at end of file
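Review bot: The assert in check.yml only fires when `cilium_tunnel_mode` is `vxlan`, but nothing else in the change restricts IPsec to that mode: cilium-config.yml.j2 sets `enable-ipsec` and cilium-secret.yml.j2 expands `cilium_ipsec_key` purely on `cilium_ipsec_enabled`, so with a non-vxlan tunnel mode and no key the failure surfaces late as an undefined variable in the secret template instead of this clear message. Either drop the tunnel-mode condition, or, if IPsec is intended to be vxlan-only here, assert that as well so the other modes are refused explicitly. The check also accepts an empty string (a vaulted-but-empty value); `- "cilium_ipsec_key is defined"` / `- "cilium_ipsec_key | length > 0"` catches that. The file is missing its trailing newline.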
diff --git a/roles/network_plugin/cilium/tasks/install.yml b/roles/network_plugin/cilium/tasks/install.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7a8750d5dac8da61fee318c7a1d176fe12385b01
--- /dev/null
+++ b/roles/network_plugin/cilium/tasks/install.yml
@@ -0,0 +1,48 @@
+---
+- name: Cilium | Ensure BPFFS mounted
+  mount:
+    fstype: bpf
+    path: /sys/fs/bpf
+    src: bpffs
+    state: mounted
+
+- name: Cilium | Create Cilium certs directory
+  file:
+    dest: "{{ cilium_cert_dir }}"
+    state: directory
+    mode: 0750
+    owner: root
+    group: root
+
+- name: Cilium | Link etcd certificates for cilium
+  file:
+    src: "{{ etcd_cert_dir }}/{{ item.s }}"
+    dest: "{{ cilium_cert_dir }}/{{ item.d }}"
+    state: hard
+    force: yes
+  with_items:
+    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
+    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
+    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
+
+- name: Cilium | Create Cilium node manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item.file }}"
+  with_items:
+    - {name: cilium, file: cilium-config.yml, type: cm}
+    - {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
+    - {name: cilium, file: cilium-cr.yml, type: clusterrole}
+    - {name: cilium, file: cilium-secret.yml, type: secret, when: cilium_ipsec_enabled}
+    - {name: cilium, file: cilium-ds.yml, type: ds}
+    - {name: cilium, file: cilium-deploy.yml, type: deploy}
+    - {name: cilium, file: cilium-sa.yml, type: sa}
+  register: cilium_node_manifests
+  when:
+    - inventory_hostname in groups['kube-master']
+
+- name: Cilium | Enable portmap addon
+  template:
+    src: 000-cilium-portmap.conflist.j2
+    dest: /etc/cni/net.d/000-cilium-portmap.conflist
+  when: cilium_enable_portmap
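Review bot: The `when: cilium_ipsec_enabled` key inside the `cilium-secret.yml` item of "Create Cilium node manifests" is plain item data, not a condition — Ansible only evaluates the task-level `when`, so the secret manifest is templated on every master even with `cilium_ipsec_enabled: false`, where `cilium_ipsec_key` is normally undefined and the template task errors out. Gate on the item instead: `when:` / `  - inventory_hostname in groups['kube-master']` / `  - item.when | default(true)`. Separately, the rendered secret contains the IPsec key in cleartext under `{{ kube_config_dir }}` with whatever the default umask gives, so tighten that item, e.g. `mode: "{{ '0600' if item.type == 'secret' else omit }}"` on the template call. The duplicated tasks in tasks/main.yml are removed in this same change, so this file is now the only copy.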
diff --git a/roles/network_plugin/cilium/tasks/main.yml b/roles/network_plugin/cilium/tasks/main.yml
index 2960c62535d45bfea0a8e5cc8ae634e1bc89d0e6..515536094faa85525b775de40f8e6680ea06904f 100644
--- a/roles/network_plugin/cilium/tasks/main.yml
+++ b/roles/network_plugin/cilium/tasks/main.yml
@@ -1,47 +1,4 @@
 ---
-- name: Cilium | Ensure BFPFS mounted
-  mount:
-    fstype: bpf
-    path: /sys/fs/bpf
-    src: bpffs
-    state: mounted
+- import_tasks: check.yml
 
-- name: Cilium | Create Cilium certs directory
-  file:
-    dest: "{{ cilium_cert_dir }}"
-    state: directory
-    mode: 0750
-    owner: root
-    group: root
-
-- name: Cilium | Link etcd certificates for cilium
-  file:
-    src: "{{ etcd_cert_dir }}/{{ item.s }}"
-    dest: "{{ cilium_cert_dir }}/{{ item.d }}"
-    state: hard
-    force: yes
-  with_items:
-    - {s: "{{ kube_etcd_cacert_file }}", d: "ca_cert.crt"}
-    - {s: "{{ kube_etcd_cert_file }}", d: "cert.crt"}
-    - {s: "{{ kube_etcd_key_file }}", d: "key.pem"}
-
-- name: Cilium | Create Cilium node manifests
-  template:
-    src: "{{ item.file }}.j2"
-    dest: "{{ kube_config_dir }}/{{ item.file }}"
-  with_items:
-    - {name: cilium, file: cilium-config.yml, type: cm}
-    - {name: cilium, file: cilium-crb.yml, type: clusterrolebinding}
-    - {name: cilium, file: cilium-cr.yml, type: clusterrole}
-    - {name: cilium, file: cilium-ds.yml, type: ds}
-    - {name: cilium, file: cilium-deploy.yml, type: deploy}
-    - {name: cilium, file: cilium-sa.yml, type: sa}
-  register: cilium_node_manifests
-  when:
-    - inventory_hostname in groups['kube-master']
-
-- name: Cilium | Enable portmap addon
-  template:
-    src: 000-cilium-portmap.conflist.j2
-    dest: /etc/cni/net.d/000-cilium-portmap.conflist
-  when: cilium_enable_portmap
+- include_tasks: install.yml
\ No newline at end of file
diff --git a/roles/network_plugin/cilium/templates/cilium-config.yml.j2 b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
index 4385f3baea9ebb1a91fab13c6b5191cfd2a356b1..d430fe733d4ea417c725c7e123a09fb775ba15ce 100644
--- a/roles/network_plugin/cilium/templates/cilium-config.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-config.yml.j2
@@ -155,3 +155,10 @@ data:
   hubble-metrics-server: ":9091"
 {% endif %}
 {% endif %}
+
+  # IPsec based transparent encryption between nodes
+{% if cilium_ipsec_enabled %}
+  enable-ipsec: "true"
+  ipsec-key-file: /etc/ipsec/keys
+  encrypt-node: "false"
+{% endif %}
\ No newline at end of file
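Review bot: `encrypt-node: "false"` is hard-coded in the new IPsec block while the comment above it promises "transparent encryption between nodes", which reads as if all inter-node traffic is covered; as far as I can tell Cilium's `encrypt-node` is the switch for host (node-to-node) traffic, so with it off only pod traffic is encrypted and host-network traffic stays cleartext. State that in the comment and consider exposing it, e.g. `encrypt-node: "{{ cilium_ipsec_node_encryption | default(false) | string | lower }}"` with a matching default in defaults/main.yml. The comment line itself sits outside the `{% if %}`, so it is rendered into the ConfigMap's `data:` section even when IPsec is disabled; moving it inside the block keeps the rendered output clean. The file loses its trailing newline.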
diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
index 07eb78fb9dbe36cd9f833d08392a8d2b8d812d1f..1c79cc140ba90b6df0e4759017a6838e2ac92996 100644
--- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2
@@ -166,6 +166,11 @@ spec:
           readOnly: true
         - mountPath: /run/xtables.lock
           name: xtables-lock
+{% if cilium_ipsec_enabled %}
+        - mountPath: /etc/ipsec
+          name: cilium-ipsec-secrets
+          readOnly: true
+{% endif %}
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       hostPID: false
@@ -280,6 +285,11 @@ spec:
       - configMap:
           name: cilium-config
         name: cilium-config-path
+{% if cilium_ipsec_enabled %}
+      - name: cilium-ipsec-secrets
+        secret:
+          secretName: cilium-ipsec-keys
+{% endif %}
   updateStrategy:
     rollingUpdate:
       # Specifies the maximum number of Pods that can be unavailable during the update process.
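Review bot: The `cilium-ipsec-secrets` volume added at the end of the volumes list has no `defaultMode`, so the projected key file gets Kubernetes' default 0644 and is readable by every process in the agent container, not just the agent. The mount in the earlier hunk is already `readOnly: true`; adding `defaultMode: 0400` under `secret:` closes the remaining gap at no cost since the agent runs as root. The enclosing pod spec and DaemonSet start outside this hunk.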
diff --git a/roles/network_plugin/cilium/templates/cilium-secret.yml.j2 b/roles/network_plugin/cilium/templates/cilium-secret.yml.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a5fcc56eba38a83f90733c6b217ee735f094851b
--- /dev/null
+++ b/roles/network_plugin/cilium/templates/cilium-secret.yml.j2
@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+data:
+  keys: {{ cilium_ipsec_key }}
+kind: Secret
+metadata:
+  name: cilium-ipsec-keys
+  namespace: kube-system
+type: Opaque
\ No newline at end of file
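Review bot: `keys: {{ cilium_ipsec_key }}` under `data:` must be a base64-encoded value, but nothing in the change encodes it or tells the operator to, and the expansion is unquoted, so a raw Cilium key line in the documented form (e.g. `3 rfc4106(gcm(aes)) <hex> 128`) would both break the YAML and be rejected by the API server. Either encode in the template, `keys: "{{ cilium_ipsec_key | b64encode }}"`, or switch `data:` to `stringData:` and keep the plaintext line; whichever is chosen, document the expected format of `cilium_ipsec_key` next to its use. Since this variable is key material, the same doc should steer operators to ansible-vault rather than plain inventory vars. The file is missing its trailing newline.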