I'm not familiar with high end networking equipment so I might still not understand fully what a LTM does.

Wireguard has a keep-alive functionality to keep the NAT tunnel open and re-connects if something changes in the connection (i.e. for example the client is transitioning from a wifi to a LTE connection). The lowest value you can set this is to send acks every second, with default value of 25.

Does it still need configuration in the LTM to maintain a persistent state or does this suffice?


Afaik Wireguard can do that already, aka you can set a single "server" instance that knows all "clients" in its config and then set all clients to only know the "server" in their config, the "hub and spoke" topology. https://www.jordanwhited.com/posts/wireguard-endpoint-discovery-nat-traversal/
Everyone will be able to see everyone else even if the clients don't know all IPs or keys, but of course everything will be routed through the "VIP" server because that's the only one that knows all clients. (in that article the guy goes on and adds the ability to bypass the VIP when sending stuff between peers, but of course you still need the VIP for the first connection)

This is more or less the "default" situation for most people, with all their devices inside a NATted network that are connecting to a single "server" in a cheapo cloud VM or their home server with a public IP.

A simpler protocol is better. CC20 will be fast anyways, as it's based around basic bitshifts, which any processor can do effeciently anyways.