[Swan] GUIDE: Opportunistic IPsec mesh for Amazon EC2 instances on AWS

Paul Wouters paul at nohats.ca
Mon May 13 17:09:03 UTC 2019


Amazon wrote a guide on how to use Opportunistic IPsec to encrypt all
your AWS node traffic (mesh encryption, AKA any-to-any encryption)


See below for the introduction of their guide.


This Quick Start deploys an opportunistic Internet Protocol Security
(IPsec) mesh that sets up dynamic IPsec tunnels between your Amazon
Elastic Compute Cloud (Amazon EC2) instances on the Amazon Web Services
(AWS) Cloud.

IPsec is a protocol for in-transit data protection between hosts. The
manual configuration of site-to-site IPsec between multiple hosts can be
an error-prone and intensive task, and the effort to keep the mesh
parameters in sync can be significant. Using opportunistic IPsec, you
can set up an IPsec mesh for a large number of hosts by using a simple
and uniform configuration that does not need to change when you add or
remove hosts.

The Quick Start sets up an opportunistic IPsec mesh environment in about
5 minutes in your AWS account. The implementation uses Libreswan, an
open-source implementation of IPsec encryption and Internet Key Exchange
(IKE) version 2. The Quick Start sets up an environment that automates
the following:

- Configuration of opportunistic IPsec when EC2 instances are launched.
- Generation of instance certificates and weekly re-enrollment.
- IPsec monitoring metrics in Amazon CloudWatch for each EC2 instance.
- Alarms and notifications through CloudWatch and Amazon Simple
   Notification Service (Amazon SNS) in case of IPsec setup or certificate
   re-enrollment failures.
- An initial generation of a certificate authority (CA) root key if
   needed, including AWS Identity and Access Management (IAM) policies and
   customer master keys (CMKs) to protect the CA key and instance key.

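As an added illustration (not part of this post or of the Amazon Quick Start), this is the general shape of a Libreswan opportunistic IPsec connection that gives every host the same uniform configuration: each instance authenticates with its own CA-issued certificate, and a group policy file lists the subnet, so adding or removing instances needs no per-peer changes. The certificate nickname, file name and the 10.0.0.0/16 subnet are assumed placeholders.

```ini
# /etc/ipsec.d/oe-mesh.conf (illustrative; assumed file name, nickname and subnet)
# The matching group file /etc/ipsec.d/policies/private lists the subnet
# to protect, e.g. 10.0.0.0/16; "private" means a peer that cannot
# negotiate IPsec is dropped rather than reached in cleartext.
conn private
    # identical on every instance: no per-peer addresses or keys
    left=%defaultroute
    leftid=%fromcert
    leftcert=instance-cert          # NSS nickname of this instance's certificate (assumed)
    leftrsasigkey=%cert
    right=%opportunisticgroup       # any peer in the policy group, any-to-any
    rightid=%fromcert
    rightrsasigkey=%cert
    authby=rsasig                   # both sides prove identity with CA-signed certs
    ikev2=insist
    auto=ondemand                   # tunnel is negotiated when traffic first appears
    negotiationshutdown=hold        # hold packets while IKE negotiates
    failureshutdown=drop            # never fall back to cleartext on failure
    keyingtries=1
    retransmit-timeout=2s
```

Watching for instances whose negotiation ends in the drop state is the kind of failure the Quick Start's CloudWatch alarms are meant to surface.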