Hi,

Amazon wrote a guide on how to use Opportunistic IPsec to encrypt all your AWS node traffic (mesh encryption, AKA any-to-any encryption):

https://aws.amazon.com/quickstart/architecture/libreswan-ipsec-mesh/

See below for the introduction of their guide.

Paul

This Quick Start deploys an opportunistic Internet Protocol Security (IPsec) mesh that sets up dynamic IPsec tunnels between your Amazon Elastic Compute Cloud (Amazon EC2) instances on the Amazon Web Services (AWS) Cloud. IPsec is a protocol for in-transit data protection between hosts. The manual configuration of site-to-site IPsec between multiple hosts can be an error-prone and intensive task, and the effort to keep the mesh parameters in sync can be significant. Using opportunistic IPsec, you can set up an IPsec mesh for a large number of hosts by using a simple and uniform configuration that does not need to change when you add or remove hosts.

The Quick Start sets up an opportunistic IPsec mesh environment in about 5 minutes in your AWS account. The implementation uses Libreswan, an open-source implementation of IPsec encryption and Internet Key Exchange (IKE) version 2.

The Quick Start sets up an environment that automates the following:

- Configuration of opportunistic IPsec when EC2 instances are launched.
- Generation of instance certificates and weekly re-enrollment.
- IPsec monitoring metrics in Amazon CloudWatch for each EC2 instance.
- Alarms and notifications through CloudWatch and Amazon Simple Notification Service (Amazon SNS) in case of IPsec setup or certificate re-enrollment failures.
- An initial generation of a certificate authority (CA) root key if needed, including AWS Identity and Access Management (IAM) policies and customer master keys (CMKs) to protect the CA key and instance key.

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
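To make concrete what "a uniform configuration that does not need to change when you add or remove hosts" looks like in Libreswan, here is an illustrative certificate-based opportunistic mesh configuration; it is an added example and not the Quick Start's own files. The conn keywords are standard Libreswan ones, but the VPC CIDR, the certificate nickname and the exempted addresses are assumptions chosen for the example.

```ini
# /etc/ipsec.d/mesh.conf  (illustrative; assumed file name)
# The identical file is installed on every instance. Peer identity and
# trust come from each instance's X.509 certificate (issued by the mesh
# CA), not from a per-host peer list, so adding or removing an instance
# changes nothing here.
conn private
    type=tunnel
    ikev2=insist
    left=%defaultroute
    leftcert=instance-cert        # NSS nickname; assumed placeholder
    leftid=%fromcert
    leftsendcert=always
    leftauth=rsasig
    right=%opportunisticgroup     # peers = addresses listed in policies/private
    rightid=%fromcert
    rightauth=rsasig
    # Accept only peers whose certificate chains to our own CA.
    leftca=%same
    rightca=%same
    narrowing=yes
    # Hold packets while IKE negotiates instead of leaking plaintext, and
    # drop rather than fall back to clear if negotiation fails.
    negotiationshunt=hold
    failureshunt=drop
    keyingtries=1
    retransmit-timeout=2s
    auto=ondemand

# /etc/ipsec.d/policies/private  (one CIDR per line; assumed VPC range)
# Traffic to these addresses must be encrypted; the conn above is named
# "private" so this file selects it.
10.0.0.0/16

# /etc/ipsec.d/policies/clear  (assumption: endpoints that cannot do IPsec)
# Exempt the EC2 instance metadata service and the VPC DNS resolver so an
# instance can still bootstrap and enroll its certificate.
169.254.169.254/32
10.0.0.2/32
```

With failureshunt=drop, a host whose certificate re-enrollment failed loses mesh connectivity rather than silently talking in the clear, which is exactly the condition the CloudWatch alarms described above are meant to surface.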
