Posted On: May 8, 2019

This Quick Start deploys an opportunistic Internet Protocol Security (IPsec) mesh that sets up dynamic IPsec tunnels between Amazon Elastic Compute Cloud (Amazon EC2) instances in your Amazon Web Services (AWS) account. 

IPsec is a protocol for protecting data in transit between hosts. Manually configuring site-to-site IPsec between many hosts is error-prone and labor-intensive, and keeping the mesh parameters in sync across all of them takes significant ongoing effort. With opportunistic IPsec, you can set up an IPsec mesh for a large number of hosts from a single, uniform configuration that does not need to change when you add or remove hosts.

The Quick Start sets up an environment that automates the configuration of opportunistic IPsec when EC2 instances are launched. It also generates instance certificates with weekly re-enrollment, sets up IPsec monitoring metrics in Amazon CloudWatch, and configures alarms and notifications through CloudWatch and Amazon Simple Notification Service (Amazon SNS).

The Quick Start is automated by an AWS CloudFormation template that sets up the opportunistic IPsec mesh environment in about 5 minutes. The implementation uses Libreswan, an open-source implementation of IPsec encryption and Internet Key Exchange (IKE) version 2.
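To make the "uniform configuration" concrete, here is an added illustrative Libreswan opportunistic IPsec configuration; it is not taken from the Quick Start's own templates. It assumes a VPC CIDR of 10.0.0.0/16, an instance certificate enrolled into the NSS database under the nickname `instance-cert`, and a single CA shared by every instance in the mesh (all three are assumptions for this example).

```ini
# Added illustrative Libreswan configuration (not the Quick Start's own files).
# Assumptions: VPC CIDR 10.0.0.0/16, NSS certificate nickname "instance-cert",
# and one common CA for all instances in the mesh.

# File: /etc/ipsec.d/policies/private-or-clear
# Peers in this range are tunneled when they can authenticate, otherwise reached in the clear.
10.0.0.0/16

# File: /etc/ipsec.d/policies/clear
# Peers that must always stay in the clear (constructed example: the VPC DNS resolver).
10.0.0.2/32

# File: /etc/ipsec.d/oe-mesh.conf
# The conn is named after its policy file and is byte-for-byte identical on every
# instance: adding or removing a host changes nothing here, only its certificate.
conn private-or-clear
    type=tunnel
    ikev2=insist                 # IKEv2 only, as the Quick Start uses
    authby=rsasig                # certificate-based authentication
    left=%defaultroute           # this instance, whatever its address is
    leftid=%fromcert             # identity comes from our own certificate
    leftcert=instance-cert
    leftrsasigkey=%cert
    leftsendcert=always
    right=%opportunisticgroup    # any peer matched by the policy file
    rightid=%fromcert            # peer identity comes from its certificate
    rightrsasigkey=%cert
    rightca=%same                # peer cert must chain to the same CA as ours
    negotiationshunt=hold        # hold packets while IKE is negotiating
    failureshunt=passthrough     # the "or-clear" part: fall back to cleartext on failure
    keyingtries=1
    retransmit-timeout=2s        # give up quickly on hosts that do not speak IKE
    narrowing=yes
    auto=ondemand                # tunnels come up on first packet, not at boot
```

Note that `failureshunt=passthrough` is a deliberate fail-open choice: a peer that cannot authenticate is still reachable in the clear, so a downgrade is silent unless the IPsec monitoring metrics are watched. To fail closed instead, use `failureshunt=drop` in a conn named `private` with its CIDRs in `/etc/ipsec.d/policies/private`.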

You can also download the AWS CloudFormation templates that automate the deployment from GitHub.

Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices. This Quick Start was built by AWS solutions architects and security consultants.