
Opportunistic IPsec Mesh for Amazon EC2 Instances on AWS

Configure dynamic IPsec tunnels between Amazon EC2 instances

This Quick Start deploys an opportunistic Internet Protocol Security (IPsec) mesh that sets up dynamic IPsec tunnels between your Amazon Elastic Compute Cloud (Amazon EC2) instances on the Amazon Web Services (AWS) Cloud.

IPsec is a protocol for in-transit data protection between hosts. Manually configuring site-to-site IPsec between many hosts is error-prone and labor-intensive, and keeping the mesh parameters in sync across all hosts takes significant ongoing effort. With opportunistic IPsec, you can set up an IPsec mesh for a large number of hosts using a simple, uniform configuration that does not need to change when you add or remove hosts.

The Quick Start sets up an opportunistic IPsec mesh environment in about 5 minutes in your AWS account. The implementation uses Libreswan, an open-source implementation of IPsec encryption and Internet Key Exchange (IKE) version 2. The Quick Start sets up an environment that automates the following:

  • Configuration of opportunistic IPsec when EC2 instances are launched.
  • Generation of instance certificates and weekly re-enrollment.
  • IPsec monitoring metrics in Amazon CloudWatch for each EC2 instance.
  • Alarms and notifications through CloudWatch and Amazon Simple Notification Service (Amazon SNS) in case of IPsec setup or certificate re-enrollment failures.
  • Initial generation of a certificate authority (CA) root key, if needed, including the AWS Identity and Access Management (IAM) policies and customer master keys (CMKs) that protect the CA key and the instance keys.
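As an added illustration of the uniform configuration described above (this is example material, not the Quick Start's own files), the following Libreswan policy group and connection definition authenticate peers by X.509 certificate rather than by address, so the same text can be installed unchanged on every instance. The VPC CIDR 10.0.0.0/16 and the NSS certificate nickname ec2-host are assumed placeholders.

```ini
# Added example, not the Quick Start's configuration.
# Assumed values: VPC CIDR 10.0.0.0/16, NSS certificate nickname "ec2-host".

# --- /etc/ipsec.d/policies/private ---------------------------------
# Prefixes listed in the "private" group MUST be reached over IPsec.
# Adding or removing instances inside the prefix needs no change here.
10.0.0.0/16

# --- /etc/ipsec.d/oe-mesh.conf -------------------------------------
# The conn name must match the policy group file name above.
conn private
    type=tunnel
    left=%defaultroute
    # Our identity is taken from the certificate subject, not hard-coded,
    # so this block is byte-identical on every host in the mesh.
    leftid=%fromcert
    leftcert=ec2-host
    leftrsasigkey=%cert
    # The peer is whoever answers inside the policy group; it must present
    # a certificate issued by the same CA that issued ours.
    right=%opportunisticgroup
    rightid=%fromcert
    rightrsasigkey=%cert
    rightca=%same
    authby=rsasig
    ikev2=insist
    # Queue packets while IKE runs; if negotiation fails, drop rather than
    # silently fall back to clear text.
    negotiationshunt=hold
    failureshunt=drop
    keyingtries=1
    retransmit-timeout=2s
    # Install the trap policy at startup; IKE is triggered by the first packet.
    auto=ondemand
```

Because failureshunt=drop is set, a peer that cannot authenticate is never reached in clear text; the separate private-or-clear group exists for prefixes where unencrypted fallback is acceptable, and should be used only for such prefixes.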

This Quick Start was developed by AWS.

AWS Service Catalog administrators can add this architecture to their own catalog.  

What you'll build

The Quick Start sets up the following serverless architecture to provision an IPsec mesh between your EC2 instances, optionally restricting it to a virtual private cloud (VPC):

  • Three AWS Lambda functions: one for issuing a certificate, one for setting up IPsec on an EC2 instance, and one for re-enrolling certificates. Additionally, if you don't have a pre-existing CA certificate and key, the Quick Start uses a fourth Lambda function to generate a CA certificate and store it in a new Amazon Simple Storage Service (Amazon S3) bucket.
  • Two customer master keys (CMKs): one for protecting the CA key and one for protecting the host key in transit.
  • Three S3 buckets: for the IPsec configuration, for the CA certificate and key, and for the host key.
  • A CloudWatch event that fires when an EC2 instance is launched, and a scheduled weekly event for certificate re-enrollment.
  • A CloudWatch alarm that watches for IPsec configuration failures, and an Amazon SNS topic that you can subscribe to for notifications.

The diagram illustrates the steps automated by the Quick Start IPsec environment. For a detailed description of each step, see the deployment guide.
How to deploy

To deploy the opportunistic IPsec mesh environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

  1. If you don't already have an AWS account, sign up at, and sign in to your account.
  2. Launch the Quick Start. The deployment takes about 5 minutes.
  3. Configure the IPsec network by editing the files in the S3 bucket.
  4. (Optional) Launch an EC2 instance for testing.
  5. (Optional) Test the connection on the EC2 instance.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.

Cost and licenses

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

Tip: After you deploy the Quick Start, we recommend that you enable the AWS Cost and Usage Report to track costs associated with the Quick Start. This report delivers billing metrics to an S3 bucket in your account. It provides cost estimates based on usage throughout each month, and finalizes the data at the end of the month. For more information about the report, see the AWS documentation.

This Quick Start uses Libreswan, which is provided under the GNU General Public License, version 2.