Linux IPSec between Amazon EC2 instances on same subnet

Tags: amazon-ec2, ipsec, linux-networking

I have a requirement to secure all communications between our Linux instances on Amazon EC2. We need to treat the EC2 network as compromised and therefore want to protect the data that's being transferred within the EC2 subnet(s). The instances to secure will all be on the same subnet. I'm a Windows bod with limited Linux abilities, so I am familiar with IPSec terminology and can find my way around Linux, but haven't got a clue when it comes to setting up Linux IPSec environments.

Can anyone throw me some information for setting up IPSec between all (Linux) hosts on a subnet please? I can only find information that pertains to site-to-site connections or host-to-host connections, and nothing that covers all LAN communication. We're currently using OpenSwan for site-to-site VPNs if that helps.

Updated with more information

This is an example config (very basic to connect between two hosts using a pre-shared key):

    # Host-to-host tunnel between 10.0.2.4 and 10.0.2.5, authenticated with a
    # pre-shared key from ipsec.secrets. Parameters must be indented under conn.
    conn test
        type=tunnel
        auto=start
        authby=secret
        left=10.0.2.4
        right=10.0.2.5
        pfs=yes

If I now want to secure all traffic between 4 hosts for instance (or 8, 10, 100, etc.), is there a way to make the left and right parameters more generic, so they mean 'encrypt traffic between all hosts' rather than having to explicitly specify a left and right host?

My goal would be to achieve a generic configuration that has no hardcoded host IPs (subnets would be OK), so that we could include the configuration in our EC2 image.

Thanks Mick

Best Answer

The short story: yes, there should not be any problem running tunnels between hosts on a subnet; instead of adding routes to networks behind endpoints you would have to add host routes (/32) instead.

A generic guide on how to set up a site-to-site tunnel could be of use: Building a site-to-site VPN with Debian/Ubuntu and Openswan

I would personally use OpenVPN because of its much simpler nature, but if IPSec is required you will have to use OpenSwan.
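The answer's approach (one host-to-host tunnel per peer, which Openswan installs as /32-to-/32 policies) still needs a conn section per peer, but the asker's wish for no hardcoded local address can be met with `left=%defaultroute`, which makes Openswan use the host's own address from the default route. The script below is an added example, not code from the question, the answer or the Openswan project: it generates those per-peer conn sections from a list of subnet peers, skipping the host's own address. The peer addresses, the `peer-` naming scheme and the `gen_ipsec_conf`/`emit_conn`/`count_conns` function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: generate Openswan host-to-host conn sections for every peer
# on the subnet. Peer list and function names are constructed for illustration.

# emit_conn PEER_IP : print one host-to-host conn section for a single peer.
# left=%defaultroute lets Openswan pick this host's own address at start-up,
# so the same generated file works on every instance built from the image.
emit_conn() {
    peer="$1"
    # Constructed naming scheme: conn names may not contain dots, so swap them for underscores
    name="peer-$(printf '%s' "$peer" | tr . _)"
    printf 'conn %s\n' "$name"
    printf '    type=tunnel\n'
    printf '    auto=start\n'
    printf '    authby=secret\n'
    printf '    pfs=yes\n'
    printf '    left=%%defaultroute\n'
    printf '    right=%s\n' "$peer"
    printf '\n'
}

# gen_ipsec_conf SELF_IP PEER_IP... : print conn sections for every peer except
# the host itself (a host must never be given a tunnel to its own address).
gen_ipsec_conf() {
    self="$1"; shift
    for peer in "$@"; do
        [ "$peer" = "$self" ] && continue
        emit_conn "$peer"
    done
}

# count_conns SELF_IP PEER_IP... : how many conn sections would be generated.
count_conns() {
    gen_ipsec_conf "$@" | grep -c '^conn '
}

# Constructed sample: four hosts on 10.0.2.0/24, run on the instance 10.0.2.4.
PEERS="10.0.2.4 10.0.2.5 10.0.2.6 10.0.2.7"
gen_ipsec_conf 10.0.2.4 $PEERS
```

Running it on 10.0.2.4 prints three conn sections (for .5, .6 and .7); writing the output to a file under /etc/ipsec.d/ picks it up through the usual `include /etc/ipsec.d/*.conf` line in ipsec.conf. The pre-shared key still has to be supplied in ipsec.secrets; a single `%any %any : PSK "..."` entry keeps that file free of host addresses too, with the caveat that every instance built from the image then holds the same secret and can join the mesh, so the image and the key must be protected accordingly. Each pair of hosts needs its own section on both sides, so the peer list itself is the one piece of per-deployment data this approach cannot remove.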