ojbyer (n00b; joined 07 Sep 2005; 41 posts)
Posted: Tue Aug 15, 2006 2:26 am. Post subject: host-to-host ipsec using OpenSwan?
I'd like to set up IPsec so that all the computers on my LAN can talk to each other. However, every guide I've found talks about network-to-network tunnels or host-to-network tunnels.
Is there any way to set up secure communication between all the hosts on my network without routing all the traffic through one computer?
think4urs11 (Bodhisattva; joined 25 Jun 2003; 6659 posts; location: above the cloud)
Posted: Tue Aug 15, 2006 5:31 am
Basic HowTos for Openswan and (as an alternative) OpenVPN.
HTH
T.
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
sundialsvc4 (Guru; joined 10 Nov 2005; 436 posts)
Posted: Sun Sep 24, 2006 9:44 pm
When you configure a VPN tunnel, what you are effectively doing is building a connection between two specific computers (say) on the Internet, which permits a range of "local" addresses on each side to become accessible to users on the "other" network, as though they were, indeed, local. The connection, once made, can be one-way ("I can see you, but you can't see me"), or two-way.
Once the connection is successfully made, the host OS (Linux or otherwise) on each machine "automagically" sends traffic that is destined for the mapped range of local addresses through the tunnel to the other side. The process is entirely transparent, and occurs entirely in the respective kernels.
Subsystems like the OpenSwan or Racoon "ISAKMP" daemons are actually used only for the negotiation process that establishes the connection, whereby the two sides exchange "proposals" to decide how the traffic must be encrypted, how to deal with NAT traversal through a firewall, and so forth.
If you're mapping a large local network in this way, the easiest way to do it is with a VPN-enabled router appliance. It works exactly like an ordinary router, but it's capable of using VPN encryption for specified links. A Linux (or other) computer can, of course, serve as the gateway instead. The local network's routers need to be told to send the traffic to the Linux box, and the Linux box needs to be told how to forward it.
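The thread never shows what the host-to-host case ojbyer asked about looks like in Openswan, so here is an ipsec.conf for it, added as an example; it is not taken from any of the posts or from the Openswan project's documentation. It assumes two LAN hosts at 192.168.1.10 and 192.168.1.20 (constructed addresses), that `ipsec newhostkey` has been run on each, and that the `0sAQ...` values are replaced with the real keys printed by `ipsec showhostkey --left` on one host and `ipsec showhostkey --right` on the other. The point that distinguishes it from the tunnel configurations in the usual guides is `type=transport` with no `leftsubnet`/`rightsubnet`: the security association protects traffic between exactly these two addresses, and nothing is routed through a gateway.

```conf
# /etc/ipsec.conf for Openswan 2.x, installed identically on both hosts.
# Example configuration; addresses, ids and key strings are placeholders.
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=no          # both peers sit on the same LAN, no NAT between them

# Transport mode: the SA covers only traffic between these two hosts.
# No leftsubnet/rightsubnet, so neither side acts as a gateway.
conn hosta-hostb
    type=transport
    left=192.168.1.10
    leftid=@hosta.lan
    leftrsasigkey=0sAQ...     # placeholder: output of `ipsec showhostkey --left` on hosta
    right=192.168.1.20
    rightid=@hostb.lan
    rightrsasigkey=0sAQ...    # placeholder: output of `ipsec showhostkey --right` on hostb
    authby=rsasig             # host keys, not a shared secret that every LAN host would know
    ike=aes128-sha1-modp2048  # pin the algorithms instead of accepting 3DES/MD5 defaults
    esp=aes128-sha1
    pfs=yes
    auto=start                # negotiate as soon as pluto starts, on both ends

# Add one conn section per further pair of hosts. The same file can be
# distributed to every host: Openswan works out which end is "left" by
# matching the left=/right= addresses against its own interfaces.
```

After `ipsec setup restart` on both hosts, `ipsec auto --status` should show `hosta-hostb` with both an ISAKMP SA and an IPsec SA established, and `tcpdump -ni eth0 host 192.168.1.20` on hosta should show only ESP packets rather than cleartext; `ipsec verify` reports kernel and daemon problems if it does not. With the kernel's native IPsec stack, `ip xfrm policy` lists the per-host policies pluto installed, which is the "entirely in the kernel" part sundialsvc4 describes: once negotiation is done the daemon is idle. The cost of avoiding a central gateway is that a LAN of N hosts needs N(N-1)/2 conn sections and a copy of every peer's public key on every host.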