<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>You could try setting up IPSec for only a portion of the subnet, using the subnet mask to limit which hosts use IPSec. Change the hosts within that portion of the subnet, then change the mask to include more hosts, set them to use IPSec, and keep going until the entire subnet is swapped over. </div><div><br>On Feb 9, 2016, at 4:25 PM, Matthew Boedicker <<a href="mailto:mboedicker@pivotal.io">mboedicker@pivotal.io</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr">We want a policy which says try to use IPsec to all hosts in a subnet but fall back to clear communication if the other host doesn't support IPsec.<div><br></div><div>This policy would be used to do a rolling deploy of strongSwan to an entire subnet with zero downtime. The hosts that get strongSwan still need to be able to talk to the hosts that have not been updated with strongSwan yet. When all hosts have strongSwan, then the insecure "mixed" mode would be turned off and IPsec would be required.<div><div><br></div></div></div><div>It sounds like this setting may not exist because this is an atypical use case for strongSwan.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 9, 2016 at 11:52 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Matthew,<br>
<br>
actually the default policy settings of the Linux kernel will<br>
transmit all communications not matched by an IPsec policy in the<br>
clear.<br>
<br>
Regards<br>
<br>
Andreas<br>
<span class=""><br>
On 02/09/2016 07:23 PM, Matthew Boedicker wrote:<br>
</span><div><div class="h5">> Are there any configuration settings that can make strongswan "fail<br>
> open" when in host-to-host transport mode? It would try to negotiate an<br>
> encrypted connection but fall back to communicating in the clear if the<br>
> encryption failed for some reason.<br>
><br>
> Thanks.<br>
><br>
<br>
</div></div>======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
===========================================================[ITA-HSR]==<br>
<br>
</blockquote></div><br></div>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Users mailing list</span><br><span><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a></span><br><span><a href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></span></div></blockquote></body></html>