[strongSwan] fail open mode for strongswan

Matthew Boedicker mboedicker at pivotal.io
Tue Feb 9 22:25:44 CET 2016

We want a policy that says: try to use IPsec to all hosts in a subnet, but
fall back to clear communication if the other host doesn't support IPsec.

This policy would be used to do a rolling deploy of strongSwan to an entire
subnet with zero downtime. The hosts that get strongSwan still need to be
able to talk to the hosts that have not been updated with strongSwan yet.
When all hosts have strongSwan, then the insecure "mixed" mode would be
turned off and IPsec would be required.

It sounds like this setting may not exist because this is an atypical use
case for strongSwan.

On Tue, Feb 9, 2016 at 11:52 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Matthew,
> Actually, the default policy settings of the Linux kernel will
> transmit all communications not matched by an IPsec policy in the
> clear.
> Regards
> Andreas
> On 02/09/2016 07:23 PM, Matthew Boedicker wrote:
> > Are there any configuration settings that can make strongswan "fail
> > open" when in host-to-host transport mode? It would try to negotiate an
> > encrypted connection but fall back to communicating in the clear if the
> > encryption failed for some reason.
> >
> > Thanks.
> >
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
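The kernel behaviour Andreas describes is what makes a rolling deploy possible, but it also means the state of a half-upgraded subnet is easy to get wrong: a peer with no XFRM policy is reached in the clear, a peer whose policy has a required template but no SA yet is not reached at all (the kernel queues an ACQUIRE to the IKE daemon and drops the packet if no SA comes up, i.e. it fails closed), and only a peer with both a policy and a matching SA is actually protected. The following audit script is an added example, written for this thread; it is not strongSwan code and not from the original post. It parses the text dumps of `ip xfrm policy show` and `ip xfrm state show` and classifies each destination as `ipsec`, `clear`, `pending` or `blocked`. The embedded dumps are constructed samples, the addresses 10.0.0.x are assumed, and the hex key material is a placeholder.

```python
"""Audit which peers a host currently talks to in the clear, via IPsec,
or not at all, from `ip xfrm policy show` / `ip xfrm state show` output.

Added example for the strongSwan fail-open thread; not strongSwan's own code.
"""
import ipaddress
import subprocess

# Constructed sample of `ip xfrm policy show` on 10.0.0.1 (assumed address):
#  - 10.0.0.2 and 10.0.0.3: transport-mode policies with a required template
#  - 10.0.0.5: policy whose template is marked optional ("level use")
#  - 10.0.0.9: explicit block policy
#  - 10.0.0.4: no policy at all (the not-yet-upgraded peer)
SAMPLE_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32
	dir out priority 367231 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32
	dir in priority 367231 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 1 mode transport
src 10.0.0.1/32 dst 10.0.0.3/32
	dir out priority 367231 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 2 mode transport
src 10.0.0.1/32 dst 10.0.0.5/32
	dir out priority 367231 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 3 mode transport level use
src 10.0.0.1/32 dst 10.0.0.9/32
	dir out action block priority 100 ptype main
"""

# Constructed sample of `ip xfrm state show`: only the SA towards 10.0.0.2
# (reqid 1) has been negotiated; key bytes are placeholders.
SAMPLE_STATE = """\
src 10.0.0.1 dst 10.0.0.2
	proto esp spi 0xc1a2b3c4 reqid 1 mode transport
	replay-window 32
	auth-trunc hmac(sha256) 0x00 128
	enc cbc(aes) 0x00
	sel src 10.0.0.1/32 dst 10.0.0.2/32
"""


def parse_records(dump):
    """Split an ip-xfrm dump into one whitespace-joined string per record.
    Records start with an unindented 'src ' line; continuation lines are indented."""
    records, cur = [], []
    for line in dump.splitlines():
        if line.startswith("src ") and cur:
            records.append(" ".join(cur))
            cur = []
        if line.strip():
            cur.append(line.strip())
    if cur:
        records.append(" ".join(cur))
    return records


def first_after(tokens, key, default=None):
    """Value following the first occurrence of a keyword (the selector's
    src/dst come before the template's, so 'first' is the right one)."""
    if key not in tokens:
        return default
    i = tokens.index(key)
    return tokens[i + 1] if i + 1 < len(tokens) else default


def parse_policies(dump):
    policies = []
    for rec in parse_records(dump):
        t = rec.split()
        policies.append({
            "src": ipaddress.ip_network(first_after(t, "src"), strict=False),
            "dst": ipaddress.ip_network(first_after(t, "dst"), strict=False),
            "dir": first_after(t, "dir"),
            "priority": int(first_after(t, "priority", "0")),
            "block": first_after(t, "action") == "block",
            "has_tmpl": "tmpl" in t,
            "reqid": int(first_after(t, "reqid")) if "reqid" in t else None,
            # "level use" is the ip-xfrm keyword for an optional template:
            # without an SA the packet is sent unprotected instead of dropped.
            "optional": first_after(t, "level") == "use",
        })
    return policies


def parse_states(dump):
    return [{"src": ipaddress.ip_address(first_after(t, "src")),
             "dst": ipaddress.ip_address(first_after(t, "dst")),
             "reqid": int(first_after(t, "reqid", "0"))}
            for t in (rec.split() for rec in parse_records(dump))]


def classify(dst_ip, policies, states):
    """What happens to a packet this host sends to dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    matching = [p for p in policies if p["dir"] == "out" and dst in p["dst"]]
    if not matching:
        return "clear"            # kernel default: no policy, leaves unprotected
    p = min(matching, key=lambda p: p["priority"])   # lower value wins in XFRM
    if p["block"]:
        return "blocked"
    if not p["has_tmpl"]:
        return "clear"            # explicit bypass policy
    if any(s["reqid"] == p["reqid"] for s in states):
        return "ipsec"            # policy plus negotiated SA (matched by reqid)
    return "clear" if p["optional"] else "pending"   # pending = fails closed


def audit(peers, policy_dump=None, state_dump=None):
    """Classify each peer; with no dumps given, read the live kernel tables."""
    if policy_dump is None:
        policy_dump = subprocess.run(["ip", "xfrm", "policy", "show"],
                                     capture_output=True, text=True, check=True).stdout
    if state_dump is None:
        state_dump = subprocess.run(["ip", "xfrm", "state", "show"],
                                    capture_output=True, text=True, check=True).stdout
    policies, states = parse_policies(policy_dump), parse_states(state_dump)
    return {ip: classify(ip, policies, states) for ip in peers}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:       # audit <peer-ip>...  reads the live kernel tables
        verdicts = audit(sys.argv[1:])
    else:                       # no arguments: run against the constructed samples
        verdicts = audit(["10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.9"],
                         SAMPLE_POLICY, SAMPLE_STATE)
    for ip, verdict in verdicts.items():
        print(f"{ip:>15}  {verdict}")
```

Run during the rollout with the list of subnet hosts as arguments (it needs permission to read the XFRM tables). Any peer reported as `pending` is the case the original poster wants to avoid: the upgraded host has already committed to IPsec for that peer and will not fall back to the clear, so such a policy should only be installed once the peer side is ready. The `clear` verdicts are the list of hosts still to be upgraded, and the expectation at the end of the rollout is that no peer in the subnet is reported as `clear`.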