[strongSwan] fail open mode for strongswan
trymes at rymes.com
Tue Feb 9 22:42:07 CET 2016
You could try setting up IPSec for only a portion of the subnet, using the subnet mask to limit which hosts use IPSec. Change the hosts within that portion of the subnet, then change the mask to include more hosts, set them to use IPSec, and keep going until the entire subnet is swapped over.
> On Feb 9, 2016, at 4:25 PM, Matthew Boedicker <mboedicker at pivotal.io> wrote:
> We want a policy which says try to use IPsec to all hosts in a subnet but fall back to clear communication if the other host doesn't support IPsec.
> This policy would be used to do a rolling deploy of strongSwan to an entire subnet with zero downtime. The hosts that get strongSwan still need to be able to talk to the hosts that have not been updated with strongSwan yet. When all hosts have strongSwan, then the insecure "mixed" mode would be turned off and IPsec would be required.
> It sounds like this setting may not exist because this is an atypical use case for strongSwan.
>> On Tue, Feb 9, 2016 at 11:52 AM, Andreas Steffen <andreas.steffen at strongswan.org> wrote:
>> Hi Matthew,
>> actually the default policy settings of the Linux kernel will
>> transmit all communications not matched by an IPsec policy in the
>> On 02/09/2016 07:23 PM, Matthew Boedicker wrote:
>> > Are there any configuration settings that can make strongswan "fail
>> > open" when in host-to-host transport mode? It would try to negotiate an
>> > encrypted connection but fall back to communicating in the clear if the
>> > encryption failed for some reason.
>> > Thanks.
>> Andreas Steffen andreas.steffen at strongswan.org
>> strongSwan - the Open Source VPN Solution! www.strongswan.org
>> Institute for Internet Technologies and Applications
>> University of Applied Sciences Rapperswil
>> CH-8640 Rapperswil (Switzerland)
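The staged widening suggested in the reply at the top of this message, as an added example (not part of the original thread and not strongSwan code): it lists which hosts each wider mask newly pulls under the IPsec policy, and which addresses inside a candidate mask have not been migrated yet. The subnet `192.0.2.0/24`, the starting prefix `/28`, and the function names are assumptions made for illustration.

```python
import ipaddress


def rollout_stages(subnet, first_prefix):
    """Return [(covered_network, newly_covered_hosts)], widening the mask one bit per stage."""
    net = ipaddress.ip_network(subnet)
    if not net.prefixlen <= first_prefix <= net.max_prefixlen:
        raise ValueError("first_prefix must lie inside the subnet")
    usable = list(net.hosts())
    stages, seen = [], set()
    # Prefix length shrinks (mask widens) until it equals the full subnet.
    for plen in range(first_prefix, net.prefixlen - 1, -1):
        covered = ipaddress.ip_network((net.network_address, plen))
        new = [h for h in usable if h in covered and h not in seen]
        seen.update(new)
        stages.append((covered, new))
    return stages


def blockers(covered, migrated, subnet):
    """Hosts inside the candidate mask that do not run IPsec yet.

    Widening the policy to `covered` while this list is non-empty would put
    those hosts behind a policy they cannot negotiate.
    """
    net = ipaddress.ip_network(subnet)
    cov = ipaddress.ip_network(covered)
    done = {ipaddress.ip_address(m) for m in migrated}
    return [h for h in net.hosts() if h in cov and h not in done]


if __name__ == "__main__":
    SUBNET = "192.0.2.0/24"  # constructed sample range
    for covered, new in rollout_stages(SUBNET, 28):
        print(f"{covered}: migrate {len(new)} hosts ({new[0]} .. {new[-1]}) first")
    # Constructed state: .1 to .14 are migrated, .15 is not.
    migrated = [f"192.0.2.{i}" for i in range(1, 15)]
    print("not ready for /28:", blockers("192.0.2.0/28", migrated, SUBNET))
```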