Opportunistic Encryption is the process of encrypting connections whenever they can be.
OE uses the Internet Key Exchange (IKE) and IPsec protocols. The objective is to allow encryption for secure communication without any pre-arrangement specific to the pair of systems involved. DNS is used to distribute the public keys of each system involved. This is resistant to passive attacks. The use of DNS Security (DNSSEC) secures this system against active attackers as well.
As a result, the administrative overhead is reduced from the square of the number of systems to a linear dependence, and it becomes possible to make secure communication the default even when the partner is not known in advance.
There a detailed technical description of the process, which is now available RFC4322. ftp://ftp.isi.edu/in-notes/rfc4322.txt. Comments on this document at http://www.rfc4322.org. Another copy of the document, and the history is at: http://www.sandelman.ca/SSW/freeswan/oeid/
There is a Quickstart guide.
There is a system you can test against at http://oetest.freeswan.org/
How to Turn off OpportunisticEncryption.
