[strongSwan] strongswan and FIPS

Sach K sacho.polo at gmail.com
Mon Apr 19 09:05:25 CEST 2021


Hello,

I had a few questions about strongSwan and FIPS mode. Some of the earlier
discussions and threads on the subject have been a great help, but I need
help with some clarifications. Your help would be greatly appreciated.

1. We use version 5.1.3 of strongSwan with a few patches from later. Would
there be any advantages (related to FIPS compliance) in moving to a more
recent version? I understand moving to higher versions is better in a
general sense, but for FIPS - would it matter?

2. I was able to get our version to compile with FIPS mode 2, and was able
to replace the ALG usage in IKE (as seen in ipsec listalgs) to use the openssl
plugin. This plugin would use the underlying openssl library on the system,
and that openssl library is FIPS compatible and has the FIPS object module
for openssl installed. Would that be sufficient to say we are running
strongSwan in FIPS mode? The strongSwan libraries that implement crypto and
hmac are not compiled and packaged. We want to get everything from openssl.

3. Are there any other crypto implementations in strongSwan that cannot be
turned off by autoconf compile flags?

4. Even when compiled in FIPS mode, I noticed that MD4, MD5, modp768 and
such are listed in ipsec stroke listalgs. To disable them, I had to pass in
the appropriate OPENSSL #ifdef compile flags via CFLAGS during compilation.
Is there a better way to do this, if I want to turn off the non-FIPS-compliant
weaker algs?

5. Is there a difference between IKEv1 and IKEv2 compliance when it comes
to FIPS? Canonical's FIPS document for strongSwan at NIST only mentions
IKEv2. I read that FIPS needs 128-bit keys and such, and since IKEv1 can
support 8-byte (64-bit) nonces, would IKEv1 be considered incompatible?
Since strongSwan uses 32-byte nonces, would that be considered compliant
for FIPS?

Thank you for reading this. Any help with the answers would be greatly
appreciated.

regards,
sk
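
A check for questions 2 and 4 above, as an added example that is not part of the original post or of strongSwan's code: it parses `ipsec listalgs` output and reports every algorithm registered by a plugin other than openssl, plus the algorithms the post names as weak (MD4, MD5, modp768). The sample output is constructed, and `audit_listalgs` and its deny-list are illustrative assumptions, not a FIPS-approved list.

```python
import re

# Constructed sample in the layout printed by `ipsec listalgs`
# (category label, then ALGORITHM[plugin] tokens); not from the poster's system.
SAMPLE_LISTALGS = """\
List of registered IKE algorithms:

  encryption: AES_CBC[openssl] AES_GCM_16[openssl] 3DES_CBC[des]
  integrity:  HMAC_SHA2_256_128[openssl] HMAC_MD5_96[openssl]
  hasher:     HASH_SHA256[openssl] HASH_MD4[openssl] HASH_MD5[md5]
  prf:        PRF_HMAC_SHA2_256[openssl] PRF_HMAC_MD5[hmac]
  dh-group:   MODP_2048[openssl] MODP_768[openssl] ECP_256[openssl]
  random-gen: RNG_STRONG[random]
"""

# One registered algorithm: NAME[plugin]
TOKEN = re.compile(r"([A-Z0-9_]+)\[([^\]]+)\]")

# Assumption: deny-list holds only the algorithms named in the post
# (MD4, MD5, modp768); extend it to match your own FIPS policy.
WEAK = re.compile(r"(^|_)(MD4|MD5)(_|$)|^MODP_768$")


def audit_listalgs(text, required_plugin="openssl"):
    """Return (category, algorithm, plugin, reason) for every finding."""
    findings = []
    for line in text.splitlines():
        label, sep, rest = line.strip().partition(":")
        if not sep or not rest.strip():
            continue  # blank line or the "List of registered ..." header
        for name, plugin in TOKEN.findall(rest):
            if WEAK.search(name):
                findings.append((label, name, plugin, "weak algorithm"))
            if plugin != required_plugin:
                findings.append((label, name, plugin, "foreign plugin"))
    return findings


if __name__ == "__main__":
    for category, name, plugin, reason in audit_listalgs(SAMPLE_LISTALGS):
        print(f"{reason:15} {category:11} {name}[{plugin}]")
```

On a real system, pass the captured output of `ipsec listalgs` to `audit_listalgs` instead of the sample; an empty result means every listed algorithm comes from the openssl plugin and none match the deny-list.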