[Swan-dev] FIPS Behavior Question

Kavinda Wewegama kavinda.wewegama at forcepoint.com
Sat May 1 02:05:18 UTC 2021

On 4/27/2021 8:08 PM, Paul Wouters wrote:
> On Tue, 27 Apr 2021, Wewegama, Kavinda wrote:
>> When FIPS is enabled, how does it affect Libreswan behavior besides 
>> enforcing certain cryptographic properties/restrictions?
> That should be the only difference. If something is rejected because of
> FIPS, there will be a clear log message about it.
>> The reason I ask is because I am noticing child/IPsec SAs getting 
>> unsynchronized between tunnel endpoints if FIPS is enabled and SELinux
>> Enforcing is turned on. In the past, I didn’t have issues with either 
>> FIPS by itself or with SELinux Enforcing by itself, but the
>> combination isn’t working well.
> That does not sound like a FIPS related problem with libreswan if you
> don't see clearly logged reasons of issues? Is there perhaps other FIPS
> restrictions that might be affecting the system from other components?

The issue wasn't FIPS related per se but tended to manifest more easily 
with FIPS enabled: https://github.com/libreswan/libreswan/issues/441

My hypothesis for why I observed this behavior with FIPS enabled is 
because enabling it triggers more chrony traffic which was not 
permitted, i.e. pluto's SELinux domain did not have `setcontext` 
permission against `chronyc_t`. But I don't have a way to confirm this.


> Paul

More information about the Swan-dev mailing list