[Swan] Opportunistic encryption on a secondary interface
Paul Wouters
paul at nohats.ca
Thu Nov 30 17:01:05 UTC 2017
On Thu, 30 Nov 2017, Matt Hilt wrote:
> Perhaps I found my issue. These lines are in my logs:
> Nov 30 10:25:57: FIPS: ignored negotiationshunt=passthrough - packets MUST be blocked in FIPS mode
> Nov 30 10:25:57: FIPS: ignored failureshunt=passthrough - packets MUST be blocked in FIPS mode
>
> I assume this means there can be no failover at all in FIPS mode?
Ohh, you are in FIPS mode...
FIPS mode does not allow a fail-open tunnel. You have an interesting
case here though.....
> Or I need to add the unconfigured hosts to my clear policy at least temporarily
> to get what I am after?
That would be one way of temporarily fixing it, yes. In FIPS, you really
only have clear and private, and private-or-clear and clear-or-private
do not make much sense. Although some of this might depend on the FIPS
lab and NIST person you are talking to.
Paul
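The following is an added example, not code from the thread or from libreswan. It turns the reasoning above into a small audit script: it picks the "FIPS: ignored ...shunt=passthrough" lines out of pluto log output, reads the kernel's FIPS flag, and reports which opportunistic-encryption policy groups lose their fallback to clear (and therefore fail closed) when passthrough shunts are blocked. The sample log lines and policy contents are constructed for the example; the group file names follow libreswan's /etc/ipsec.d/policies layout, and the "mixed groups collapse to private" mapping is the conclusion drawn in the reply, not documented libreswan behaviour.

```python
import re
from pathlib import Path

# Constructed pluto log lines, modelled on the two quoted in the thread.
SAMPLE_LOG = """\
Nov 30 10:25:57: FIPS: ignored negotiationshunt=passthrough - packets MUST be blocked in FIPS mode
Nov 30 10:25:57: FIPS: ignored failureshunt=passthrough - packets MUST be blocked in FIPS mode
Nov 30 10:25:58: loading group "/etc/ipsec.d/policies/private-or-clear"
"""

# Constructed contents of the OE policy group files (one CIDR per line in
# the real files). The networks here are assumptions for the example.
SAMPLE_POLICIES = {
    "clear": ["10.0.0.0/8"],
    "private": ["192.168.1.0/24"],
    "private-or-clear": ["0.0.0.0/0"],
    "clear-or-private": [],
}

# Groups whose semantics depend on a passthrough (fail-open) shunt.
MIXED_GROUPS = ("private-or-clear", "clear-or-private")

IGNORED_SHUNT_RE = re.compile(r"FIPS: ignored (\w+shunt)=passthrough")


def ignored_shunts(log_text):
    """Shunt keywords that pluto reported as ignored because of FIPS mode."""
    return sorted({m.group(1) for m in IGNORED_SHUNT_RE.finditer(log_text)})


def fips_enabled(flag_path="/proc/sys/crypto/fips_enabled"):
    """Read the kernel FIPS flag; treat a missing file as FIPS off."""
    try:
        return Path(flag_path).read_text().strip() == "1"
    except OSError:
        return False


def effective_policy(group, fips):
    """Behaviour a packet actually gets for a configured OE group.

    Assumption taken from the reply: with passthrough shunts blocked, the
    '-or-clear' fallback can never be installed, so both mixed groups
    behave like 'private' (no tunnel means no traffic).
    """
    if fips and group in MIXED_GROUPS:
        return "private"
    return group


def load_policies(policy_dir="/etc/ipsec.d/policies"):
    """Read the group files; falls back to the constructed sample if absent."""
    base = Path(policy_dir)
    if not base.is_dir():
        return dict(SAMPLE_POLICIES)
    groups = {}
    for name in ("clear", "private") + MIXED_GROUPS:
        f = base / name
        lines = f.read_text().splitlines() if f.is_file() else []
        groups[name] = [l.strip() for l in lines
                        if l.strip() and not l.startswith("#")]
    return groups


def fail_closed_networks(policies, fips):
    """Networks that were configured with a clear fallback but will not get one."""
    lost = []
    for group, nets in policies.items():
        if effective_policy(group, fips) != group:
            lost.extend(nets)
    return lost


def exempt_to_clear(policies, nets):
    """The temporary workaround from the reply: move hosts into 'clear'.

    Returns a new mapping; note these hosts then get no encryption at all.
    """
    updated = {g: list(n) for g, n in policies.items()}
    for net in nets:
        if net not in updated["clear"]:
            updated["clear"].append(net)
    return updated


if __name__ == "__main__":
    fips = fips_enabled()
    print("FIPS mode:", fips)
    print("shunts ignored in sample log:", ignored_shunts(SAMPLE_LOG))
    policies = load_policies()
    for net in fail_closed_networks(policies, fips):
        print("will fail closed (no clear fallback):", net)
```

Run it on the libreswan host: if the kernel flag is set and the audit lists networks, either move the hosts you must reach into the clear group for now, as suggested above, or accept that traffic to them is blocked until they are configured for IPsec.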