[Swan] new user, FIPS seems to be an issue

Paul Wouters paul at nohats.ca
Tue Jun 15 19:57:08 UTC 2021


On Tue, 15 Jun 2021, Kozikowski, Mark wrote:

> I am a new user, and am trying to configure and run a libreswan Mesh instance.

Welcome :)

> Right now I have two nodes, and each is configured using the no-authorization setup as shown from the Libreswan wiki.
> 
> I am using the exact ipsec.conf file from the wiki, except I am only using the clear-or-private:
> 
> https://raw.githubusercontent.com/libreswan/libreswan/master/docs/examples/oe-upgrade-authnull.conf
> 
> My problem seems to be related to FIPS.
> 
> I noticed that /var/log/secure is stating that FIPS requires negotiationshunt and failureshunt to be dropped.
> 
> I believe that this is causing no communication between the two nodes.

The authby=null setting is not allowed in FIPS mode. FIPS requires
proper authentication of peers before it is allowed to send any
encrypted traffic.

You should probably use the certificate based OE/mesh setup, eg:

https://libreswan.org/wiki/HOWTO:_Enterprise_cloud_encryption
https://libreswan.org/wiki/HOWTO:_Opportunistic_IPsec

In such a setup, each node has its own certificate and all nodes share
the same trusted root certificate CA. So you can still add nodes to
the mesh without reconfiguring all other nodes, since existing nodes
and new nodes all share the same root of trust via their certificates.

Note that FIPS does not allow negotiationshunt=pass. That is, during the
IKE negotiation, it is not possible to "leak" the traffic until the
IPsec tunnel comes up. That can only be done in non-FIPS mode.

Paul
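As an added example, not from this thread or from libreswan itself: a small lint that parses an ipsec.conf in libreswan's conn / key=value layout, resolves also= references, and flags the settings this reply says FIPS mode refuses (authby=null and the passing negotiation/failure shunts, which libreswan spells as passthrough). The sample configuration is constructed here, the rule table is built only from the reply, and it is my assumption that a conn's own keys override keys pulled in via also=.

```python
# Settings the reply says FIPS mode refuses (rule table constructed for this check).
FIPS_BLOCKED = {"authby": lambda v: "null" in v.split(","),
                "negotiationshunt": lambda v: v == "passthrough",
                "failureshunt": lambda v: v == "passthrough"}

def parse_ipsec_conf(text):
    """Return {'conn NAME' / 'config setup': {key: value}}; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():              # section headers sit at column 0
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        elif current is not None:             # indented key=value lines
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections

def effective(sections, name, seen=()):
    """Merge also= references (assumption: the conn's own keys win over included ones)."""
    own, merged = sections.get(f"conn {name}", {}), {}
    for ref in own.get("also", "").split():
        if ref not in seen:                   # skip also= cycles
            merged.update(effective(sections, ref, (*seen, ref)))
    merged.update({k: v for k, v in own.items() if k != "also"})
    return merged

def fips_violations(text):
    """Return [(conn, key, value)] for every effective setting FIPS rejects."""
    sections, found = parse_ipsec_conf(text), []
    for name in [s[5:] for s in sections if s.startswith("conn ")]:
        for key, value in effective(sections, name).items():
            if key in FIPS_BLOCKED and FIPS_BLOCKED[key](value):
                found.append((name, key, value))
    return found

# Constructed sample in the style of the authnull OE example, not the wiki's file.
SAMPLE_CONF = """\
conn clear-or-private
\tauthby=null                 # anonymous peers: rejected in FIPS mode
\tnegotiationshunt=passthrough
\tfailureshunt=passthrough

conn private
\talso=clear-or-private
\tauthby=rsasig               # overrides the null auth pulled in via also=
\tfailureshunt=drop
"""
```

fips_violations(SAMPLE_CONF) reports all three settings of clear-or-private and, for private, only the negotiationshunt it inherits through also=.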

