RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.

STIG ID: RHEL-09-671020  |  SRG: SRG-OS-000033-GPOS-00014 | Severity: medium |  CCI: CCI-000068

Vulnerability Discussion

Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

Check

Verify that the IPsec service uses the system crypto policy with the following command:

Note: If the ipsec service is not installed, this requirement is Not Applicable.

$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf

/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config

If the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.

Fix

Configure Libreswan to use the system cryptographic policy.

Add the following line to "/etc/ipsec.conf":

include /etc/crypto-policies/back-ends/libreswan.config
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.