RHEL 9 IP tunnels must use FIPS 140-2/140-3 approved cryptographic algorithms.

STIG ID: RHEL-09-671020  |  SRG: SRG-OS-000033-GPOS-00014 |  Severity: medium |  CCI: CCI-000068 |  Vulnerability Id: V-258232

Vulnerability Discussion

Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

Check

Verify that the IPsec service uses the system crypto policy with the following command:

Note: If the ipsec service is not installed, this requirement is Not Applicable.

$ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf

/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config

If the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.

Fix

Configure Libreswan to use the system cryptographic policy.

Add the following line to "/etc/ipsec.conf":

include /etc/crypto-policies/back-ends/libreswan.config