highsystemunverified
Ensure Libreswan IPsec uses the system crypto policy
ipsec-crypto-policy · RHEL ≥ 8 · 1 impl
Description
If Libreswan (IPsec) is installed, /etc/ipsec.conf (or an included file) must include /etc/crypto-policies/back-ends/libreswan.config so IPsec tunnels use FIPS-approved algorithms.
Rationale
IPsec that does not inherit the system crypto policy may negotiate weak, non-FIPS algorithms, undermining tunnel confidentiality and integrity.
Check → Remediate
Checkcommand
if ! rpm -q libreswan >/dev/null 2>&1 && [ ! -f /etc/ipsec.conf ]; then
echo "NOT APPLICABLE: Libreswan/IPsec not installed"
exit 0
fi
if grep -rhqE '^\s*include\s+/etc/crypto-policies/back-ends/libreswan\.config' \
/etc/ipsec.conf /etc/ipsec.d/*.conf 2>/dev/null; then
echo "OK: IPsec includes the system crypto policy back-end"
exit 0
fi
echo "FAIL: /etc/crypto-policies/back-ends/libreswan.config not included"
exit 1
- expected_exit:
- 0
Remediatemanual
- note:
- Add to /etc/ipsec.conf: include /etc/crypto-policies/back-ends/libreswan.config
Framework references
STIG
V-281014 / RHEL-10-300070V-258232 / RHEL-09-671020V-279930 / RHEL-08-010280
NIST 800-53
AC-17(2)
#ipsec#libreswan#crypto-policy#fips#stig