← Rules Catalog
highsystemunverified

Ensure Libreswan IPsec uses the system crypto policy

ipsec-crypto-policy · RHEL ≥ 8 · 1 impl

Description

If Libreswan (IPsec) is installed, /etc/ipsec.conf (or an included file) must include /etc/crypto-policies/back-ends/libreswan.config so IPsec tunnels use FIPS-approved algorithms.

Rationale

IPsec that does not inherit the system crypto policy may negotiate weak, non-FIPS algorithms, undermining tunnel confidentiality and integrity.

Check → Remediate

Checkcommand
if ! rpm -q libreswan >/dev/null 2>&1 && [ ! -f /etc/ipsec.conf ]; then
  echo "NOT APPLICABLE: Libreswan/IPsec not installed"
  exit 0
fi
if grep -rhqE '^\s*include\s+/etc/crypto-policies/back-ends/libreswan\.config' \
     /etc/ipsec.conf /etc/ipsec.d/*.conf 2>/dev/null; then
  echo "OK: IPsec includes the system crypto policy back-end"
  exit 0
fi
echo "FAIL: /etc/crypto-policies/back-ends/libreswan.config not included"
exit 1
expected_exit:
0
Remediatemanual
note:
Add to /etc/ipsec.conf: include /etc/crypto-policies/back-ends/libreswan.config

Framework references

STIG

V-281014 / RHEL-10-300070V-258232 / RHEL-09-671020V-279930 / RHEL-08-010280

NIST 800-53

AC-17(2)
#ipsec#libreswan#crypto-policy#fips#stig