IPsec and IKEv2 as FIPS 140 Consumers

IP Security Architecture (IPsec) provides cryptographic protection for IP packets in IPv4 and IPv6 networks. Internet Key Management (IKE) provides automated key management for IPsec. In Oracle Solaris, IPsec is a consumer of the kernel Cryptographic Framework and IKE version 2 (IKEv2) is a consumer of the userland Cryptographic Framework. As the IPsec and IKE administrator, you are responsible for using IKEv2 with IPsec and for choosing FIPS 140 algorithms that are validated for Oracle Solaris.

Examples of Enabling IPsec and IKEv2 in FIPS 140 Mode

You use the ipsecconf, ipseckey, and ikev2cert commands with FIPs-validated algorithms to configure IPsec and IKEv2 in FIPS 140 mode.

• In the following excerpt from an ipsecconf file, aes-ccm(256) is a FIPS 140-validated algorithm:

      {laddr machine1 raddr machine2} ipsec {encr_algs aes-ccm(256) sa shared}

• The following excerpt from an ikev2cert command generates a certificate request with the FIPS 140-validated ECC algorithm, using curve secp521r1 and hash sha512:

      # ikev2cert gencsr label=FIPSokcsr \
      subject="C=Country, O=Company\, Inc., OU=CompanyServer, CN=Server" \
      keytype=ec curve=secp521r1 hash=sha512 \
      outcsr=/tmp/FIPSokcsr

• In the following excerpt from an ikev2.config file, the AES algorithms in CBC mode with key lengths from 192 to 256 and sha384 are FIPS 140-validated algorithms:

      ikesa_xform { encr_alg aes(192..256) auth_alg sha384 dh_group 20 }

See also:

• How to Use IPsec to Protect Web Server Communication With Other Servers in Securing the Network in Oracle Solaris 11.2

• How to Configure IKEv2 With Self-Signed Public Key Certificates in Securing the Network in Oracle Solaris 11.2

• How to Generate and Store Public Key Certificates for IKEv2 in Hardware in Securing the Network in Oracle Solaris 11.2

• ipsecconf(1M), ikev2cert(1M), ikev2.config(4), and pktool(1) man pages