IP Security Architecture (IPsec) provides cryptographic protection for IP packets in IPv4 and IPv6 networks. Internet Key Management (IKE) provides automated key management for IPsec. In Oracle Solaris, IPsec is a consumer of the kernel Cryptographic Framework and IKE version 2 (IKEv2) is a consumer of the userland Cryptographic Framework. As the IPsec and IKE administrator, you are responsible for using IKEv2 with IPsec and for choosing FIPS 140 algorithms that are validated for Oracle Solaris.
You use the ipsecconf, ipseckey, and ikev2cert commands with FIPS 140-validated algorithms to configure IPsec and IKEv2 in FIPS 140 mode.
In the following excerpt from an ipsecconf file, aes-ccm(256) is a FIPS 140-validated algorithm:
{laddr machine1 raddr machine2} ipsec {encr_algs aes-ccm(256) sa shared}
The following excerpt from an ikev2cert command generates a certificate request with the FIPS 140-validated ECC algorithm, using curve secp521r1 and hash sha512:
# ikev2cert gencsr label=FIPSokcsr \
    subject="C=Country, O=Company\, Inc., OU=CompanyServer, CN=Server" \
    keytype=ec curve=secp521r1 hash=sha512 \
    outcsr=/tmp/FIPSokcsr
In the following excerpt from an ikev2.config file, the AES algorithms in CBC mode with key lengths from 192 to 256 and sha384 are FIPS 140-validated algorithms:
ikesa_xform { encr_alg aes(192..256) auth_alg sha384 dh_group 20 }
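The following added example, which is not part of the Oracle Solaris documentation or tooling, checks the encr_algs, encr_alg, and auth_alg values in ipsecconf and ikev2.config excerpts against an allow-list before the files are deployed. The allow-list is an assumption seeded only from the algorithms named on this page, and the third sample line is constructed; the function and variable names are hypothetical.

```python
import re

# Assumption: allow-list seeded only from the algorithms this page names.
# Replace it with the list validated for your Oracle Solaris release.
ALLOWED = {
    "encr": {"aes-ccm": (256, 256), "aes": (192, 256)},  # (min, max) key bits
    "auth": {"sha384": None},                            # None: no key length
}
KEYWORD_CLASS = {"encr_algs": "encr", "encr_alg": "encr", "auth_alg": "auth"}

# Matches "keyword name", "keyword name(256)" and "keyword name(192..256)".
SPEC = re.compile(
    r"\b(encr_algs|encr_alg|auth_alg)\s+([A-Za-z0-9-]+)"
    r"(?:\((\d+)(?:\.\.(\d+))?\))?"
)

def check(text):
    """Return (line_no, keyword, spec, reason) for each spec outside ALLOWED."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):        # skip comment lines
            continue
        for m in SPEC.finditer(line):
            keyword, name, lo, hi = m.groups()
            spec = m.group(0).split(None, 1)[1]  # text after the keyword
            allowed = ALLOWED[KEYWORD_CLASS[keyword]]
            if name not in allowed:
                findings.append((line_no, keyword, spec, "algorithm not in allow-list"))
            elif allowed[name] is not None:
                low, high = allowed[name]
                if lo is None:                   # checker policy: require explicit size
                    findings.append((line_no, keyword, spec, "key length not pinned"))
                elif int(lo) < low or int(hi or lo) > high:
                    findings.append((line_no, keyword, spec,
                                     f"key length outside {low}..{high}"))
    return findings

# Lines 1-2 are the excerpts from this page; line 3 is constructed for the demo.
SAMPLE = """\
{laddr machine1 raddr machine2} ipsec {encr_algs aes-ccm(256) sa shared}
ikesa_xform { encr_alg aes(192..256) auth_alg sha384 dh_group 20 }
ikesa_xform { encr_alg aes(128..256) auth_alg sha1 dh_group 20 }
"""

if __name__ == "__main__":
    for line_no, keyword, spec, reason in check(SAMPLE):
        print(f"line {line_no}: {keyword} {spec}: {reason}")
```

A finding means only that the value is absent from the allow-list you supplied, so the result is as accurate as that list.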
See also:
ipsecconf(1M), ikev2cert(1M), ikev2.config(4), and pktool(1) man pages