Securing the Network in Oracle® Solaris 11.3

Updated: April 2019
 
 

IPsec and FIPS 140-2

On a FIPS 140-2 enabled system, you are responsible for choosing only FIPS 140-2 approved algorithms when creating certificates and configuring IPsec. The procedures and examples in this guide use FIPS 140-2 approved algorithms except when the algorithm "any" is specified.


Note - If you have a strict requirement to use only FIPS 140-2 validated cryptography, you must be running the Oracle Solaris 11.3 SRU 5.6 release. Oracle completed a FIPS 140-2 validation against the Cryptographic Framework in this specific release. Later releases build on this validated foundation and include software improvements that address performance, functionality, and reliability. Whenever possible, you should configure Oracle Solaris in FIPS 140-2 mode to take advantage of these improvements.

The following mechanisms are available to IPsec and approved for use in Oracle Solaris in FIPS 140-2 mode:

  • AES in CBC, CCM, and GCM modes in 128-bit to 256-bit key lengths

  • 3DES

  • SHA1

  • SHA2 in 256-bit to 512-bit key lengths

For the definitive list of FIPS 140-2 approved algorithms for Oracle Solaris, follow the links in FIPS 140-2 Level 1 Guidance Documents for Oracle Solaris Systems in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3.
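Because the choice of approved algorithms is left to the administrator, a policy file can be checked against the list above before it is loaded. The following is an added example, not part of the Oracle guide: it scans IPsec policy text for the `encr_algs`, `encr_auth_algs`, and `auth_algs` properties and reports values that are `any`, that are not in the list above, or that give an AES key length outside 128-256 bits. The algorithm name spellings in `APPROVED`, the function names, and the sample policy are assumptions constructed for the example.

```python
import re

# Mechanisms the page lists as approved for IPsec in FIPS 140-2 mode.
# The ipsecconf-style spellings below are assumptions of this example.
APPROVED = {
    "aes", "aes-cbc", "aes-ccm", "aes-gcm", "3des", "3des-cbc",
    "sha1", "hmac-sha1", "sha256", "hmac-sha256",
    "sha384", "hmac-sha384", "sha512", "hmac-sha512",
}
# Algorithm properties in a policy entry, each followed by one value.
PAIR = re.compile(r"\b(encr_auth_algs|encr_algs|auth_algs)\s+([^\s{}]+)")
# An algorithm name with an optional key-length spec, e.g. aes(128..256).
VALUE = re.compile(r"([A-Za-z0-9-]+)(?:\(([^)]*)\))?$")

def audit_policy(text):
    """Return (line, property, value, reason) for each setting to review."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments
        for key, value in PAIR.findall(line):
            reason = check_value(value)
            if reason:
                findings.append((lineno, key, value, reason))
    return findings

def check_value(value):
    """Return a reason string if the value needs review, else None."""
    m = VALUE.match(value)
    if not m:
        return "unrecognized algorithm syntax"
    name, keyspec = m.group(1).lower(), m.group(2) or ""
    if name == "any":
        return "'any' does not restrict the choice to an approved algorithm"
    if name not in APPROVED:
        return "not in the approved list"
    bits = [int(n) for n in re.findall(r"\d+", keyspec)]
    if name.startswith("aes") and any(b < 128 or b > 256 for b in bits):
        return "AES key length outside 128-256 bits"
    return None

# Constructed sample policy, not taken from the guide.
SAMPLE = """\
# constructed entries using documentation addresses
{laddr 192.0.2.1 raddr 192.0.2.2} ipsec {encr_algs aes(256) encr_auth_algs sha512 sa shared}
{raddr 192.0.2.3} ipsec {encr_algs blowfish encr_auth_algs md5 sa shared}
{raddr 192.0.2.4} ipsec {encr_algs any encr_auth_algs sha256 sa shared}
{raddr 192.0.2.5} ipsec {auth_algs sha1 sa shared}
"""

if __name__ == "__main__":
    for lineno, key, value, reason in audit_policy(SAMPLE):
        print("line {}: {} {}: {}".format(lineno, key, value, reason))
```

The check covers only the algorithm names in policy text; the definitive approved list remains the guidance documents referenced above.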