Using a FIPS 140 Enabled System in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

IPsec and IKEv2 as FIPS 140 Consumers

IP Security Architecture (IPsec) provides cryptographic protection for IP packets in IPv4 and IPv6 networks. Internet Key Management (IKE) provides automated key management for IPsec. In Oracle Solaris, IPsec is a consumer of the kernel Cryptographic Framework and IKE version 2 (IKEv2) is a consumer of the userland Cryptographic Framework. As the IPsec and IKE administrator, you are responsible for using IKEv2 with IPsec and for choosing FIPS 140 algorithms that are validated for Oracle Solaris.

Note -  IKE version 1, IKEv1, uses algorithms that are not validated for FIPS 140 mode and therefore IKEv1 cannot run in FIPS 140 mode.

Examples of Enabling IPsec and IKEv2 in FIPS 140 Mode

    You use the ipsecconf, ipseckey, and ikev2cert commands with FIPs-validated algorithms to configure IPsec and IKEv2 in FIPS 140 mode.

  • In the following excerpt from an ipsecconf file, aes-ccm(256) is a FIPS 140-validated algorithm:

        {laddr machine1 raddr machine2} ipsec {encr_algs aes-ccm(256) sa shared}
  • The following excerpt from an ikev2cert command generates a certificate request with the FIPS 140-validated ECC algorithm, using curve secp521r1 and hash sha512:

        # ikev2cert gencsr label=FIPSokcsr \
        subject="C=Country, O=Company\, Inc., OU=CompanyServer, CN=Server" \
        keytype=ec curve=secp521r1 hash=sha512 \
  • In the following excerpt from an ikev2.config file, the AES algorithms in CBC mode with key lengths from 192 to 256 and sha384 are FIPS 140-validated algorithms:

        ikesa_xform { encr_alg aes(192..256) auth_alg sha384 dh_group 20 }