IPsec and IKEv2 as FIPS 140-2 Consumers

IP Security Architecture (IPsec) provides cryptographic protection for IP packets in IPv4 and IPv6 networks. Internet Key Management (IKE) provides automated key management for IPsec. In Oracle Solaris, IPsec is a consumer of the kernel Cryptographic Framework and IKE version 2 (IKEv2) is a consumer of the userland Cryptographic Framework. As the IPsec and IKE administrator, you are responsible for using IKEv2 with IPsec and for choosing FIPS 140-2 algorithms that are validated for Oracle Solaris.

Note:

IKEv1 does not use cryptographic algorithms that are validated for FIPS 140-2. Therefore, IKEv1 should not be used on a system that is running in FIPS 140-2 mode.

To ensure that IPsec and IKEv2 run in FIPS 140-2 mode, you must specify FIPS 140-2 algorithms after booting into an Oracle Solaris system where FIPS 140-2 mode is enabled. You are responsible for using FIPS 140-2 algorithms in IPsec and IKEv2 configuration files, and for key types and hash types for certificates and certificate signing requests (CSRs) that you generate with the ikev2cert command. For a summary list, see IPsec and FIPS 140-2 in Securing the Network in Oracle Solaris 11.4. For the full list of validated algorithms, review FIPS 140-2 Algorithms in the Cryptographic Framework.
