5.8. 部署符合 FIPS 的 IPsec VPN

流程

1. 安装 libreswan 软件包：

   # yum install libreswan

   Copy to Clipboard Toggle word wrap

2. 如果您要重新安装 Libreswan，请删除其旧的 NSS 数据库：

   # systemctl stop ipsec
   # rm /etc/ipsec.d/*db

   Copy to Clipboard Toggle word wrap

3. 启动 ipsec 服务，并启用该服务，以便其在引导时自动启动：

   # systemctl enable ipsec --now

   Copy to Clipboard Toggle word wrap

4. 通过添加 ipsec 服务，将防火墙配置为允许 IKE、ESP 和 AH 协议的 500 和 4500 UDP 端口：

   # firewall-cmd --add-service="ipsec"
   # firewall-cmd --runtime-to-permanent

   Copy to Clipboard Toggle word wrap

5. 将系统切换到 FIPS 模式：

   # fips-mode-setup --enable

   Copy to Clipboard Toggle word wrap

6. 重启您的系统以允许内核切换到 FIPS 模式：

   # reboot

   Copy to Clipboard Toggle word wrap

验证

1. 确认 Libreswan 是否在 FIPS 模式下运行：

   # ipsec whack --fipsstatus
   000 FIPS mode enabled

   Copy to Clipboard Toggle word wrap

2. 或者，检查 systemd 日志中的 ipsec 单元条目：

   $ journalctl -u ipsec
   ...
   Jan 22 11:26:50 localhost.localdomain pluto[3076]: FIPS Product: YES
   Jan 22 11:26:50 localhost.localdomain pluto[3076]: FIPS Kernel: YES
   Jan 22 11:26:50 localhost.localdomain pluto[3076]: FIPS Mode: YES

   Copy to Clipboard Toggle word wrap

3. 以 FIPS 模式查看可用算法：

   # ipsec pluto --selftest 2>&1 | head -11
   FIPS Product: YES
   FIPS Kernel: YES
   FIPS Mode: YES
   NSS DB directory: sql:/etc/ipsec.d
   Initializing NSS
   Opening NSS database "sql:/etc/ipsec.d" read-only
   NSS initialized
   NSS crypto library initialized
   FIPS HMAC integrity support [enabled]
   FIPS mode enabled for pluto daemon
   NSS library is running in FIPS mode
   FIPS HMAC integrity verification self-test passed

   Copy to Clipboard Toggle word wrap

4. 使用 FIPS 模式查询禁用的算法：

   # ipsec pluto --selftest 2>&1 | grep disabled
   Encryption algorithm CAMELLIA_CTR disabled; not FIPS compliant
   Encryption algorithm CAMELLIA_CBC disabled; not FIPS compliant
   Encryption algorithm SERPENT_CBC disabled; not FIPS compliant
   Encryption algorithm TWOFISH_CBC disabled; not FIPS compliant
   Encryption algorithm TWOFISH_SSH disabled; not FIPS compliant
   Encryption algorithm NULL disabled; not FIPS compliant
   Encryption algorithm CHACHA20_POLY1305 disabled; not FIPS compliant
   Hash algorithm MD5 disabled; not FIPS compliant
   PRF algorithm HMAC_MD5 disabled; not FIPS compliant
   PRF algorithm AES_XCBC disabled; not FIPS compliant
   Integrity algorithm HMAC_MD5_96 disabled; not FIPS compliant
   Integrity algorithm HMAC_SHA2_256_TRUNCBUG disabled; not FIPS compliant
   Integrity algorithm AES_XCBC_96 disabled; not FIPS compliant
   DH algorithm MODP1024 disabled; not FIPS compliant
   DH algorithm MODP1536 disabled; not FIPS compliant
   DH algorithm DH31 disabled; not FIPS compliant

   Copy to Clipboard Toggle word wrap

5. 在 FIPS 模式中列出所有允许的算法和密码：

   # ipsec pluto --selftest 2>&1 | grep ESP | grep FIPS | sed "s/^.*FIPS//"
   {256,192,*128}  aes_ccm, aes_ccm_c
   {256,192,*128}  aes_ccm_b
   {256,192,*128}  aes_ccm_a
   [*192]  3des
   {256,192,*128}  aes_gcm, aes_gcm_c
   {256,192,*128}  aes_gcm_b
   {256,192,*128}  aes_gcm_a
   {256,192,*128}  aesctr
   {256,192,*128}  aes
   {256,192,*128}  aes_gmac
   sha, sha1, sha1_96, hmac_sha1
   sha512, sha2_512, sha2_512_256, hmac_sha2_512
   sha384, sha2_384, sha2_384_192, hmac_sha2_384
   sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
   aes_cmac
   null
   null, dh0
   dh14
   dh15
   dh16
   dh17
   dh18
   ecp_256, ecp256
   ecp_384, ecp384
   ecp_521, ecp521

   Copy to Clipboard Toggle word wrap