5.8. 部署 FIPS 兼容 IPsec VPN
您可以使用 Libreswan 部署 FIPS 兼容 IPsec VPN 解决方案。要做到这一点,您可以识别哪些加密算法可用,且 Libreswan 在 FIPS 模式中禁用。
前提条件
-
AppStream存储库已启用。
流程
安装
libreswan软件包:# yum install libreswan如果您要重新安装 Libreswan,请删除其旧的 NSS 数据库:
# systemctl stop ipsec # rm /etc/ipsec.d/*db
启动
ipsec服务,并启用该服务,以便其在引导时自动启动:# systemctl enable ipsec --now通过添加
ipsec服务,将防火墙配置为允许 IKE、ESP 和 AH 协议的500和4500UDP 端口:# firewall-cmd --add-service="ipsec" # firewall-cmd --runtime-to-permanent
将系统切换到 FIPS 模式:
# fips-mode-setup --enable重启您的系统以允许内核切换到 FIPS 模式:
# reboot
验证
确认 Libreswan 在 FIPS 模式下运行:
# ipsec whack --fipsstatus 000 FIPS mode enabled或者,检查
systemd日志中的ipsec单元条目:$ journalctl -u ipsec ... Jan 22 11:26:50 localhost.localdomain pluto[3076]: FIPS Product: YES Jan 22 11:26:50 localhost.localdomain pluto[3076]: FIPS Kernel: YES Jan 22 11:26:50 localhost.localdomain pluto[3076]: FIPS Mode: YES以 FIPS 模式查看可用算法:
# ipsec pluto --selftest 2>&1 | head -11 FIPS Product: YES FIPS Kernel: YES FIPS Mode: YES NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode enabled for pluto daemon NSS library is running in FIPS mode FIPS HMAC integrity verification self-test passed使用 FIPS 模式查询禁用的算法:
# ipsec pluto --selftest 2>&1 | grep disabled Encryption algorithm CAMELLIA_CTR disabled; not FIPS compliant Encryption algorithm CAMELLIA_CBC disabled; not FIPS compliant Encryption algorithm SERPENT_CBC disabled; not FIPS compliant Encryption algorithm TWOFISH_CBC disabled; not FIPS compliant Encryption algorithm TWOFISH_SSH disabled; not FIPS compliant Encryption algorithm NULL disabled; not FIPS compliant Encryption algorithm CHACHA20_POLY1305 disabled; not FIPS compliant Hash algorithm MD5 disabled; not FIPS compliant PRF algorithm HMAC_MD5 disabled; not FIPS compliant PRF algorithm AES_XCBC disabled; not FIPS compliant Integrity algorithm HMAC_MD5_96 disabled; not FIPS compliant Integrity algorithm HMAC_SHA2_256_TRUNCBUG disabled; not FIPS compliant Integrity algorithm AES_XCBC_96 disabled; not FIPS compliant DH algorithm MODP1024 disabled; not FIPS compliant DH algorithm MODP1536 disabled; not FIPS compliant DH algorithm DH31 disabled; not FIPS compliant在 FIPS 模式中列出所有允许的算法和密码:
# ipsec pluto --selftest 2>&1 | grep ESP | grep FIPS | sed "s/^.*FIPS//" {256,192,*128} aes_ccm, aes_ccm_c {256,192,*128} aes_ccm_b {256,192,*128} aes_ccm_a [*192] 3des {256,192,*128} aes_gcm, aes_gcm_c {256,192,*128} aes_gcm_b {256,192,*128} aes_gcm_a {256,192,*128} aesctr {256,192,*128} aes {256,192,*128} aes_gmac sha, sha1, sha1_96, hmac_sha1 sha512, sha2_512, sha2_512_256, hmac_sha2_512 sha384, sha2_384, sha2_384_192, hmac_sha2_384 sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 aes_cmac null null, dh0 dh14 dh15 dh16 dh17 dh18 ecp_256, ecp256 ecp_384, ecp384 ecp_521, ecp521
其他资源
