6.8. 部署 FIPS 兼容 IPsec VPN

使用此流程基于 Libreswan 部署 FIPS 兼容 IPsec VPN 解决方案。以下步骤还允许您识别哪些加密算法可用,并在 FIPS 模式的 Libreswan 中禁用了哪些加密算法。

先决条件

  • AppStream存储库已启用。

流程

  1. 安装 libreswan 软件包: 

    # dnf install libreswan

  2. 如果您要重新安装 Libreswan,请删除其旧的 NSS 数据库: 

    # systemctl stop ipsec

# rm /var/lib/ipsec/nss/*db

  3. 启动 ipsec 服务,并启用该服务,以便其在引导时自动启动: 

    # systemctl enable ipsec --now

  4. 通过添加 ipsec 服务,将防火墙配置为允许 IKE、ESP 和 AH 协议的 500 和 4500/UDP 端口: 

    # firewall-cmd --add-service="ipsec"
# firewall-cmd --runtime-to-permanent

  5. 将系统切换到 FIPS 模式: 

    # fips-mode-setup --enable

  6. 重启您的系统以允许内核切换到 FIPS 模式: 

    # reboot

验证

  1. 确认 Libreswan 在 FIPS 模式下运行: 

    # ipsec whack --fipsstatus
000 FIPS mode enabled

  2. 或者,检查 systemd 日志中的 ipsec 单元条目: 

    $ journalctl -u ipsec
...
Jan 22 11:26:50 localhost.localdomain pluto[3076]: FIPS Mode: YES

  3. 以 FIPS 模式查看可用算法: 

    # ipsec pluto --selftest 2>&1 | head -6
Initializing NSS using read-write database "sql:/var/lib/ipsec/nss"
FIPS Mode: YES
NSS crypto library initialized
FIPS mode enabled for pluto daemon
NSS library is running in FIPS mode
FIPS HMAC integrity support [disabled]

  4. 使用 FIPS 模式查询禁用的算法: 

    # ipsec pluto --selftest 2>&1 | grep disabled
Encryption algorithm CAMELLIA_CTR disabled; not FIPS compliant
Encryption algorithm CAMELLIA_CBC disabled; not FIPS compliant
Encryption algorithm NULL disabled; not FIPS compliant
Encryption algorithm CHACHA20_POLY1305 disabled; not FIPS compliant
Hash algorithm MD5 disabled; not FIPS compliant
PRF algorithm HMAC_MD5 disabled; not FIPS compliant
PRF algorithm AES_XCBC disabled; not FIPS compliant
Integrity algorithm HMAC_MD5_96 disabled; not FIPS compliant
Integrity algorithm HMAC_SHA2_256_TRUNCBUG disabled; not FIPS compliant
Integrity algorithm AES_XCBC_96 disabled; not FIPS compliant
DH algorithm MODP1536 disabled; not FIPS compliant
DH algorithm DH31 disabled; not FIPS compliant

  5. 在 FIPS 模式中列出所有允许的算法和密码: 

    # ipsec pluto --selftest 2>&1 | grep ESP | grep FIPS | sed "s/^.*FIPS//"
aes_ccm, aes_ccm_c
aes_ccm_b
aes_ccm_a
NSS(CBC)  3des
NSS(GCM)  aes_gcm, aes_gcm_c
NSS(GCM)  aes_gcm_b
NSS(GCM)  aes_gcm_a
NSS(CTR)  aesctr
NSS(CBC)  aes
aes_gmac
NSS       sha, sha1, sha1_96, hmac_sha1
NSS       sha512, sha2_512, sha2_512_256, hmac_sha2_512
NSS       sha384, sha2_384, sha2_384_192, hmac_sha2_384
NSS       sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
aes_cmac
null
NSS(MODP) null, dh0
NSS(MODP) dh14
NSS(MODP) dh15
NSS(MODP) dh16
NSS(MODP) dh17
NSS(MODP) dh18
NSS(ECP)  ecp_256, ecp256
NSS(ECP)  ecp_384, ecp384
NSS(ECP)  ecp_521, ecp521

其他资源