[sle-beta] [sles-beta] StrongSWAN...

Matthias G. Eckermann mge at suse.com
Mon Jul 24 15:48:20 MDT 2017

Hello Joel and all,

thanks for your recommendation. As you are working in the FIPS
context, you are aware of the quite rigid requirements with
respect to code updates, the time a FIPS validation needs, and
the efforts associated with this.

That said, the plan for re-validating our SLE 12 SP2 and SP3
security modules for FIPS 140-2 is already in process, and thus
you are not only "late", but really "too late", I am afraid.

Your recommendation is valid for the upcoming SLE 15 though.

Kind regards -
So long -

On 2017-07-24 T 15:35 -0500 Joel Barbieri wrote:
> Yes...I'm late...but everything has been working spectacularly...until I
> needed to implement a new security requirement for our product...which
> currently is best resolved with a newer strongswan...version 5.3.3 or
> newer.  I am needing to guarantee that all [backend] traffic between hosts
> in our clustered application is encrypted.  As a cheat, I think VPN...and I
> tried the strongswan "trap-any" configuration.  This does not work with
> 5.1...and has a few bug reports indicating it is broken until 5.3.3.  It's
> such a horribly simple and elegant solution too...  I tried the tumbleweed
> package [based on 5.3.5], and it brings up tunnels just as I want it to,
> where 5.1 simply thinks there is nothing to be done.  Of course, the 5.3.5
> from tumbleweed doesn't work in FIPS mode [or at least when compiled to be
> more native to SLES12SP3 it experiences a failure in drbg.c line 1841
> _gcry_drbg_randomize: No output buffer provided], which means I still have
> work to do....but that could just be having a non-FIPS option specified in
> my configuration...PSK seems a little questionable for FIPS.
> Would anyone else second having a more up to date strongswan that worked in
> FIPS mode and could provide VPN encryption automatically between hosts they
> deployed in the cloud?
> I mean really, would you want to turn your back on something where your
> solution was simply:
> # ipsec.conf - strongSwan IPsec configuration file
> config setup
>         charondebug="knl 2"
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
> conn trap-any
>         right=%any
>         leftsubnet=
>         rightsubnet=
>         type=transport
>         authby=psk
>         auto=route
> versus having to get into something far more chaotic?
> -Joel


Matthias G. Eckermann, Director Product Management SUSE Linux Enterprise
SUSE Linux GmbH, GF:  Felix Imendörffer,  Jane Smithard,  Graham Norton,
HRB 21284 (AG Nürnberg)
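Joel's requirement above is that, once the trap-any policy fires, every backend path between cluster hosts is actually carried by an ESP security association. The following Python is an added example, not code from this thread or from strongSwan: it parses `ip xfrm state` output (the sample output here is constructed, not captured from a real host) and reports, per peer, a missing direction or a null cipher.

```python
import re

# Constructed sample of `ip xfrm state` output (not captured from a real host):
# ESP transport SAs in both directions between .1 and .2, plus a deliberately
# bad one-way SA to .3 that uses null encryption.
SAMPLE_XFRM_STATE = """\
src 10.0.0.1 dst 10.0.0.2
\tproto esp spi 0x0a1b2c3d reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 10.0.0.2 dst 10.0.0.1
\tproto esp spi 0x0d2c1b0a reqid 1 mode transport
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 10.0.0.1 dst 10.0.0.3
\tproto esp spi 0x11111111 reqid 2 mode transport
\tenc ecb(cipher_null)
\tauth-trunc hmac(sha1) 0x0011223344556677889900112233445566778899 96
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)$")
PROTO_LINE = re.compile(r"^\s+proto (\w+) spi (\S+) reqid (\d+) mode (\w+)")
CIPHER_LINE = re.compile(r"^\s+(aead|enc) (\S+)")

def parse_xfrm_state(text):
    """Split `ip xfrm state` output into one dict per security association."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "cipher": None}
            sas.append(cur)
        elif cur is not None and (m := PROTO_LINE.match(line)):
            cur.update(proto=m.group(1), spi=m.group(2), mode=m.group(4))
        elif cur is not None and (m := CIPHER_LINE.match(line)):
            cur["cipher"] = m.group(2)
    return sas

def check_peer(sas, local, peer, weak=("cipher_null",)):
    """Require an ESP SA with a real cipher in each direction; list what is missing."""
    problems = []
    for src, dst in ((local, peer), (peer, local)):
        found = [s for s in sas
                 if s["src"] == src and s["dst"] == dst and s.get("proto") == "esp"]
        if not found:
            problems.append(f"no ESP SA {src}->{dst}")
        for s in found:
            if s["cipher"] is None or any(w in s["cipher"] for w in weak):
                problems.append(f"weak or missing cipher {s['cipher']} {src}->{dst}")
    return problems
```

On a real host, feed the script the output of `ip xfrm state` and check every peer in the cluster; an empty problem list for a peer means traffic to and from it is covered by an ESP SA with a non-null cipher.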
