TOSS 5 IP tunnels must use FIPS 140-3-approved cryptographic algorithms.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282386TOSS-05-000466SV-282386r1200138_ruleCCI-000068high
Description
Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations and makes system configuration more fragmented.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282386r1200138_chk)

Verify the IPsec service uses the system crypto policy using the following command: Note: If the IPsec service is not installed, this requirement is not applicable. $ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf /etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config If the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.

Fix Text (F-86852r1200137_fix)

Configure Libreswan to use the system cryptographic policy. Add the following line to "/etc/ipsec.conf": include /etc/crypto-policies/back-ends/libreswan.config