RHEL 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-258232	SRG-OS-000033-GPOS-00014	RHEL-09-671020	SV-258232r1045440_rule	2025-02-27	2

Description
Overriding the system crypto policy makes the behavior of the Libreswan service violate expectations, and makes system configuration more fragmented.

ℹ️ Check
Verify that the IPsec service uses the system crypto policy with the following command: Note: If the ipsec service is not installed, this requirement is Not Applicable. $ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf /etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config If the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.

ℹ️ Check

Verify that the IPsec service uses the system crypto policy with the following command: Note: If the ipsec service is not installed, this requirement is Not Applicable. $ sudo grep include /etc/ipsec.conf /etc/ipsec.d/*.conf /etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config If the ipsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.

✔️ Fix
Configure Libreswan to use the system cryptographic policy. Add the following line to "/etc/ipsec.conf": include /etc/crypto-policies/back-ends/libreswan.config