Setkey, FIPS, and migration from CentOS 6.8 to 7.4

Support for security such as Firewalls and securing linux
Post Reply
dutsnekcirf
Posts: 55
Joined: 2015/11/24 20:33:44

Setkey, FIPS, and migration from CentOS 6.8 to 7.4

Post by dutsnekcirf » 2018/01/10 20:20:30

SCENARIO 1:
---------------------------------------------------------------------------------------------------------------------------
CentOS 6.8
Kernel: 2.6.32-642.6.2.el6.x86_64
ipsec-tools 0.8.2-1
Grub command line statement includes fips=1
setkey.conf file contains:
# Flush the SAD and SPD
flush;
spdflush;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 0.0.0.0 192.168.121.138 esp 0x201 -E 3des-cbc
<OUR KEY>;

# Security policies
spdadd 0.0.0.0/0 [any] 192.168.121.138 [1960] any -P in ipsec
esp/transport//require;
In this configuration setkey -D shows that the security policy was in fact loaded into the kernel.

SCENARIO 2:
-----------------------------------------------------------------------------------------------------------------------------
CentOS 7.4
Kernel: 3.10.0-693.11.1.el7.x86_64
ipsec-tools 0.8.2-1
Grub command line statement includes fips=1
setkey.conf file is same as above.

In this configuration setkey -D returns an error saying: "No SAD Entries" If I attempt to read the setkey.conf file into the kernel with "setkey -f /etc/setkey.conf" then I get an error saying: "The result of line 10: (NULL)."

If; however, I remove the "fips=1" from the kernel command line statement and reboot then setkey successfully loads the security policy into the kernel.

This leads me to believe that something has changed with the FIPS standard between CentOS 6.8 and CentOS 7.4. I'm wondering if 3des-cbc is no longer an approved cipher. Is it possible to force it to allow 3des-cbc while still maintaining fips=1 in the kernel statement? Any setkey, FIPS, and CentOS 7.4 experts out there that can help me out?

dutsnekcirf
Posts: 55
Joined: 2015/11/24 20:33:44

Re: Setkey, FIPS, and migration from CentOS 6.8 to 7.4

Post by dutsnekcirf » 2018/01/11 20:54:02

I've made some progress. I've learned how to add a Security Association (SA) using ip xfrm rather than using setkey provided by ipsec-tools. But I have not quite got it to work the way it used to. So far I can only add an SA if I include an AH sha1 cipher with it. Here's the command I'm using:
ip xfrm state add src 0.0.0.0 dst 192.168.121.138 proto esp spi 0x201 mode transport reqid 0 replay-window 0 auth sha1 0xecf02a5cf6568556e1bdcd961c7ec3f92afd01cc enc des3_ede 0x8a719c734fe8865738a3de780e49dc3f8fc40efcfa5687cc
In case anyone gets excited; those aren't the actual keys that we're going to use.

I don't want to use AH since we didn't use it before. If I remove the "auth sha1 0xecf02a5cf6568556e1bdcd961c7ec3f92afd01cc" portion then it fails to load the SA. Is it a requirement now that AH is included with ESP? The ip-xfrm man page is pretty cryptic on this.

In CentOS 6.8 our SA looked like this:

Code: Select all

src 0.0.0.0 dst 192.168.121.138
        proto esp spi 0x00000201 reqid 0 mode transport
        replay-window 0 
        enc cbc(des3_ede) 0x8a719c734fe8865738a3de780e49dc3f8fc40efcfa5687cc
        sel src 0.0.0.0/0 dst 0.0.0.0/0 
So far I've got it looking like this in CentOS 7.4:

Code: Select all

src 0.0.0.0 dst 192.168.121.138
        proto esp spi 0x00000201 reqid 0 mode transport
        replay-window 0 
        auth-trunc hmac(sha1) 0xecf02a5cf6568556e1bdcd961c7ec3f92afd01cc 96
        enc cbc(des3_ede) 0x8a719c734fe8865738a3de780e49dc3f8fc40efcfa5687cc
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 0.0.0.0/0 dst 0.0.0.0/0 
Anyone know how to adjust my ip xfrm command to make it look just like it did in CentOS 6.8?

Post Reply