---------------------------------------------------------------------------------------------------------------------------
CentOS 6.8
Kernel: 2.6.32-642.6.2.el6.x86_64
ipsec-tools 0.8.2-1
Grub command line statement includes fips=1
setkey.conf file contains:

# Flush the SAD and SPD
flush;
spdflush;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 0.0.0.0 192.168.121.138 esp 0x201 -E 3des-cbc
<OUR KEY>;
# Security policies
spdadd 0.0.0.0/0 [any] 192.168.121.138 [1960] any -P in ipsec
esp/transport//require;

In this configuration setkey -D shows that the security policy was in fact loaded into the kernel.
SCENARIO 2:
-----------------------------------------------------------------------------------------------------------------------------
CentOS 7.4
Kernel: 3.10.0-693.11.1.el7.x86_64
ipsec-tools 0.8.2-1
Grub command line statement includes fips=1
setkey.conf file is same as above.
In this configuration setkey -D returns an error saying: "No SAD Entries". If I attempt to read the setkey.conf file into the kernel with "setkey -f /etc/setkey.conf" then I get an error saying: "The result of line 10: (NULL)."
If, however, I remove the "fips=1" from the kernel command line statement and reboot then setkey successfully loads the security policy into the kernel.
This leads me to believe that something has changed with the FIPS standard between CentOS 6.8 and CentOS 7.4. I'm wondering if 3des-cbc is no longer an approved cipher. Is it possible to force it to allow 3des-cbc while still maintaining fips=1 in the kernel statement? Any setkey, FIPS, and CentOS 7.4 experts out there that can help me out?
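Added example (not from the original post): before attributing a parse failure on the "add" line to fips=1, it is worth ruling out a key of the wrong size for the cipher, since setkey reports a bad SA statement by line number and gives little else. The script below writes a constructed setkey.conf in the same shape as the one in the question (the key is a dummy hex value, not the poster's key), joins continuation lines, and checks that every "add ... -E <alg> <key>;" statement carries a key of the length that cipher requires (24 bytes for 3des-cbc). The key-size table and the file layout are the example's own assumptions; it does not answer whether 3des-cbc is permitted under FIPS mode on the newer kernel.

```shell
#!/bin/sh
# Added example: sanity-check ESP key lengths in a setkey.conf before
# running "setkey -f". Not part of the original post.

# Key sizes (in bytes) accepted for each ESP cipher this example knows about.
key_bytes_for() {
    case "$1" in
        3des-cbc) echo 24 ;;          # 168-bit key + 24 parity bits = 192 bits
        des-cbc)  echo 8 ;;
        aes-cbc)  echo "16 24 32" ;;
        *)        echo "" ;;          # unknown to this table; statement is skipped
    esac
}

# Write a constructed setkey.conf (same shape as the question's file) to $1,
# using $2 as the ESP key. Dummy data for the example only.
write_sample_conf() {
    cat > "$1" <<EOF
# Flush the SAD and SPD
flush;
spdflush;
# ESP SAs using 192 bit long keys (168 + 24 parity)
add 0.0.0.0 192.168.121.138 esp 0x201 -E 3des-cbc
$2;
# Security policies
spdadd 0.0.0.0/0 [any] 192.168.121.138 [1960] any -P in ipsec
esp/transport//require;
EOF
}

# Check every "add" statement in the file named by $1.
# Prints "<src> <dst> <alg> <n>-byte-key ok|BAD" per SA; returns 1 if any key
# length does not match its cipher (or an "add" has no -E at all).
check_setkey_conf() {
    conf=$1
    status=0
    # Strip comments, join wrapped lines, then one statement per line.
    stmts=$(sed 's/#.*//' "$conf" | tr '\n' ' ' | tr ';' '\n')
    while read -r stmt; do
        set -- $stmt
        [ "$1" = "add" ] || continue
        src=$2 dst=$3 alg= key=
        # Find the "-E <alg> <key>" triple wherever it sits in the statement.
        while [ $# -gt 1 ]; do
            if [ "$1" = "-E" ]; then alg=$2; key=$3; break; fi
            shift
        done
        if [ -z "$alg" ]; then
            echo "$src $dst (no -E cipher) BAD"; status=1; continue
        fi
        allowed=$(key_bytes_for "$alg")
        if [ -z "$allowed" ]; then
            echo "$src $dst $alg not in key-size table, skipped"; continue
        fi
        hex=${key#0x}
        bytes=$(( ${#hex} / 2 ))
        verdict=BAD
        case " $allowed " in
            *" $bytes "*) [ $(( ${#hex} % 2 )) -eq 0 ] && verdict=ok ;;
        esac
        [ "$verdict" = ok ] || status=1
        echo "$src $dst $alg ${bytes}-byte-key $verdict"
    done <<EOF
$stmts
EOF
    return $status
}

# Constructed keys: 48 hex digits = 24 bytes (correct for 3des-cbc),
# 40 hex digits = 20 bytes (wrong, and the kind of slip setkey reports by line only).
GOOD_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef
BAD_KEY=0x0123456789abcdef0123456789abcdef01234567

tmp=$(mktemp)
write_sample_conf "$tmp" "$GOOD_KEY"
check_setkey_conf "$tmp"
write_sample_conf "$tmp" "$BAD_KEY"
if ! check_setkey_conf "$tmp"; then
    echo "key length problem found; fix it before retrying setkey -f"
fi
rm -f "$tmp"
```

Run it as a plain sh script; pointing check_setkey_conf at the real /etc/setkey.conf reports each SA's key length so a mis-sized key can be excluded before looking at the FIPS side of the problem.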