/testing/guestbin/swan-prep --fips
Password changed successfully.
FIPS mode enabled.
east #
 ipsec checknss
east #
 PATH/bin/modutil -dbdir sql:/etc/ipsec.d -fips true -force
FIPS mode already enabled.
east #
 PATH/bin/modutil -dbdir sql:/etc/ipsec.d -chkfips true
FIPS mode enabled.
east #
 fipscheck
usage: fipscheck [-s <hmac-suffix>] <paths-to-files>
fips mode is on
east #
 ipsec start
Redirecting to: systemctl start ipsec.service
east #
 /testing/pluto/bin/wait-until-pluto-started
east #
 grep FIPS /tmp/pluto.log
FIPS Product: YES
FIPS Kernel: YES
FIPS Mode: YES
NSS Password from file "/etc/ipsec.d/nsspassword" for token "NSS FIPS 140-2 Certificate DB" with length 6 passed to NSS
FIPS HMAC integrity support [enabled]
FIPS mode enabled for pluto daemon
NSS library is running in FIPS mode
FIPS HMAC integrity verification self-test passed
Starting Pluto (Libreswan Version )
Encryption algorithm CAMELLIA_CTR disabled; not FIPS compliant
Encryption algorithm CAMELLIA_CBC disabled; not FIPS compliant
Encryption algorithm SERPENT_CBC disabled; not FIPS compliant
Encryption algorithm TWOFISH_CBC disabled; not FIPS compliant
Encryption algorithm TWOFISH_SSH disabled; not FIPS compliant
Encryption algorithm CAST_CBC disabled; not FIPS compliant
Encryption algorithm NULL disabled; not FIPS compliant
Hash algorithm MD5 disabled; not FIPS compliant
PRF algorithm HMAC_MD5 disabled; not FIPS compliant
Integrity algorithm HMAC_MD5_96 disabled; not FIPS compliant
DH algorithm MODP1024 disabled; not FIPS compliant
DH algorithm MODP1536 disabled; not FIPS compliant
FIPS Encryption algorithms:
  AES_CCM_16         IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
  AES_CCM_12         IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
  AES_CCM_8          IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
  3DES_CBC           IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
  AES_GCM_16         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
  AES_GCM_12         IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
  AES_GCM_8          IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
  AES_CTR            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
  AES_CBC            IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes)
FIPS Hash algorithms:
  SHA1               IKEv1: IKE         IKEv2:             FIPS  (sha)
  SHA2_256           IKEv1: IKE         IKEv2:             FIPS  (sha2 sha256)
  SHA2_384           IKEv1: IKE         IKEv2:             FIPS  (sha384)
  SHA2_512           IKEv1: IKE         IKEv2:             FIPS  (sha512)
FIPS PRF algorithms:
  HMAC_SHA1          IKEv1: IKE         IKEv2: IKE         FIPS  (sha sha1)
  HMAC_SHA2_256      IKEv1: IKE         IKEv2: IKE         FIPS  (sha2 sha256 sha2_256)
  HMAC_SHA2_384      IKEv1: IKE         IKEv2: IKE         FIPS  (sha384 sha2_384)
  HMAC_SHA2_512      IKEv1: IKE         IKEv2: IKE         FIPS  (sha512 sha2_512)
FIPS Integrity algorithms:
  HMAC_SHA1_96       IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha sha1 sha1_96 hmac_sha1)
  HMAC_SHA2_512_256  IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512 sha2_512 hmac_sha2_512)
  HMAC_SHA2_384_192  IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384 sha2_384 hmac_sha2_384)
  HMAC_SHA2_256_128  IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 sha2_256 hmac_sha2_256)
  AES_XCBC_96        IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_xcbc)
  AES_CMAC_96        IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_cmac)
FIPS DH algorithms:
  MODP2048           IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
  MODP3072           IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
  MODP4096           IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
  MODP6144           IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
  MODP8192           IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
  DH19               IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_256)
  DH20               IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_384)
  DH21               IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_521)
  DH23               IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
  DH24               IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
east #
 ipsec auto --add westnet-eastnet-md5
036 Failed to add connection "westnet-eastnet-md5" : ike string error: IKE PRF algorithm 'md5' is not supported, enc_alg="aes"(0), auth_alg="md5", modp=""
east #
 echo "initdone"
initdone
east #
 ipsec look
east NOW
XFRM state:
XFRM policy:
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1 
192.0.1.0/24 via 192.1.2.45 dev eth1 
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254 
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23 
192.9.2.0/24 dev eth2 proto kernel scope link src 192.9.2.23 
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
east #
east #
 ../bin/check-for-core.sh
east #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

