/testing/guestbin/swan-prep --fips
Password changed successfully.
FIPS mode enabled.
east #
 ipsec checknss
east #
 PATH/bin/modutil -dbdir sql:/etc/ipsec.d -fips true -force
FIPS mode already enabled.
east #
 PATH/bin/modutil -dbdir sql:/etc/ipsec.d -chkfips true
FIPS mode enabled.
east #
 fipscheck
usage: fipscheck [-s <hmac-suffix>] <paths-to-files>
fips mode is on
east #
 ipsec start
Redirecting to: systemctl start ipsec.service
east #
 /testing/pluto/bin/wait-until-pluto-started
east #
 grep FIPS /tmp/pluto.log
FIPS Product: YES
FIPS Kernel: YES
FIPS Mode: YES
NSS Password from file "/etc/ipsec.d/nsspassword" for token "NSS FIPS 140-2 Certificate DB" with length 6 passed to NSS
FIPS HMAC integrity support [enabled]
FIPS mode enabled for pluto daemon
NSS library is running in FIPS mode
FIPS HMAC integrity verification self-test passed
Starting Pluto (Libreswan Version )
Encryption algorithm camellia_ctr disabled; not FIPS compliant
Encryption algorithm camellia disabled; not FIPS compliant
Encryption algorithm serpent disabled; not FIPS compliant
Encryption algorithm twofish disabled; not FIPS compliant
Encryption algorithm twofish_ssh disabled; not FIPS compliant
Encryption algorithm cast disabled; not FIPS compliant
Encryption algorithm null disabled; not FIPS compliant
Hash algorithm md5 disabled; not FIPS compliant
PRF algorithm md5 disabled; not FIPS compliant
Integrity algorithm md5 disabled; not FIPS compliant
DH algorithm MODP1024 disabled; not FIPS compliant
DH algorithm MODP1536 disabled; not FIPS compliant
FIPS Encryption algorithms:
  aes_ccm_16    IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm aes_ccm_c)
  aes_ccm_12    IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_b)
  aes_ccm_8     IKEv1:     ESP     IKEv2:     ESP     FIPS  {256,192,*128}  (aes_ccm_a)
  3des_cbc      IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  [*192]  (3des)
  aes_gcm_16    IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm aes_gcm_c)
  aes_gcm_12    IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_b)
  aes_gcm_8     IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_gcm_a)
  aes_ctr       IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aesctr)
  aes           IKEv1: IKE ESP     IKEv2: IKE ESP     FIPS  {256,192,*128}  (aes_cbc)
FIPS Hash algorithms:
  sha           IKEv1: IKE         IKEv2:             FIPS  (sha1)
  sha2_256      IKEv1: IKE         IKEv2:             FIPS  (sha2 sha256)
  sha2_384      IKEv1: IKE         IKEv2:             FIPS  (sha384)
  sha2_512      IKEv1: IKE         IKEv2:             FIPS  (sha512)
FIPS PRF algorithms:
  sha           IKEv1: IKE         IKEv2: IKE         FIPS  (sha1 hmac_sha1)
  sha2_256      IKEv1: IKE         IKEv2: IKE         FIPS  (sha2 sha256 hmac_sha2_256)
  sha2_384      IKEv1: IKE         IKEv2: IKE         FIPS  (sha384 hmac_sha2_384)
  sha2_512      IKEv1: IKE         IKEv2: IKE         FIPS  (sha512 hmac_sha2_512)
FIPS Integrity algorithms:
  sha           IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha1 sha1_96 hmac_sha1 hmac_sha1_96)
  sha2_512      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha512 hmac_sha2_512 hmac_sha2_512_256)
  sha2_384      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha384 hmac_sha2_384 hmac_sha2_384_192)
  sha2_256      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (sha2 sha256 hmac_sha2_256 hmac_sha2_256_128)
  aes_xcbc      IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_xcbc_96)
  aes_cmac      IKEv1:     ESP AH  IKEv2:     ESP AH  FIPS  (aes_cmac_96)
FIPS DH algorithms:
  MODP2048      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh14)
  MODP3072      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh15)
  MODP4096      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh16)
  MODP6144      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh17)
  MODP8192      IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS  (dh18)
  DH19          IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_256)
  DH20          IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_384)
  DH21          IKEv1: IKE         IKEv2: IKE ESP AH  FIPS  (ecp_521)
  DH23          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
  DH24          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS
east #
 ipsec auto --add westnet-eastnet-md5
036 Failed to add connection "westnet-eastnet-md5" : ike string error: IKE PRF algorithm 'md5' is not supported, enc_alg="aes"(0), auth_alg="md5", modp=""
east #
 echo "initdone"
initdone
east #
 ipsec look
east NOW
XFRM state:
XFRM policy:
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1 
192.0.1.0/24 via 192.1.2.45 dev eth1 
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254 
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23 
192.9.2.0/24 dev eth2 proto kernel scope link src 192.9.2.23 
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
east #
east #
 ../bin/check-for-core.sh
east #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

