On Thu, 30 Nov 2017, Matt Hilt wrote:
> Perhaps I found my issue. These lines are in my logs:
>
> Nov 30 10:25:57: FIPS: ignored negotiationshunt=passthrough - packets MUST be blocked in FIPS mode
> Nov 30 10:25:57: FIPS: ignored failureshunt=passthrough - packets MUST be blocked in FIPS mode
>
> I assume this means there can be no failover at all in FIPS mode?
Ohh, you are in FIPS mode...
FIPS mode does not allow a fail-open tunnel. You have an interesting
case here though.....
> Or I need to add the unconfigured hosts to my clear policy at least temporarily
> to get what I am after?
That would be one way of temporarily fixing it, yes. In FIPS, you really
only have clear and private, and private-or-clear and clear-or-private
do not make much sense. Although some of this might depend on the FIPS
lab and NIST person you are talking to.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
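An added example, not from the thread or from libreswan itself, that audits an ipsec.conf for the passthrough shunts the log lines above show being ignored in FIPS mode (where they silently become fail-closed) and that pulls those FIPS warnings out of a pluto log. The conn names, addresses and log excerpt are constructed; `negotiationshunt` and `failureshunt` are real libreswan conn keywords.

```python
import re

# Constructed ipsec.conf excerpt: conn names and addresses are made up.
SAMPLE_CONF = """\
config setup
    logfile=/var/log/pluto.log

conn oe-fail-open
    left=%defaultroute
    right=%opportunisticgroup
    negotiationshunt=passthrough
    failureshunt=passthrough

conn site-to-site
    left=192.0.2.1
    right=198.51.100.1
    failureshunt=drop
"""

# Constructed pluto log excerpt in the shape quoted in the thread.
SAMPLE_LOG = """\
Nov 30 10:25:57: FIPS: ignored negotiationshunt=passthrough - packets MUST be blocked in FIPS mode
Nov 30 10:25:57: FIPS: ignored failureshunt=passthrough - packets MUST be blocked in FIPS mode
Nov 30 10:25:58: loading secrets from "/etc/ipsec.secrets"
"""

SHUNT_KEYS = ("negotiationshunt", "failureshunt")
FIPS_IGNORED = re.compile(r"FIPS: ignored (?P<key>\w+shunt)=(?P<value>\S+)")

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every conn section of an ipsec.conf."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():                  # unindented: "conn NAME" or "config setup"
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) > 1 else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:  # indented key=value inside a conn
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def fail_open_conns(conf_text):
    """Conns relying on passthrough shunts: fail-open normally, fail-closed under FIPS."""
    findings = {}
    for name, opts in parse_conns(conf_text).items():
        hits = [k for k in SHUNT_KEYS if opts.get(k) == "passthrough"]
        if hits:
            findings[name] = hits
    return findings

def fips_ignored_shunts(log_text):
    """(key, value) pairs that pluto reported as ignored because of FIPS mode."""
    return sorted({(m["key"], m["value"]) for m in FIPS_IGNORED.finditer(log_text)})
```

Run `fail_open_conns` over the real config before enabling FIPS mode, and `fips_ignored_shunts` over pluto's log afterwards, to see which conns lost their fail-open behaviour.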