Two things to consider with IPSec: key exchange mechanisms as provided by packages like StrongSwan, and the actual encryption/authentication of packets that is typically being done by the kernel stack and I believe is based on the Kernel Crypto API. So I believe to do IPSec you do need both crypto "libraries" to be FIPS-validated, perhaps as separate crypto modules.

Kevin

On Tue, Apr 14, 2015 at 8:51 AM, jonetsu <jonetsu at teksavvy.com> wrote:

> Salz, Rich wrote
> > As the old joke goes, "if you have to ask, you can't afford it."
>
> Well, exploration can be free. I noticed that Strongswan uses a plug-in
> architecture for crypto that seemingly allows the use of OpenSSL instead of
> the kernel for crypto operations, for use under FIPS. Does anyone have an
> idea of the order of magnitude in performance loss this could be for IPSec,
> to use crypto from OpenSSL instead of the kernel?
>
> Regards.
>
> --
> View this message in context:
> http://openssl.6102.n7.nabble.com/openssl-users-FIPS-mode-restrictions-and-DES-tp57497p57541.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.