I compiled and installed strongswan ipsec vpn successfully, as demonstrated by the fact that the service starts successfully:
as3:~# ipsec restart Stopping strongSwan IPsec... Starting strongSwan 5.0.4 IPsec [starter]... as3:~#
When I run command ipsec pki --gen --outform pem > caKey.pem I see the error:
as3:~# ipsec pki --gen --outform pem > caKey.pem openssl FIPS mode(0) unavailable as3:~#
What does "openssl FIPS mode(0) unavailable" mean? How to fix it?
This message is logged in strongSwan 5.0.4 if OpenSSL is not compiled with FIPS mode enabled, that is if OPENSSL_FIPS is not defined in openssl/opensslconf.h.
In future releases it will only be logged if the user actually wants to use OpenSSL in FIPS mode, either by setting
--with-fips-mode=MODE
where MODE is either 0 (disabled, default), 1 (enabled), or 2 (Suite B enabled)
during ./configure or by setting
libstrongswan.plugins.openssl.fips_mode
same values as above, the default is also 0.
in strongswan.conf to a value != 0.
Therefore, if you dont't want to use OpenSSL in FIPS mode, as is indicated by the (0) in the log message you posted, you can safely ignore this message.
It seems you missed openssl fips mode plugin when you compiled strongswan.
libstrongswan.plugins.openssl.fips_mode
Set OpenSSL FIPS mode: disabled (0), enabled (1), Suite B enabled (2). Defaults to the value configured with the --with-fips-mode option
You can re-compile strongswan, or make change to openssl config:
# Default section
XXXX_conf = XXXX_options
...
[ XXXX_options ]
alg_section = algs
...
[ algs ]
fips_mode = yes
...
