AlmaLinux OS 9 IP tunnels must use FIPS 140-3 approved cryptographic algorithms.

STIG ID: ALMA-09-003870 |  SRG: SRG-OS-000033-GPOS-00014 |  Severity: medium |  CCI:  | Vulnerability Id: V-269122

Vulnerability Discussion

Overriding the system crypto policy with Libreswan-specific algorithm settings makes the behavior of the Libreswan service diverge from the policy the administrator expects to be in force (for example, the FIPS policy), and makes the system's cryptographic configuration more fragmented, since it can no longer be audited or changed in one place.

Check

Note: If the Libreswan package is not installed, this requirement is Not Applicable.

Verify that the IPsec service uses the system crypto policy with the following command:

$ grep -rE '^include ' /etc/ipsec.conf /etc/ipsec.d/

/etc/ipsec.conf:include /etc/crypto-policies/back-ends/libreswan.config
/etc/ipsec.conf:include /etc/ipsec.d/*.conf

If the IPsec configuration file does not contain "include /etc/crypto-policies/back-ends/libreswan.config", this is a finding.

Fix

Configure Libreswan to use the systemwide cryptographic policy.

Add the following line to "/etc/ipsec.conf":

include /etc/crypto-policies/back-ends/libreswan.config
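The check and fix above, scripted as an added example (this is not part of the STIG text or of the Libreswan project). The functions take the configuration file and directory as parameters so they can be exercised against a constructed sample; on a real host you would pass /etc/ipsec.conf and /etc/ipsec.d. Two assumptions beyond the page: the directory is scanned for *.conf files because the stock /etc/ipsec.conf includes /etc/ipsec.d/*.conf, and the override listing treats conn-level ike= and esp= lines as bypassing the policy, which is how Libreswan applies per-conn algorithm settings. Note that the include only delegates to whichever systemwide policy is active; the tunnel uses FIPS 140-3 approved algorithms only if that policy is FIPS.

```bash
#!/usr/bin/env bash
# Added example (not from the STIG or Libreswan): check and remediate the
# "include /etc/crypto-policies/back-ends/libreswan.config" requirement.
# Paths are parameters so the functions can run against constructed sample
# files; on a real host pass /etc/ipsec.conf and /etc/ipsec.d.

POLICY_INCLUDE='include /etc/crypto-policies/back-ends/libreswan.config'

# Anchored pattern: leading whitespace allowed, exact back-end path, nothing
# trailing. A commented-out "# include ..." line does NOT satisfy the check,
# and neither does the unrelated "include /etc/ipsec.d/*.conf" line.
INCLUDE_RE='^[[:space:]]*include[[:space:]]+/etc/crypto-policies/back-ends/libreswan\.config[[:space:]]*$'

# check_ipsec_policy CONF DIR
# Mirrors the STIG check: scan CONF plus every *.conf under DIR (assumption:
# ipsec.conf includes /etc/ipsec.d/*.conf, as shipped).
# Returns 0 when the include is present (compliant), 1 when it is a finding.
check_ipsec_policy() {
    local conf="$1" dir="$2" f
    set -- "$conf"
    if [ -d "$dir" ]; then
        for f in "$dir"/*.conf; do
            [ -f "$f" ] && set -- "$@" "$f"
        done
    fi
    grep -qsE "$INCLUDE_RE" "$@"
}

# apply_ipsec_policy_fix CONF DIR
# Mirrors the STIG fix: append the include line to CONF only when the check
# fails, so repeated runs never duplicate the line.
apply_ipsec_policy_fix() {
    local conf="$1" dir="$2"
    if ! check_ipsec_policy "$conf" "$dir"; then
        printf '%s\n' "$POLICY_INCLUDE" >> "$conf"
    fi
}

# list_crypto_overrides CONF
# Caveat beyond the STIG check (assumption about Libreswan semantics): a
# conn-level ike= or esp= line replaces the algorithm set supplied by the
# crypto-policies back-end for that conn. Prints matching lines with line
# numbers; returns 0 if any were found, 1 otherwise.
list_crypto_overrides() {
    grep -nE '^[[:space:]]*(ike|esp)=' "$1" 2>/dev/null
}

# Stand-alone demonstration against a constructed, deliberately non-compliant
# configuration (sample content, not taken from a real host).
main() {
    local tmp
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/ipsec.d"
    cat > "$tmp/ipsec.conf" <<'EOF'
config setup
    # include /etc/crypto-policies/back-ends/libreswan.config
include /etc/ipsec.d/*.conf
conn legacy-peer
    ike=3des-sha1;modp1024
    esp=3des-sha1
EOF
    if check_ipsec_policy "$tmp/ipsec.conf" "$tmp/ipsec.d"; then
        echo "PASS: system crypto policy is included"
    else
        echo "FINDING: crypto policy include missing; applying fix"
        apply_ipsec_policy_fix "$tmp/ipsec.conf" "$tmp/ipsec.d"
        check_ipsec_policy "$tmp/ipsec.conf" "$tmp/ipsec.d" && echo "PASS after fix"
    fi
    echo "Per-conn algorithm overrides that bypass the policy:"
    list_crypto_overrides "$tmp/ipsec.conf" || echo "(none)"
    rm -rf "$tmp"
}

main "$@"
```

The anchored regex matters: the STIG's `grep -rE '^include '` also matches the stock `include /etc/ipsec.d/*.conf` line, so a reviewer must still confirm the crypto-policies path is the one present and not commented out. The override listing is advisory only; it flags conns whose own ike=/esp= settings would sidestep the policy the include brings in.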