Federal Information Processing Standard (FIPS) 140-2 Module

You can install the FIPS 140-2 Module via a Security Patch.

After the FIPS 140-2 patch is installed, you can turn it On from the Settings > Configuration > General tab.

Turning On this setting will restart OpenVPN services and cause your VPN clients to disconnect and then reconnect to the gateways.

The FIPS 140-2 approved crypto functions are described in this Security Policy PDF. According to this document, the following algorithms that Aviatrix supports are FIPS 140-2 compliant:

IPsec Algorithms	Value
Phase 1 Authentication	SHA-1, SHA-512, SHA-384, SHA-256
Phase 1 DH Groups	2, 1, 5, 14, 15, 16, 17, 18
Phase 1 Encryption	AES-256-CBC, AES-192-CBC, AES-128-CBC, 3DES
Phase 2 Authentication	HMAC-SHA-1, HMAC-SHA-512, HMAC-SHA-384, HMAC-SHA-256
Phase 2 DH Groups	2, 1, 5, 14, 15, 16, 17, 18
Phase 2 Encryption	AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM-64, AES-128-GCM-96, AES-128-GCM-128, 3DES

IPsec Algorithms

Value

Phase 1 Authentication

SHA-1, SHA-512, SHA-384, SHA-256

Phase 1 DH Groups

2, 1, 5, 14, 15, 16, 17, 18

Phase 1 Encryption

AES-256-CBC, AES-192-CBC, AES-128-CBC, 3DES

Phase 2 Authentication

HMAC-SHA-1, HMAC-SHA-512, HMAC-SHA-384, HMAC-SHA-256

Phase 2 DH Groups

2, 1, 5, 14, 15, 16, 17, 18

Phase 2 Encryption

AES-256-CBC, AES-192-CBC, AES-128-CBC, AES-128-GCM-64, AES-128-GCM-96, AES-128-GCM-128, 3DES

SSL VPN encryption algorithm set on the server is AES-256-CBC. For OpenVPN clients running a version 2.3 or lower the negotiated algorithm would be AES-256-CBC. For OpenVPN clients running 2.4 or higher, the negotiated algorithm would be AES-256-GCM due to NCP (Negotiable Crypto Parameters).

The SSL VPN authentication algorithm is SHA512.