FIPS 140-2 issue with pre-shared key

JohnK · August 2022

We have a Sonicwall TZ300 - we are running into issues with pre-shared keys being needed for a FIPS 140-2 environment.

The firewall is telling me: "Only IKE 3rd party certificate can be used for VPN tunnel in FIPS mode" while on their website they say: "VPN Policy pre-shared key length must be longer than 8 characters."

FIPS itself seems to allow pre-shared keys/private keys as well. Just in case Sonicwall wasn't giving me the full info, I also generated a key that had 384 bits, and one that had 48 - both had the same issue (including one generated by a Google generator).

Is there really no way, with Sonicwall, to use a pre-shared key with FIP mode enabled?

TKWITS · August 2022

Documentation is all over the place, but I've always gone by the rule that 3rd Party Certs are required for VPN tunnels.

http://help.sonicwall.com/help/sw/eng/8420/26/2/3/content/System_Settings.026.7.htm

https://www.sonicwall.com/support/knowledge-base/how-to-enable-the-fips-mode-checklist/210701195557547/

https://www.sonicwall.com/support/knowledge-base/how-do-i-enable-fips-mode/170505541129412/

FIPS is generally outdated anyway, but obviously serves a purpose.

From the U.S. government:

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3658.pdf

JohnK · August 2022

Blast, I didn't find that nist.gov thing, since finding documents on FIPS brings like 6 million pages up. So for Sonicwall with FIPS - it does require a cert. That's going to be difficult... while I don't find it necessary, some of our groups deal with secure data and call for it. I appreciate the help. :)

Join the Conversation

FIPS 140-2 issue with pre-shared key

Best Answer

Answers