This section explains how FIPS-compliant IKEv2 sessions operate, including enforcement modes, compatibility considerations, and regulatory benefits.
FIPS compliance for IKEv2 sessions is a security standard that
-
requires all IKEv2 sessions to use only cryptographic algorithms and key parameters approved by FIPS
-
can be enabled or disabled at the process or system level to enforce compliance, and
-
ensures that only IKEv2 sessions meeting FIPS criteria are established when FIPS mode is active.
From Cisco IOS XR Software Release 25.3.1, when you enable system-wide FIPS mode using the crypto fips-mode command, NCS 1014 enforces FIPS compliance for all applicable processes. This improves the security and visibility for IKEv2 sessions on your device.
-
When enabled, FIPS mode terminates all IKEv2sessions and allows only FIPS-compliant IKEv2 sessions to re-establish.
When disabled, non-FIPS-compliant IKEv2 sessions can be established, while existing IKEv2 sessions remain unaffected.
However, when system wide FIPS mode is enabled, some deployments may encounter compatibility issues if other vendors or applications do not support FIPS mode.
To address these challenges, from Release 25.4.1, the ikev2 fips-mode command is introduced to provide a more flexible solution that restricts only IKEv2 sessions.
This selective enablement empowers organizations to achieve regulatory compliance and maintain compatibility in mixed-vendor environments.
If you enable both IKEv2 fips-mode and global crypto fips-mode, the system sets FIPS mode one time. The most restrictive setting will have priority.