From 909306c1c319964d1afa2ae0e3620f0b159f530d Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 22 Jan 2026 10:54:06 +0200
Subject: [PATCH 1/4] Enable libreswan_approved_tunnels rule for sle16
---
products/sle16/profiles/hipaa.profile | 1 -
1 file changed, 1 deletion(-)
diff --git a/products/sle16/profiles/hipaa.profile b/products/sle16/profiles/hipaa.profile
index 94fc562559a9..7208d847bc5d 100644
--- a/products/sle16/profiles/hipaa.profile
+++ b/products/sle16/profiles/hipaa.profile
@@ -48,7 +48,6 @@ selections:
 - '!file_permissions_user_cfg'
 - '!grub2_admin_username'
 - '!grub2_uefi_admin_username'
- - '!libreswan_approved_tunnels'
 - '!package_rsh_removed'
 - '!package_rsh-server_removed'
 - '!package_talk_removed'
From 779a7206c7b8bee4b79a1d5a991fbf3fe8f2256c Mon Sep 17 00:00:00 2001
From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com>
Date: Thu, 22 Jan 2026 10:55:20 +0200
Subject: [PATCH 2/4] Adapt libreswan_approved_tunnels for sle16 and sle15
Use checks and remediation instructions references with strongswan, as it is the default IPSec solution for sle15 and sle16 platforms
---
.../policy/stig/shared.yml | 9 +++++++-
.../libreswan_approved_tunnels/rule.yml | 23 +++++++++++++++++++
2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/policy/stig/shared.yml b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/policy/stig/shared.yml
index ab4d53964856..17cb971f1309 100644
--- a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/policy/stig/shared.yml
+++ b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/policy/stig/shared.yml
@@ -9,14 +9,21 @@ checktext: |- Determine if the "IPsec" service is active with the following command: + {{% if product in ['sle15', 'sle16'] %}} $ systemctl is-active ipsec + {{% else %}} + $ systemctl is-active strongswan + {{% endif %}} Inactive If the "IPsec" service is active, check for configured IPsec connections ("conn"), with the following command: $ sudo grep -rni conn /etc/ipsec.conf /etc/ipsec.d/ - + {{% if product in ['sle15', 'sle16'] %}} + Also: + $ sudo grep -rni conn /etc/swanctl/swanctl.conf /etc/swanctl/conf.d/ + {{% endif %}} Verify any returned results are documented with the ISSO. If the IPsec tunnels are active and not approved, this is a finding. diff --git a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml index e479600d1a93..2c3fa2c123af 100644 --- a/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml +++ b/linux_os/guide/system/network/network-ipsec/libreswan_approved_tunnels/rule.yml @@ -8,7 +8,11 @@ description: |- and IKE, which permits the creation of secure tunnels over untrusted networks. As such, IPsec can be used to circumvent certain network requirements such as filtering. Verify that if any IPsec connection + {{% if product in ['sle15', 'sle16'] %}} + (conn) configured in /etc/swanctl/swanctl.conf and /etc/swanctl/conf.d/ + {{% else %}} (conn) configured in /etc/ipsec.conf and /etc/ipsec.d + {{% endif %}} exists is an approved organizational connection. rationale: 'IP tunneling mechanisms can be used to bypass network filtering.' @@ -20,6 +24,7 @@ identifiers: cce@rhel9: CCE-90319-5 cce@rhel10: CCE-87382-8 cce@sle15: CCE-91153-7 + cce@sle16: CCE-95793-6 references: cis-csc: 1,12,13,14,15,16,18,4,6,8,9 
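Review bot: The new conditional around `systemctl is-active` is inverted: the `{{% if product in ['sle15', 'sle16'] %}}` branch keeps the existing `$ systemctl is-active ipsec` line, while the new `$ systemctl is-active strongswan` lands in the `{{% else %}}` branch, which is the opposite of the commit message and of the OCIL in rule.yml (SLE branch shows `systemctl status strongswan`, non-SLE branch shows `ipsec.service`). As written, an assessor on a libreswan host is told to query a unit that does not exist there, and on SLE the check would not notice a running strongswan.service. Swap the two commands so the SLE branch reads `$ systemctl is-active strongswan` and the else branch `$ systemctl is-active ipsec`. The `checktext` block starts before this hunk.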
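Review bot: The SLE-specific description sentence names only `/etc/swanctl/swanctl.conf and /etc/swanctl/conf.d/`, but the SLE checktext added in this same patch still greps `/etc/ipsec.conf /etc/ipsec.d/` and treats the swanctl paths as an addition ("Also:"), so the description and the check disagree on which files constitute a configured connection. Either list both sets in the SLE description, e.g. `(conn) configured in /etc/ipsec.conf, /etc/ipsec.d/, /etc/swanctl/swanctl.conf and /etc/swanctl/conf.d/`, or drop the legacy paths from the SLE check if strongswan on SLE does not read them. The `description` block starts before this hunk.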
@@ -41,18 +46,36 @@ ocil: |- {{% if 'rhel' in product or 'ol' in families %}} # {{{ pkg_manager }}} list installed libreswan libreswan.x86-64 3.20-5.el7_4 + {{% elif product in ['sle15', 'sle16'] %}} + strongswan {{% endif %}} + {{% if product in ['sle15', 'sle16'] %}} + If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: + {{% else %}} If "libreswan" is installed, check to see if the "IPsec" service is active with the following command: + {{% endif %}} + {{% if product in ['sle15', 'sle16'] %}} + # systemctl status strongswan + strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl + Loaded: loaded (/usr/lib/systemd/system/strongswan.service; disabled; preset: disabled) + Active: inactive (dead) + {{% else %}} # systemctl status ipsec ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled) Active: inactive (dead) + {{% endif %}} If the "IPsec" service is active, check for configured IPsec connections (conn), perform the following:
grep -rni conn /etc/ipsec.conf /etc/ipsec.d/
+ {{% if product in ['sle15', 'sle16'] %}} + Also: +
grep -rni conn /etc/swanctl/swanctl.conf /etc/swanctl/conf.d/
+ {{% endif %}} + Verify any returned results for organizational approval. fixtext: |- From 3f187147fd3dc55eaaf3545f853d06f175c768e1 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 22 Jan 2026 10:57:10 +0200 Subject: [PATCH 3/4] strongswan package is the libreswan alternative for sle15 and sle16 --- shared/applicability/package.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shared/applicability/package.yml b/shared/applicability/package.yml index 7a6ee2ffc985..5f81f2c90524 100644 --- a/shared/applicability/package.yml +++ b/shared/applicability/package.yml @@ -57,7 +57,7 @@ args: pkgname: libpwquality {{% endif %}} libreswan: - {{% if product == "sle15" %}} + {{% if product in ["sle15", "sle16"] %}} pkgname: strongswan-ipsec {{% else %}} pkgname: libreswan From 9a2a79aeb7db25c614ed44a0f3f603826983efc8 Mon Sep 17 00:00:00 2001 From: teacup-on-rockingchair <315160+teacup-on-rockingchair@users.noreply.github.com> Date: Thu, 22 Jan 2026 10:57:51 +0200 Subject: [PATCH 4/4] Allocate CCE for sle16 support for libreswan_approved_tunnels rule --- shared/references/cce-sle16-avail.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/shared/references/cce-sle16-avail.txt b/shared/references/cce-sle16-avail.txt index 77ac5a0f06cc..104b04c8b550 100644 --- a/shared/references/cce-sle16-avail.txt +++ b/shared/references/cce-sle16-avail.txt @@ -57,7 +57,6 @@ CCE-95788-6 CCE-95789-4 CCE-95790-2 CCE-95791-0 -CCE-95793-6 CCE-95794-4 CCE-95795-1 CCE-95796-9
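Review bot: Both branches of the new `{{% if product in ['sle15', 'sle16'] %}}` around the "If "libreswan" is installed" sentence contain identical text, so the conditional adds nothing and the SLE text still names libreswan while the package shown above and the unit queried below are strongswan. Change the SLE branch to `If "strongswan" is installed, check to see if the "IPsec" service is active with the following command:`. The new `{{% elif product in ['sle15', 'sle16'] %}}` branch also shows only the bare output line `strongswan`, with no package-query command, unlike the rhel/ol branch that shows `# {{{ pkg_manager }}} list installed libreswan`; presumably a command such as `# zypper search -i strongswan` was intended, please confirm. The `ocil` block starts before this hunk.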
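Review bot: The `libreswan` applicability alias now resolves to `pkgname: strongswan-ipsec` for sle16, but the check text added in this series greps `/etc/swanctl/swanctl.conf` and queries `strongswan.service`, which, if SLE follows upstream strongswan packaging, belong to the swanctl/charon-systemd side rather than the legacy `strongswan-ipsec` starter package. If a host can have `strongswan` installed without `strongswan-ipsec`, the rule would be evaluated as not applicable on exactly the hosts the swanctl check is aimed at. This is an inference from the paths in the patch, not a confirmed defect; worth checking against the actual SLE package split and, if needed, widening the platform to cover both packages.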