Hey all. I'm a sysadmin for a small MSP and we've just inherited a new client, a police department. Their desktop machines (win10/win11) are all domain joined and hardwired and there are no wireless networks. They have an HA pair of Sonicwall TZ270 firewalls guarding the gate. A new request has come through to add several laptops to their domain. These laptops will be used in patrol vehicles and need to be connected back to their LAN subnet and the domain controller (win server 2022).

Since they're a police department, they have to comply with CJIS regulations, and my understanding is that the connection between the laptops and LAN subnet has to use FIPS 140-2 validated cryptography. (The possibility exists that CJI, the sensitive data that requires protection, may transit this connection.) This is all new territory for me, but I did some digging and learned that their firewalls are already running in FIPS mode. So that's a start.

I'm completely confused though on what needs to happen on the laptop side of this equation. The laptops are all running win10/win11 and I know that I can enable FIPS mode through group policy. In fact, I tried this and it doesn't work. The Sonicwalls require SHA256 authentication to remain in FIPS mode and the only way that I could get the laptops to connect was to change the Sonicwalls to SHA1, which knocks them out of FIPS mode. I found a list online that suggests that win10/win11 only support SHA1 for authentication which is kind of strange. (I was connecting via the built-in L2TP/IPSec VPN client.)

Sonicwall has a couple of VPN clients, but none appear to be FIPS validated. So I'm at a loss here. For those with more experience on the subject matter, how would you connect these laptops to the main network while remaining compliant with the FIPS 140-2 validation requirement? The laptops need to be connected at all times and all traffic needs to be tunneled through the Sonicwalls. So how would you approach this issue?

Thanks in advance for any ideas or advice!