--- src/ipsec/_ipsec.in
+++ src/ipsec/_ipsec.in
@@ -44,6 +44,26 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR
 
 IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
 
+fipscheck()
+{
+	# when fips operation mode is not enabled, just report OK
+	read 2>/dev/null fips_enabled < /proc/sys/crypto/fips_enabled
+	test "X$fips_enabled" = "X1"    || return 0
+
+	# complain when _fipscheck is missed
+	test -x "$IPSEC_DIR/_fipscheck" || {
+		echo "ipsec: please install strongswan-hmac package required in fips mode" >&2
+		return 4
+	}
+
+	# now execute it
+	$IPSEC_DIR/_fipscheck || {
+		rc=$?
+		echo "ipsec: strongSwan fips file integrity check failed" >&2
+		return $rc
+	}
+}
+
 case "$1" in
 '')
 	echo "$IPSEC_SCRIPT command [arguments]"
@@ -155,6 +175,7 @@ rereadall|purgeocsp|listcounters|resetcounters)
 	shift
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$op" "$@"
 		rc="$?"
 	fi
@@ -164,6 +185,7 @@ purgeike|purgecrls|purgecerts)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$1"
 		rc="$?"
 	fi
@@ -197,6 +219,7 @@ route|unroute)
 	fi
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE "$op" "$1"
 		rc="$?"
 	fi
@@ -206,6 +229,7 @@ secrets)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE rereadsecrets
 		rc="$?"
 	fi
@@ -213,6 +237,7 @@ secrets)
 	;;
 start)
 	shift
+	fipscheck || exit $?
 	if [ -d /var/lock/subsys ]; then
 		touch /var/lock/subsys/ipsec
 	fi
@@ -286,6 +311,7 @@ up)
 	rc=7
 	if [ -e $IPSEC_CHARON_PID ]
 	then
+		fipscheck || exit $?
 		$IPSEC_STROKE up "$1"
 		rc="$?"
 	fi
@@ -325,6 +351,11 @@ esac
 cmd="$1"
 shift
 
+case $cmd in
+_fipscheck|_copyright|pki) ;;
+*) fipscheck || exit $?	;;
+esac
+
 path="$IPSEC_DIR/$cmd"
 
 if [ ! -x "$path" ]