diff --git a/strongswan-fips-disablegcrypt.patch b/strongswan-fips-disablegcrypt.patch
new file mode 100644
index 0000000..516aa3d
--- /dev/null
+++ b/strongswan-fips-disablegcrypt.patch
@@ -0,0 +1,15 @@
+References: fate#316931
+
+Index: strongswan-5.1.3/conf/plugins/gcrypt.conf
+===================================================================
+--- strongswan-5.1.3.orig/conf/plugins/gcrypt.conf
++++ strongswan-5.1.3/conf/plugins/gcrypt.conf
+@@ -2,7 +2,7 @@ gcrypt {
+ 
+ # Whether to load the plugin. Can also be an integer to increase the
+ # priority of this plugin.
+- load = yes
++ load = no
+ 
+ # Use faster random numbers in gcrypt; for testing only, produces weak keys!
+ # quick_random = no
diff --git a/strongswan.changes b/strongswan.changes
index 0e04f4e..f6d144b 100644
--- a/strongswan.changes
+++ b/strongswan.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Jul 3 13:39:45 UTC 2014 - meissner@suse.com
+
+- disable gcrypt plugin by default, so it will only use openssl
+ fate#316931 [+strongswan-fips-disablegcrypt.patch]
+- enable fips mode 2
+
 -------------------------------------------------------------------
 Fri Jun 20 17:38:07 UTC 2014 - crrodriguez@opensuse.org
 
diff --git a/strongswan.spec b/strongswan.spec
index 8a0d5ad..cc7e7e1 100644
--- a/strongswan.spec
+++ b/strongswan.spec
@@ -63,6 +63,7 @@ Source4: README.SUSE
 Source5: %{name}.keyring
 Patch1: %{name}_modprobe_syslog.patch
 Patch2: %{name}_ipsec_service.patch
+Patch3: %{name}-fips-disablegcrypt.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: bison
 BuildRequires: curl-devel
@@ -243,6 +244,7 @@ and the load testing plugin for IKEv2 daemon.
 %setup -q -n %{name}-%{upstream_version}
 %patch1 -p0
 %patch2 -p0
+%patch3 -p1
 sed -e 's|@libexecdir@|%_libexecdir|g' \
 < $RPM_SOURCE_DIR/strongswan.init.in \
 > strongswan.init
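Review bot: Flipping `load = yes` to `load = no` in the shipped gcrypt.conf only changes the packaged default; if the spec still builds and installs the gcrypt plugin (its `--enable-gcrypt`/%files handling is not visible in this diff) the plugin stays on disk and is one config edit away from being loaded again, and if gcrypt.conf is installed as `%config(noreplace)` systems that already have the file keep `load = yes` across the upgrade, so the FIPS intent would not reach existing installs. The patch header should say which outcome is intended and that the change is distribution-specific, e.g. add `Upstream: no` and `Subject: disable gcrypt plugin by default so only the OpenSSL backend provides crypto (FIPS)` next to the existing `References: fate#316931` line. If the goal is that gcrypt is never used in FIPS mode, not building the plugin at all is a stronger guarantee than a changeable default.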
@@ -257,6 +259,7 @@ export RPM_OPT_FLAGS CFLAGS
 --enable-integrity-test \
 --with-capabilities=libcap \
 --with-plugindir=%{strongswan_plugins} \
+ --with-fips=2 \
 --with-resolv-conf=%{_rundir}/%{name}/resolv.conf \
 --with-piddir=%{_rundir}/%{name} \
 --enable-pkcs11 \
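Review bot: The added flag `--with-fips=2` does not match the spelling I know for strongSwan's OpenSSL FIPS switch, which is `--with-fips-mode=` (0 disabled, 1 enabled, 2 Suite B); since autoconf only emits an "unrecognized options" warning for an unknown `--with-*` argument and continues, a misspelled flag would be silently ignored and the package would build without the FIPS mode the changelog entry claims to enable. Please verify against `./configure --help` for the 5.1.3 tarball and, if confirmed, change the line to `--with-fips-mode=2 \`; it is also worth adding a spec comment noting that this setting relies on a FIPS-capable OpenSSL at runtime, e.g. `# FIPS mode 2 (Suite B) requires a FIPS-enabled OpenSSL; see fate#316931`. The configure invocation starts and ends outside this hunk.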