
How to configure QKD (Quantum Key Distribution) for site to site IPsec key management

This article describes how to configure QKD key management for a site-to-site IPsec VPN.

Scope

FortiOS 7.4.2.

Solution

Quantum Key Distribution (QKD) can be used in a FortiGate IPsec configuration to manage the keys between the two tunnel endpoints via a Key Management Entity (KME). Each FortiGate is configured with a QKD profile that points at the KME, and the IPsec phase1 is told whether the QKD key is optional or mandatory.

Steps to configure an IPsec site-to-site (S2S) tunnel with QKD.

FortiGate-A.

Step 1: Create user peer and VPN QKD profile.

config user peer
edit "qkdtest"
set ca "CA_Cert"
next
end
config vpn qkd
edit "qkdtest"
set server "10.100.0.1" <-- IPv4, IPv6 or DNS address of the KME.
set port 443 <-- Port to connect to on the KME.
set id "qkd00001" <-- Quantum Key Distribution ID assigned by the KME.
set peer "qkdtest" <-- Authenticate the Quantum Key Device's certificate with the peer/peergrp (the user peer created above).
set certificate "client" <-- Local certificate presented to the KME.
next
end

Step 2: Create IPsec config.

config vpn ipsec phase1-interface
edit "TEST-A"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes256-sha256
set dpd disable
set dhgrp 21
set qkd ?
disable --> Disable the use of a Quantum Key Distribution (QKD) server.
allow --> Allow, but do not require, use of a Quantum Key Distribution (QKD) server.
require --> Require the use of a Quantum Key Distribution (QKD) server.
set qkd-profile "qkdtest"
set remote-gw 192.168.1.1
set psksecret ENC XXXX
next
end
config vpn ipsec phase2-interface
edit "TEST-A"
set phase1name "TEST-A" <-- Must match the phase1-interface name configured above.
set proposal aes256-sha256
set auto-negotiate enable
set keylifeseconds 3600
next
end

FortiGate-B.

Step 1: Create user peer and VPN QKD profile.

config user peer
edit "qkdtest"
set ca "CA_Cert"
next
end
config vpn qkd
edit "qkdtest"
set server "10.100.0.1" <-- IPv4, IPv6 or DNS address of the KME.
set port 443 <-- Port to connect to on the KME.
set id "qkd00002" <-- Quantum Key Distribution ID assigned by the KME.
set peer "qkdtest" <-- Authenticate the Quantum Key Device's certificate with the peer/peergrp (the user peer created above).
set certificate "client" <-- Local certificate presented to the KME.
next
end

Step 2: Create IPsec config.

config vpn ipsec phase1-interface
edit "TEST-B"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal aes256-sha256
set dpd disable
set dhgrp 21
set qkd ?
disable --> Disable the use of a Quantum Key Distribution (QKD) server.
allow --> Allow, but do not require, use of a Quantum Key Distribution (QKD) server.
require --> Require the use of a Quantum Key Distribution (QKD) server.
set qkd-profile "qkdtest"
set remote-gw 192.168.1.2
set psksecret ENC XXXX
next
end
config vpn ipsec phase2-interface
edit "TEST-B"
set phase1name "TEST-B" <-- Must match the phase1-interface name configured above.
set proposal aes256-sha256
set pfs disable
set replay disable
set auto-negotiate enable
set keylifeseconds 3600
next
end
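To make the key flow behind this configuration concrete, here is an added illustrative model; it is not FortiOS or Fortinet code and does not talk to a real KME. It assumes the KME follows the ETSI GS QKD 014 pattern (the initiating peer requests a fresh key for the other peer's ID, only the key_ID is carried between the peers, and the other peer fetches the same key by that key_ID) and that the QKD key is mixed into the IKE keying material together with the Diffie-Hellman secret; the HMAC-based mixing, the in-memory KME class and the SAE IDs qkd00001/qkd00002 are constructed for the example. The mutually authenticated TLS that `set peer` and `set certificate` configure on the FortiGate is outside the model. The `negotiate` function shows the practical difference between the three `set qkd` values: `allow` silently falls back to DH-only keying when the KME is unreachable, while `require` fails closed.

```python
# Added illustrative model (not FortiOS code): two IPsec peers obtaining one
# shared key from a Key Management Entity and mixing it into IKE keying material.
import hashlib
import hmac
import os
import uuid


class KME:
    """In-memory stand-in for a KME (constructed for this example).

    The two methods mirror the ETSI GS QKD 014 pattern assumed here: the master
    SAE requests fresh keys ('enc_keys'); the slave SAE fetches the same key by
    key_ID ('dec_keys'). A real KME sits behind mutually authenticated TLS,
    which the FortiGate config covers with 'set peer' / 'set certificate';
    that TLS layer is not modeled.
    """

    def __init__(self):
        self._keys = {}  # key_ID -> (key bytes, SAE IDs allowed to fetch it)

    def enc_keys(self, master_id, slave_id, size_bits=256):
        """Master SAE asks for a key that only slave_id may later retrieve."""
        key = os.urandom(size_bits // 8)
        key_id = str(uuid.uuid4())
        self._keys[key_id] = (key, {slave_id})
        return {"key_ID": key_id, "key": key}

    def dec_keys(self, slave_id, key_id):
        """Slave SAE retrieves the key by key_ID; each key is handed out once."""
        entry = self._keys.get(key_id)
        if entry is None:
            raise KeyError("unknown or already consumed key_ID")
        key, allowed = entry
        if slave_id not in allowed:
            raise PermissionError("SAE %s not authorized for key_ID %s" % (slave_id, key_id))
        del self._keys[key_id]
        return {"key_ID": key_id, "key": key}


def mix(dh_secret, qkd_key=None):
    """Derive IKE keying material (illustrative): HMAC over the DH secret keyed
    with the QKD key; without a QKD key it degrades to a plain hash of DH."""
    if qkd_key is None:
        return hashlib.sha256(dh_secret).digest()
    return hmac.new(qkd_key, dh_secret, hashlib.sha256).digest()


def negotiate(mode, kme, initiator_id, responder_id, dh_secret, kme_reachable=True):
    """Model the 'set qkd' policy. Returns (initiator_key, responder_key, used_qkd).

    disable: never contact the KME.
    allow:   use the KME if reachable, otherwise fall back to DH only (fails open).
    require: refuse to bring the tunnel up without a KME key (fails closed).
    """
    if mode not in ("disable", "allow", "require"):
        raise ValueError("mode must be disable, allow or require")
    if mode == "disable" or not kme_reachable:
        if mode == "require":
            raise RuntimeError("qkd=require but KME unreachable; tunnel not established")
        return mix(dh_secret), mix(dh_secret), False
    # Initiator (FortiGate-A, id qkd00001 on the page) asks the KME for a key
    # bound to the responder's ID; only the key_ID travels between peers in IKE.
    init = kme.enc_keys(initiator_id, responder_id)
    # Responder (FortiGate-B, id qkd00002) fetches the same key by key_ID.
    resp = kme.dec_keys(responder_id, init["key_ID"])
    return mix(dh_secret, init["key"]), mix(dh_secret, resp["key"]), True


if __name__ == "__main__":
    kme = KME()
    dh = b"constructed DH shared secret"
    a, b, used = negotiate("require", kme, "qkd00001", "qkd00002", dh)
    print("require, KME up: keys match =", a == b, "used_qkd =", used)
    a, b, used = negotiate("allow", kme, "qkd00001", "qkd00002", dh, kme_reachable=False)
    print("allow, KME down: keys match =", a == b, "used_qkd =", used)
```

When run, the first negotiation yields identical keying material on both peers with the KME key folded in, and the second shows the `allow` fallback producing a valid but DH-only key. That fallback is the point to check when choosing between `allow` and `require`: with `allow`, a KME outage is invisible at the tunnel level unless you verify with the diagnostic commands below.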

The following commands can be used to verify the QKD status and to debug the IKE negotiation:

diag vpn ike qkd testqkd
diag debug application ike -