FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
msolanki
Staff
Article Id 324298
Description

This article describes how to configure Quantum Key Distribution (QKD) for a site-to-site IPsec VPN.

Scope

FortiOS v7.4.2.
Solution

Quantum Key Distribution (QKD) can be used in the FortiGate IPsec configuration so that the key material for the tunnel between the two endpoints is obtained from a Key Management Entity (KME) rather than derived only from the IKE exchange.

 

Steps to configure a site-to-site IPsec VPN with QKD.

 

FortiGate-A.

  1. Create a user peer and a VPN QKD profile.

config user peer
    edit "qkdtest"
        set ca "CA_Cert"            <-- CA that signed the KME's certificate.
    next
end

config vpn qkd
    edit "qkdtest"
        set server "10.100.0.1"     <-- IPv4, IPv6 or DNS address of the KME.
        set port 443                <-- Port to connect to on the KME.
        set id "qkd00001"           <-- Quantum Key Distribution ID assigned by the KME.
        set peer "qkdtest"          <-- Authenticate the Quantum Key Device's certificate with this peer/peergrp.
        set certificate "client"    <-- Certificate the FortiGate presents to the KME.
    next
end

 

  2. Create the IPsec configuration.

config vpn ipsec phase1-interface
    edit "TEST-A"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set childless-ike enable    <-- Required for QKD support.
        set proposal aes256-sha256
        set dpd disable
        set dhgrp 21
        set qkd ?
            disable  --> Disable the use of a Quantum Key Distribution (QKD) server.
            allow    --> Allow, but do not require, the use of a Quantum Key Distribution (QKD) server.
            require  --> Require the use of a Quantum Key Distribution (QKD) server.
        set qkd-profile "qkdtest"
        set remote-gw 192.168.1.1
        set psksecret ENC XXXX
    next
end

config vpn ipsec phase2-interface
    edit "TEST-A"
        set phase1name "TEST-A"     <-- Must match the phase1-interface name above.
        set proposal aes256-sha256
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

 

FortiGate-B.

 

  1. Create a user peer and a VPN QKD profile.

config user peer
    edit "qkdtest"
        set ca "CA_Cert"            <-- CA that signed the KME's certificate.
    next
end

config vpn qkd
    edit "qkdtest"
        set server "10.100.0.1"     <-- IPv4, IPv6 or DNS address of the KME.
        set port 443                <-- Port to connect to on the KME.
        set id "qkd00002"           <-- Quantum Key Distribution ID assigned by the KME.
        set peer "qkdtest"          <-- Authenticate the Quantum Key Device's certificate with this peer/peergrp.
        set certificate "client"    <-- Certificate the FortiGate presents to the KME.
    next
end

  2. Create the IPsec configuration.


config vpn ipsec phase1-interface
    edit "TEST-A"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set childless-ike enable    <-- Required for QKD support on both ends.
        set proposal aes256-sha256
        set dpd disable
        set dhgrp 21
        set qkd ?
            disable  --> Disable the use of a Quantum Key Distribution (QKD) server.
            allow    --> Allow, but do not require, the use of a Quantum Key Distribution (QKD) server.
            require  --> Require the use of a Quantum Key Distribution (QKD) server.
        set qkd-profile "qkdtest"
        set remote-gw 192.168.1.2
        set psksecret ENC XXXX
    next
end

config vpn ipsec phase2-interface
    edit "TEST-B"
        set phase1name "TEST-A"     <-- Must match the phase1-interface name above.
        set proposal aes256-sha256
        set pfs disable
        set replay disable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

 

The commands below show the QKD status for the profile and enable IKE debugging so the KME exchange can be followed:

diagnose vpn ike qkd qkdtest

diagnose debug application ike -1

diagnose debug enable

 

On FortiOS versions 7.6.1, 7.6.2 and 7.6.3, certain Quantum Key Distribution (QKD) servers may trigger a 'QKD error 5' message in the IKE debug logs.
QKD error 5 indicates that the FortiOS library used to communicate with the QKD server encountered an error while reading the response to the QKD request it sent.

In this case, a possible workaround is to increase the TLS handshake timeout on the server side to more than 10 seconds. If adjusting the server-side timeout is not possible, an upgrade to FortiOS v7.6.4 is recommended.

This behavior has been addressed in FortiOS v7.6.4 and is documented in the release notes under Resolved issues, Engineering Case ID 1145391.
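When the tunnel fails to come up, the first question is usually whether the FortiGate can even reach and authenticate to the KME with the values in the QKD profile (server, port, CA, client certificate). The script below is an added example, not FortiOS or Fortinet code: run from an administrator's workstation, it parses a 'config vpn qkd' block, reproduces the mutually authenticated TLS request the profile describes, and sanity-checks the KME's status reply. It assumes the KME implements the ETSI GS QKD 014 REST API (status endpoint /api/v1/keys/<peer SAE ID>/status, with the profile 'id' as this FortiGate's own SAE ID) and that the CA, client certificate and key have been exported to PEM files; none of those details are stated in the article, so adjust STATUS_PATH and the file names for your KME. The handshake time it reports is measured from the workstation, so it only indicates the server-side behaviour discussed above and cannot reproduce the FortiGate's own timing.

```python
"""Pre-flight check of the KME connection described by a FortiOS 'config vpn qkd'
profile. Added example, not FortiOS code. ETSI GS QKD 014 endpoint layout and
the meaning of the profile 'id' are assumptions, not taken from the article."""
import http.client
import json
import re
import ssl
import time
from urllib.parse import quote

STATUS_PATH = "/api/v1/keys/{peer}/status"   # ETSI GS QKD 014 status endpoint (assumption)

# Constructed sample: the FortiGate-A profile from the article, comments stripped.
SAMPLE_PROFILE = """
config vpn qkd
    edit "qkdtest"
        set server "10.100.0.1"
        set port 443
        set id "qkd00001"
        set peer "qkdtest"
        set certificate "client"
    next
end
"""


def parse_qkd_profile(text):
    """Return the profile name and every 'set' value from a 'config vpn qkd' block."""
    prof = {}
    m = re.search(r'edit\s+"([^"]+)"', text)
    if m:
        prof["name"] = m.group(1)
    for key, val in re.findall(r'^\s*set\s+(\S+)\s+"?([^"\n]+?)"?\s*$', text, re.M):
        prof[key] = int(val) if key == "port" else val
    return prof


def kme_status_url(prof, peer_sae_id):
    """URL the check fetches; peer_sae_id is the other FortiGate's QKD id."""
    path = STATUS_PATH.format(peer=quote(peer_sae_id, safe=""))
    return "https://%s:%d%s" % (prof["server"], prof["port"], path)


def classify_status(body, own_sae_id):
    """Sanity-check an ETSI 014 status body. Returns (ok, reason)."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False, "response is not JSON"
    if doc.get("master_SAE_ID") != own_sae_id:
        return False, "master_SAE_ID %r does not match profile id %r" % (
            doc.get("master_SAE_ID"), own_sae_id)
    if not doc.get("stored_key_count"):
        return False, "KME reports no stored keys"
    return True, "ok"


def check_kme(prof, peer_sae_id, ca_file, cert_file, key_file, timeout=10.0):
    """Connect to the KME as the profile describes and fetch the status endpoint.

    ca_file mirrors 'set ca' on the user peer; cert_file/key_file mirror
    'set certificate'. Returns handshake time, HTTP status and the body.
    """
    ctx = ssl.create_default_context(cafile=ca_file)   # verify the KME against the peer CA
    ctx.load_cert_chain(cert_file, key_file)           # present the FortiGate-style client cert
    conn = http.client.HTTPSConnection(prof["server"], prof["port"],
                                       context=ctx, timeout=timeout)
    start = time.monotonic()
    conn.connect()                                     # TCP + TLS handshake; raises on cert failure
    handshake = time.monotonic() - start
    path = STATUS_PATH.format(peer=quote(peer_sae_id, safe=""))
    conn.request("GET", path, headers={"Accept": "application/json"})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return {"handshake_seconds": handshake, "http_status": resp.status, "body": body}


if __name__ == "__main__":
    prof = parse_qkd_profile(SAMPLE_PROFILE)
    print("would query", kme_status_url(prof, "qkd00002"))
    # Real run (file names are placeholders for the exported CA, client cert and key):
    # result = check_kme(prof, "qkd00002", "ca.pem", "client.pem", "client.key")
    # print(result["handshake_seconds"], result["http_status"],
    #       classify_status(result["body"], prof["id"]))
```

A certificate failure surfaces in conn.connect() as an ssl.SSLError, which separates "the FortiGate cannot trust the KME" or "the KME rejects the client certificate" from the protocol-level problems that the IKE debug output reports; a status reply whose master_SAE_ID does not match the profile's id usually means the id was assigned to a different SAE on the KME.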

 

Notes:

  • QKD commands and support are hidden in v7.6.0 to fix a known issue; they are available again in v7.6.1.
  • QKD is not compatible with dynamic IPsec tunnels.