Quantum Key Distribution(QKD) can be used in FortiGate IPsec configuration to manage the key between two endpoint tunnels via  Key Management Entity (KME).

• Step to configure Ipsec S2S with QKD.

FortiGate-A.

1. Create user peer and VPN QKD profile.
   
   

config user peer

    edit "qkdtest"

        set ca "CA_Cert"

    next

end

config vpn qkd

    edit "qkdtest"

        set server "10.100.0.1"    <-- Server IPv4, IPv6 or DNS address of the KME.

        set port 443  <-- Port to connect to on the KME.

        set id "qkd00001" <-- ID Quantum Key Distribution ID assigned by the KME.

        set peer "qkdtest" <-- Peer Authenticate Quantum Key Device's certificate with the peer/peergrp.

        set certificate "client"

    next

2. Create IPsec config.

    

   
   config vpn ipsec phase1-interface

       edit "TEST-A"

           set interface "port1"

           set ike-version 2

           set peertype any

           set net-device disable

           set childless-ike enable <- Requirement for qkd support.

           set proposal aes256-sha256

           set dpd disable

           set dhgrp 21

           set qkd  ?

           disable --> Disable the use of a Quantum Key Distribution (QKD) server.

           allow --> Allow, but do not require, use of a Quantum Key Distribution (QKD) server.

           require --> Require the use of a Quantum Key Distribution (QKD) server.

           set qkd-profile "qkdtest"

           set remote-gw 192.168.1.1

           set psksecret ENC  XXXX

       next

   end

    

   config vpn ipsec phase2-interface

       edit "TEST-A"

           set phase1name "TEST"

           set proposal aes256-sha256

           set auto-negotiate enable

           set keylifeseconds 3600

FortiGate-B.

1. Create user peer and VPN QKD profile.

config user peer

    edit "qkdtest"

        set ca "CA_Cert"

    next

end

config vpn qkd

    edit "qkdtest"

        set server "10.100.0.1"    <-- Server IPv4, IPv6 or DNS address of the KME.

        set port 443  <-- Port to connect to on the KME.

        set id "qkd00002" <-- Id Quantum Key Distribution ID assigned by the KME.

        set peer "qkdtest" <-- Peer Authenticate Quantum Key Device's certificate with the peer/peergrp.

        set certificate "client"

    next

2. Create IPsec config.

   
   config vpn ipsec phase1-interface

       edit "TEST-A"

           set interface "port1"

           set ike-version 2

           set peertype any

           set net-device disable

           set proposal aes256-sha256

           set dpd disable

           set dhgrp 21

           set qkd  ?

                    disable - Disable the use of a Quantum Key Distribution (QKD) server.

                    allow -  Allow, but do not require, the use of a Quantum Key Distribution (QKD) server.

                    require - Require the use of a Quantum Key Distribution (QKD) server.

           set qkd-profile "qkdtest"

           set remote-gw 192.168.1.2

           set psksecret ENC  XXXX

       next

   end

    

   config vpn ipsec phase2-interface

       edit "TEST-B"

           set phase1name "TEST"

           set proposal aes256-sha256

           set pfs disable

           set replay disable

           set auto-negotiate enable

           set keylifeseconds 3600

The below command can verify the status of QKD.

diag vpn ike qkd  qkdtest

diag debug application ike -1

diag de en

Note: QKD commands and support are hidden in v7.6.0 to fix a known issue, and it will be available in v7.6.1 again.