FortiGate
msolanki
Staff
Article Id 324298
Description

This article describes how to configure Quantum Key Distribution (QKD) for a site-to-site IPsec VPN between two FortiGates.

Scope
FortiOS 7.4.2.
Solution

Quantum Key Distribution (QKD) can be used in the FortiGate IPsec configuration so that the key material for the tunnel between the two endpoints is obtained from a Key Management Entity (KME) and used in the IKEv2 negotiation. The FortiGate reaches the KME over HTTPS, which is why the configuration below pairs the KME address and the ID assigned by the KME with a CA (to validate the KME's server certificate) and a local client certificate (presented to the KME).

 

  • Steps to configure a site-to-site IPsec tunnel with QKD.

 

FortiGate-A.

  1. Create user peer and VPN QKD profile.

config user peer

    edit "qkdtest"

        set ca "CA_Cert"

    next

end

 

config vpn qkd
    edit "qkdtest"
        set server "10.100.0.1"    <-- IPv4, IPv6 or DNS address of the KME.
        set port 443    <-- Port to connect to on the KME.
        set id "qkd00001"    <-- QKD ID assigned to this FortiGate by the KME.
        set peer "qkdtest"    <-- The KME's certificate is validated against the CA in this user peer (or peer group).
        set certificate "client"    <-- Local certificate presented to the KME to authenticate this FortiGate.
    next
end

 

  2. Create the IPsec configuration.

     


config vpn ipsec phase1-interface
    edit "TEST-A"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set childless-ike enable    <-- Required for QKD support.
        set proposal aes256-sha256
        set dpd disable
        set dhgrp 21
        set qkd require    <-- Options: disable (do not use a QKD server), allow (use the QKD server but do not require it), require (require the QKD server). This example uses require.
        set qkd-profile "qkdtest"    <-- The 'vpn qkd' profile created above.
        set remote-gw 192.168.1.1    <-- FortiGate-B's address.
        set psksecret ENC XXXX
    next
end

     

config vpn ipsec phase2-interface
    edit "TEST-A"
        set phase1name "TEST-A"    <-- Must match the phase1-interface name above.
        set proposal aes256-sha256
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

FortiGate-B.

 

  1. Create the user peer and the VPN QKD profile.

config user peer

    edit "qkdtest"

        set ca "CA_Cert"

    next

end

 

config vpn qkd
    edit "qkdtest"
        set server "10.100.0.1"    <-- IPv4, IPv6 or DNS address of the KME.
        set port 443    <-- Port to connect to on the KME.
        set id "qkd00002"    <-- QKD ID assigned to this FortiGate by the KME (distinct from FortiGate-A's).
        set peer "qkdtest"    <-- The KME's certificate is validated against the CA in this user peer (or peer group).
        set certificate "client"    <-- Local certificate presented to the KME to authenticate this FortiGate.
    next
end

 

  2. Create the IPsec configuration.


config vpn ipsec phase1-interface
    edit "TEST-B"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set childless-ike enable    <-- Required for QKD support, on both peers.
        set proposal aes256-sha256
        set dpd disable
        set dhgrp 21
        set qkd require    <-- Options: disable (do not use a QKD server), allow (use the QKD server but do not require it), require (require the QKD server). Use the same mode as FortiGate-A.
        set qkd-profile "qkdtest"
        set remote-gw 192.168.1.2    <-- FortiGate-A's address.
        set psksecret ENC XXXX
    next
end

     

config vpn ipsec phase2-interface
    edit "TEST-B"
        set phase1name "TEST-B"    <-- Must match the phase1-interface name above.
        set proposal aes256-sha256
        set pfs disable    <-- FortiGate-A's phase2 above leaves PFS at its default (enable); set both sides the same or phase2 will not match.
        set replay disable    <-- Disables anti-replay protection on the child SA; leave it enabled unless there is a specific reason not to.
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end

 

The following commands show the QKD status for a profile and, if the tunnel does not come up, the IKE debug output:

diagnose vpn ike qkd qkdtest    <-- QKD status for the profile 'qkdtest'.
diagnose debug application ike -1
diagnose debug enable

Disable debugging when finished:

diagnose debug disable
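The two configurations above have to agree on several settings, and the QKD-specific prerequisites are easy to miss when they are typed by hand. The following Python script is an added example, not Fortinet code or a FortiOS feature: it parses pasted FortiOS CLI blocks of the shape used in this article and checks the requirements stated above (the qkd-profile and its user peer exist, childless-ike is enabled whenever qkd is not disabled, each phase2 names an existing phase1, and proposal, dhgrp, qkd mode and PFS match between the two peers). The embedded FortiGate-A and FortiGate-B configurations are constructed to mirror the article, including its original phase1name and childless-ike slips; the FortiOS defaults assumed when a setting is absent (qkd disable, childless-ike disable, pfs enable) are assumptions noted in the code.

```python
"""Offline consistency check for the two FortiGates of a QKD IPsec tunnel.
Added example, not Fortinet code: parses FortiOS CLI of the shape used in this
article and applies its requirements (qkd-profile and its peer must exist,
childless-ike must be enabled, phase2 must name a real phase1, crypto settings
must match the remote peer). Both sample configs below are constructed."""
import re
import shlex

# Constructed FortiGate-A, including the article's phase1name "TEST" mismatch.
FGT_A = """
config user peer
    edit "qkdtest"
        set ca "CA_Cert"
    next
end
config vpn qkd
    edit "qkdtest"
        set server "10.100.0.1"
        set id "qkd00001"
        set peer "qkdtest"
    next
end
config vpn ipsec phase1-interface
    edit "TEST-A"
        set ike-version 2
        set childless-ike enable
        set proposal aes256-sha256
        set dhgrp 21
        set qkd require
        set qkd-profile "qkdtest"
    next
end
config vpn ipsec phase2-interface
    edit "TEST-A"
        set phase1name "TEST"
        set proposal aes256-sha256
    next
end
"""
# Constructed FortiGate-B as in the article: childless-ike missing, pfs disabled.
FGT_B = (FGT_A.replace("qkd00001", "qkd00002").replace("TEST-A", "TEST-B")
         .replace('"TEST"', '"TEST-B"').replace("        set childless-ike enable\n", "")
         .replace("sha256\n    next", "sha256\n        set pfs disable\n    next"))

def parse_fortios(text):
    """FortiOS CLI -> {table: {entry: {key: [values]}}}; depth config/edit/set only."""
    tables, stack, entry = {}, [], None
    for raw in text.splitlines():
        line = re.split(r"<-+", raw)[0].strip()  # drop "<--" annotations as pasted
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
            tables.setdefault(stack[-1], {})
        elif tok[0] == "edit":
            entry = tables[stack[-1]].setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            stack.pop()
    return tables

def check_peer(t):
    """Problems inside one FortiGate: dangling references and QKD prerequisites."""
    out, p1s, profiles = [], t.get("vpn ipsec phase1-interface", {}), t.get("vpn qkd", {})
    for name, p1 in p1s.items():
        mode = p1.get("qkd", ["disable"])[0]          # assumed FortiOS default: disable
        if mode == "disable":
            continue
        prof = p1.get("qkd-profile", [None])[0]
        if prof not in profiles:
            out.append(f"phase1 {name}: qkd-profile {prof!r} does not exist")
        elif profiles[prof].get("peer", [None])[0] not in t.get("user peer", {}):
            out.append(f"vpn qkd {prof}: peer is not a configured user peer")
        if p1.get("childless-ike", ["disable"])[0] != "enable":  # assumed default: disable
            out.append(f"phase1 {name}: childless-ike must be enabled when qkd is {mode}")
    for name, p2 in t.get("vpn ipsec phase2-interface", {}).items():
        ref = p2.get("phase1name", [None])[0]
        if ref not in p1s:
            out.append(f"phase2 {name}: phase1name {ref!r} matches no phase1")
    return out

def check_pair(a, b):
    """Settings that must agree on both ends; compares the first tunnel on each side."""
    def head(t, table):
        return next(iter(t.get(table, {}).values()), {})
    out = []
    a1, b1 = head(a, "vpn ipsec phase1-interface"), head(b, "vpn ipsec phase1-interface")
    a2, b2 = head(a, "vpn ipsec phase2-interface"), head(b, "vpn ipsec phase2-interface")
    for key in ("ike-version", "proposal", "dhgrp", "qkd"):
        if a1.get(key) != b1.get(key):
            out.append(f"phase1 {key} differs: {a1.get(key)} vs {b1.get(key)}")
    for key, default in (("proposal", []), ("pfs", ["enable"])):  # assumed pfs default: enable
        if a2.get(key, default) != b2.get(key, default):
            out.append(f"phase2 {key} differs: {a2.get(key, default)} vs {b2.get(key, default)}")
    return out

def lint(a_text, b_text):
    a, b = parse_fortios(a_text), parse_fortios(b_text)
    return {"FortiGate-A": check_peer(a), "FortiGate-B": check_peer(b), "pair": check_pair(a, b)}
```

Running `lint(FGT_A, FGT_B)` reports the phase1name mismatch on FortiGate-A, the missing childless-ike on FortiGate-B and the PFS disagreement between the two phase2 blocks; paste your own `show` output into the two strings to check a real pair before running the diagnose commands above.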

 

Note: QKD commands and support are hidden in v7.6.0 to address a known issue; they are expected to be available again in v7.6.1.