duenlim
Staff
Article Id 379968
Description This article describes how to enable the PQC CRYSTALS-Kyber option in an IPsec tunnel.
Scope FortiGate v7.6.1.
Solution
  1. Follow the steps to configure PQC CRYSTALS-Kyber from: Enhancing security with Post-Quantum Cryptography for IPsec key exchange 7.6.1. However, the PQC CRYSTALS-Kyber option cannot be found when configuring IPsec Phase 1:

 

config vpn ipsec phase1-interface

(phase1-interface) # edit TEST

(TEST) # set addke1
command parse error before 'addke1'

(TEST) # set addke2

command parse error before 'addke2'
Command fail. Return code -61

 

  2. IKE version 2 must be enabled under IPsec Phase 1 before PQC CRYSTALS-Kyber can be configured. Note that IKEv1 does not support PQC CRYSTALS-Kyber.

 

config vpn ipsec phase1-interface
(phase1-interface) # edit TEST
# set ike-version 2
Lotus-kvm56 (TEST) # end

# config vpn ipsec phase1-interface
Lotus-kvm56 (phase1-interface) # edit TEST

Lotus-kvm56 (TEST) # set addke1
0 NONE.
35 ML-KEM-512.
36 ML-KEM-768.
37 ML-KEM-1024.
1080 KYBER512.
1081 KYBER768.
1082 KYBER1024.
1083 FRODO L1.
1084 FRODO L3.
1085 FRODO L5.
1089 BIKE L1.
1090 BIKE L3.
1091 BIKE L5.
1092 HQC128.
1093 HQC192.
1094 HQC256.
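
An added example, not from the original article or from Fortinet: a Python check over a saved FortiGate configuration that reports which Phase 1 tunnels are still IKEv1 (where the addke options cannot be set) and which IKEv2 tunnels have no additional key exchange configured. The sample configuration, the tunnel names and the stored format of the addke values are assumptions, and an absent ike-version line is treated as IKEv1.

```python
import re

SECTION = "config vpn ipsec phase1-interface"
# Constructed sample backup, not taken from the article. Assumption: addke
# values are stored as the numbers listed by the CLI help.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "TEST"
        set interface "port1"
    next
    edit "HQ-PQC"
        set ike-version 2
        set addke1 1080
        set addke2 35
    next
    edit "BRANCH"
        set ike-version 2
    next
end
"""

def classify(settings):
    """Describe one Phase 1 entry; an absent ike-version is assumed to mean 1."""
    if settings.get("ike-version", "1").strip('"') != "2":
        return "IKEv1: addke unavailable"
    addke = sorted(k for k, v in settings.items()
                   if re.fullmatch(r"addke\d+", k) and v.split()[0].lower() not in ("0", "none"))
    return "IKEv2: " + (",".join(addke) if addke else "no additional key exchange")

def audit_phase1(config_text):
    """Map each phase1-interface entry name to its finding."""
    results, depth, name, settings = {}, 0, None, {}
    for line in map(str.strip, config_text.splitlines()):
        if depth == 0:
            depth = 1 if line == SECTION else 0
        elif line.startswith("config "):
            depth += 1            # nested table inside an entry
        elif line == "end":
            depth -= 1
        elif depth > 1:
            continue              # ignore the contents of nested tables
        elif line.startswith("edit "):
            name, settings = line[5:].strip().strip('"'), {}
        elif line.startswith("set ") and len(line.split(None, 2)) == 3:
            settings[line.split(None, 2)[1]] = line.split(None, 2)[2]
        elif line == "next" and name is not None:
            results[name], name = classify(settings), None
    return results

if __name__ == "__main__":
    for tunnel, finding in audit_phase1(SAMPLE_CONFIG).items():
        print(f"{tunnel}: {finding}")
```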
