Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.2 Administration Guide
7.4.2
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

IPsec key retrieval with a QKD system using the ETSI standardized API NEW

IPsec key retrieval with a QKD system using the ETSI standardized API NEW

FortiGates support IPsec key retrieval with a quantum key distribution (QKD) system using the ETSI standardized API. This eliminates negotiation, simplifies the process, and enhances efficiency in IPsec key management.

config vpn qkd
    edit <name>
        set server <string>
        set port <integer>
        set id <string>
        set peer <string>
        set certificate <certificate_name>
    next
end

server <string>

Enter the IPv4, IPv6, or DNS address of the key management entity (KME).

port <integer>

Enter the port to connect to on the KME, 1 - 65535.

id <string>

Enter the quantum key distribution ID assigned by the KME.

peer <string>

Enter the peer or peer group to authenticate with the quantum key device's certificate.

certificate <certificate_name>

Enter the name of up to four certificates to offer to the KME.

Example

In this example, a quantum key distribution (QKD) system is deployed to perform central IPsec key management. The FortiGates installed as security gateways will terminate large amount of IPsec tunnels.

To configure IPsec key retrieval with a QKD system:

  1. Configure FGT-A:

    1. Configure the QKD profile:

      config vpn qkd
    edit "qkd_1"
        set server "172.16.200.83"
        set port 8989
        set id "FGT-A"
        set peer "qkd"
        set certificate "FGT_qkd1"
    next
end

    2. Configure the IPsec phase 1 interface settings:

      config vpn ipsec phase1-interface
    edit "site1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set qkd allow
        set qkd-profile "qkd_1"
        set remote-gw 173.1.1.1
        set psksecret **********
    next
end

    3. Configure the IPsec phase 2 interface settings:

      config vpn ipsec phase2-interface
    edit "site1"
        set phase1name "site1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  2. Configure FGT-D:

    1. Configure the QKD profile:

      config vpn qkd
    edit "qkd_1"
        set server "172.16.200.83"
        set port 8989
        set id "FGT-D"
        set peer "qkd"
        set certificate "FGT_qkd3"
    next
end

    2. Configure the IPsec phase 1 interface settings:

      config vpn ipsec phase1-interface
    edit "site2"
        set interface "port25"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set qkd require
        set qkd-profile "qkd_1"
        set remote-gw 11.101.1.1
        set psksecret **********
    next
end

    3. Configure the IPsec phase 2 interface settings:

      config vpn ipsec phase2-interface
    edit "site2"
        set phase1name "site2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
To verify the configuration:

  1. Generate traffic between PC1 and PC4.

  2. Run diagnostics on FGT-A:

    1. Verify the IPsec phase 1 interface status:

      # diagnose vpn ike gateway list

vd: root/0
name: site1
version: 1
interface: wan1 17
addr: 11.101.1.1:500 -> 173.1.1.1:500
tun_id: 172.16.200.4/::172.16.200.4
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 3s ago
peer-id: 173.1.1.1
peer-id-auth: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

  id/spi: 21 ad7d995677250c7e/053f958ea7be66c8
  direction: initiator
  status: established 3-3s ago = 0ms
  proposal: aes128-sha256
  key: 5b198e1a431c20fb-c08135cf0c007704
  QKD: yes
  lifetime/rekey: 86400/86096
  DPD sent/recv: 00000000/00000000
  peer-id: 173.1.1.1

    2. Verify the IPsec phase 2 tunnel status:

      # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=site1 ver=1 serial=2 11.101.1.1:0->173.1.1.1:0 tun_id=172.16.200.4 tun_id6=::172.16.200.4 dst_mtu=1500 dpd-link=on weight=1
bound_if=17 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=12 olast=11 ad=/0
stat: rxp=1 txp=2 rxb=84 txb=168
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=site1 proto=0 sa=1 ref=3 serial=2
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42883/0B replaywin=2048
       seqno=3 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=b2af532f esp=aes key=16 c1d5d17e6bdecd5b145f672a5054cde1
       ah=sha1 key=20 084f1c0fee48994f59a125606f9c757838dc2421
  enc: spi=3d14392a esp=aes key=16 66277c8cf2bdbd2d12a9d829dde356ad
       ah=sha1 key=20 fdbaa42cca5c3a9bffb1cf0fc74ff29a643a2b9f
  dec:pkts/bytes=1/84, enc:pkts/bytes=2/304
  npu_flag=03 npu_rgwy=173.1.1.1 npu_lgwy=11.101.1.1 npu_selid=4 dec_npuid=2 enc_npuid=2

      The IPsec tunnel is up and traffic passes through.

    3. Verify the IKE debug messages:

      # diagnose debug application ike -1 
...
ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:0
ike V=root:0:site1:site1: using existing connection
ike V=root:0:site1:site1: config found
ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:500 negotiating
ike 0:site1:20:site1:22: QKD initiator request
ike 0:site1:20:site1:22: QKD initiator key-id '4e0592fe-9568-11ee-97b8-5fb93000b0c2'
...
ike V=root:0:site1:20:site1:22: add IPsec SA: SPIs=b2af532d/3d143928
ike 0:site1:20:site1:22: IPsec SA dec spi b2af532d key 16:958EE561ABD2B6F0F4C6E042202F451E auth 20:4D694E6951ADB425A2A1C3261140957C9469A4DC
ike 0:site1:20:site1:22: IPsec SA enc spi 3d143928 key 16:6016E26398B70E55A17EF73611B30028 auth 20:357880E885F3ED23092233737B9FD0573DCB0D08
ike V=root:0:site1:20:site1:22: added IPsec SA: SPIs=b2af532d/3d143928
ike V=root:0:site1:20:site1:22: sending SNMP tunnel UP trap

    4. Verify the statistics for qkd_1:

      # diagnose vpn ike qkd qkd_1
client.count.fd: now 0  max 1  total 3
client.count.fp: now 0  max 1  total 3
client.count.mmap: now 2  max 2  total 9
client.event: 4
client.retry: 0
client.cmd.request.initiator: 4
client.cmd.request.responder: 0
client.cmd.reply.initiator: 4
client.cmd.reply.responder: 0
server.boot.count: 3
server.boot.last.time: 4295388395
server.boot.last.ago: 247
server.stop.budget: 0
server.stop.error: 0
server.stop.auth.count: 0
server.cmd.reading: 7
server.cmd.read: 4
server.cmd.request.initiator: 4
server.cmd.request.responder: 0
server.cmd.reply.initiator: 4
server.cmd.reply.responder: 0
server.auth.request.sending.count: 4
server.auth.request.sending.last.time: 4295389413
server.auth.request.sending.last.ago: 237
server.auth.request.sent.count: 4
server.auth.request.sent.last.time: 4295389413
server.auth.request.sent.last.ago: 237
server.auth.reply.reading.count: 4
server.auth.reply.reading.last.time: 4295389413
server.auth.reply.reading.last.ago: 237
server.auth.reply.read.count: 4
server.auth.reply.read.last.time: 4295389413
server.auth.reply.read.last.ago: 237
server.dns.addrs:
server.curl.get.count: 4
server.curl.get.last.time: 4295389413
server.curl.get.last.ago: 237
server.curl.json.parse: 4
server.curl.json.parsed: 4
Previous
Next

IPsec key retrieval with a QKD system using the ETSI standardized API NEW

FortiGates support IPsec key retrieval with a quantum key distribution (QKD) system using the ETSI standardized API. This eliminates negotiation, simplifies the process, and enhances efficiency in IPsec key management.

config vpn qkd
    edit <name>
        set server <string>
        set port <integer>
        set id <string>
        set peer <string>
        set certificate <certificate_name>
    next
end

server <string>

Enter the IPv4, IPv6, or DNS address of the key management entity (KME).

port <integer>

Enter the port to connect to on the KME, 1 - 65535.

id <string>

Enter the quantum key distribution ID assigned by the KME.

peer <string>

Enter the peer or peer group to authenticate with the quantum key device's certificate.

certificate <certificate_name>

Enter the name of up to four certificates to offer to the KME.

Example

In this example, a quantum key distribution (QKD) system is deployed to perform central IPsec key management. The FortiGates installed as security gateways will terminate large amount of IPsec tunnels.

To configure IPsec key retrieval with a QKD system:

  1. Configure FGT-A:

    1. Configure the QKD profile:

      config vpn qkd
    edit "qkd_1"
        set server "172.16.200.83"
        set port 8989
        set id "FGT-A"
        set peer "qkd"
        set certificate "FGT_qkd1"
    next
end

    2. Configure the IPsec phase 1 interface settings:

      config vpn ipsec phase1-interface
    edit "site1"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set qkd allow
        set qkd-profile "qkd_1"
        set remote-gw 173.1.1.1
        set psksecret **********
    next
end

    3. Configure the IPsec phase 2 interface settings:

      config vpn ipsec phase2-interface
    edit "site1"
        set phase1name "site1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  2. Configure FGT-D:

    1. Configure the QKD profile:

      config vpn qkd
    edit "qkd_1"
        set server "172.16.200.83"
        set port 8989
        set id "FGT-D"
        set peer "qkd"
        set certificate "FGT_qkd3"
    next
end

    2. Configure the IPsec phase 1 interface settings:

      config vpn ipsec phase1-interface
    edit "site2"
        set interface "port25"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set qkd require
        set qkd-profile "qkd_1"
        set remote-gw 11.101.1.1
        set psksecret **********
    next
end

    3. Configure the IPsec phase 2 interface settings:

      config vpn ipsec phase2-interface
    edit "site2"
        set phase1name "site2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
To verify the configuration:

  1. Generate traffic between PC1 and PC4.

  2. Run diagnostics on FGT-A:

    1. Verify the IPsec phase 1 interface status:

      # diagnose vpn ike gateway list

vd: root/0
name: site1
version: 1
interface: wan1 17
addr: 11.101.1.1:500 -> 173.1.1.1:500
tun_id: 172.16.200.4/::172.16.200.4
remote_location: 0.0.0.0
network-id: 0
transport: UDP
created: 3s ago
peer-id: 173.1.1.1
peer-id-auth: no
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 30/30/30 ms

  id/spi: 21 ad7d995677250c7e/053f958ea7be66c8
  direction: initiator
  status: established 3-3s ago = 0ms
  proposal: aes128-sha256
  key: 5b198e1a431c20fb-c08135cf0c007704
  QKD: yes
  lifetime/rekey: 86400/86096
  DPD sent/recv: 00000000/00000000
  peer-id: 173.1.1.1

    2. Verify the IPsec phase 2 tunnel status:

      # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=site1 ver=1 serial=2 11.101.1.1:0->173.1.1.1:0 tun_id=172.16.200.4 tun_id6=::172.16.200.4 dst_mtu=1500 dpd-link=on weight=1
bound_if=17 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=12 olast=11 ad=/0
stat: rxp=1 txp=2 rxb=84 txb=168
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=site1 proto=0 sa=1 ref=3 serial=2
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA:  ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42883/0B replaywin=2048
       seqno=3 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=b2af532f esp=aes key=16 c1d5d17e6bdecd5b145f672a5054cde1
       ah=sha1 key=20 084f1c0fee48994f59a125606f9c757838dc2421
  enc: spi=3d14392a esp=aes key=16 66277c8cf2bdbd2d12a9d829dde356ad
       ah=sha1 key=20 fdbaa42cca5c3a9bffb1cf0fc74ff29a643a2b9f
  dec:pkts/bytes=1/84, enc:pkts/bytes=2/304
  npu_flag=03 npu_rgwy=173.1.1.1 npu_lgwy=11.101.1.1 npu_selid=4 dec_npuid=2 enc_npuid=2

      The IPsec tunnel is up and traffic passes through.

    3. Verify the IKE debug messages:

      # diagnose debug application ike -1 
...
ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:0
ike V=root:0:site1:site1: using existing connection
ike V=root:0:site1:site1: config found
ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:500 negotiating
ike 0:site1:20:site1:22: QKD initiator request
ike 0:site1:20:site1:22: QKD initiator key-id '4e0592fe-9568-11ee-97b8-5fb93000b0c2'
...
ike V=root:0:site1:20:site1:22: add IPsec SA: SPIs=b2af532d/3d143928
ike 0:site1:20:site1:22: IPsec SA dec spi b2af532d key 16:958EE561ABD2B6F0F4C6E042202F451E auth 20:4D694E6951ADB425A2A1C3261140957C9469A4DC
ike 0:site1:20:site1:22: IPsec SA enc spi 3d143928 key 16:6016E26398B70E55A17EF73611B30028 auth 20:357880E885F3ED23092233737B9FD0573DCB0D08
ike V=root:0:site1:20:site1:22: added IPsec SA: SPIs=b2af532d/3d143928
ike V=root:0:site1:20:site1:22: sending SNMP tunnel UP trap

    4. Verify the statistics for qkd_1:

      # diagnose vpn ike qkd qkd_1
client.count.fd: now 0  max 1  total 3
client.count.fp: now 0  max 1  total 3
client.count.mmap: now 2  max 2  total 9
client.event: 4
client.retry: 0
client.cmd.request.initiator: 4
client.cmd.request.responder: 0
client.cmd.reply.initiator: 4
client.cmd.reply.responder: 0
server.boot.count: 3
server.boot.last.time: 4295388395
server.boot.last.ago: 247
server.stop.budget: 0
server.stop.error: 0
server.stop.auth.count: 0
server.cmd.reading: 7
server.cmd.read: 4
server.cmd.request.initiator: 4
server.cmd.request.responder: 0
server.cmd.reply.initiator: 4
server.cmd.reply.responder: 0
server.auth.request.sending.count: 4
server.auth.request.sending.last.time: 4295389413
server.auth.request.sending.last.ago: 237
server.auth.request.sent.count: 4
server.auth.request.sent.last.time: 4295389413
server.auth.request.sent.last.ago: 237
server.auth.reply.reading.count: 4
server.auth.reply.reading.last.time: 4295389413
server.auth.reply.reading.last.ago: 237
server.auth.reply.read.count: 4
server.auth.reply.read.last.time: 4295389413
server.auth.reply.read.last.ago: 237
server.dns.addrs:
server.curl.get.count: 4
server.curl.get.last.time: 4295389413
server.curl.get.last.ago: 237
server.curl.json.parse: 4
server.curl.json.parsed: 4
Previous
Next