
Administration Guide

IPsec key retrieval with a QKD system using the ETSI standardized API

FortiGates support IPsec key retrieval from a quantum key distribution (QKD) system through the ETSI standardized REST-based key delivery API (ETSI GS QKD 014). The FortiGate acts as a client of the QKD system's key management entity (KME): it authenticates to the KME with a local certificate, validates the KME's certificate against a peer object, and retrieves key material for the security association from the KME instead of relying solely on the keys negotiated by IKE. Only the identifier of the retrieved key is exchanged with the IPsec peer, which uses it to obtain the same key from the KME. This keeps the key itself out of the negotiation, simplifies key management, and lets the QKD system manage IPsec keys centrally for many gateways.

config vpn qkd
    edit <name>
        set server <string>
        set port <integer>
        set id <string>
        set peer <string>
        set certificate <certificate_name>
    next
end

server <string>

Enter the IPv4 address, IPv6 address, or DNS name of the key management entity (KME) that the FortiGate retrieves keys from.

port <integer>

Enter the TCP port to connect to on the KME (1 - 65535).

id <string>

Enter the QKD identifier that the KME has assigned to this FortiGate.

peer <string>

Enter the peer or peer group (defined under config user peer or config user peergrp) used to validate the certificate presented by the QKD system's KME.

certificate <certificate_name>

Enter the names of up to four local certificates that the FortiGate presents to the KME to authenticate itself.
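The key-delivery exchange described above, written out as an added example that is not Fortinet code. It models the two calls ETSI GS QKD 014 defines for a key delivery (the master side's GET /api/v1/keys/{slave_SAE_ID}/enc_keys and the slave side's GET /api/v1/keys/{master_SAE_ID}/dec_keys?key_ID=...) against an in-memory stand-in for the KME, using the gateway names FGT-A and FGT-D from the example below as the two SAE identities. The one-time delivery of each key_ID, the binding of a key to the SAE pair it was issued for, and the 256-bit key size are assumptions of this model, not documented FortiOS or KME behaviour.

```python
"""Added example (not Fortinet code): the ETSI GS QKD 014 key-delivery
exchange that a QKD-enabled IPsec gateway performs against a KME.

Modelled REST calls (the real ones run over mutually authenticated TLS):
  GET /api/v1/keys/{slave_SAE_ID}/enc_keys           master SAE gets key + key_ID
  GET /api/v1/keys/{master_SAE_ID}/dec_keys?key_ID=  slave SAE gets the same key
Only the key_ID crosses the channel between the two peers.
"""
import base64
import os
import uuid
from typing import Dict, List, Tuple


class KeyManagementEntity:
    """Minimal in-memory KME. Assumptions: a key is delivered once to the
    slave SAE and then discarded, and a key can only be collected by the
    SAE pair it was issued for."""

    def __init__(self, key_bits: int = 256) -> None:
        self.key_bytes = key_bits // 8
        # key_ID -> (master_SAE_ID, slave_SAE_ID, raw key bytes)
        self._pending: Dict[str, Tuple[str, str, bytes]] = {}

    def enc_keys(self, master_sae_id: str, slave_sae_id: str, number: int = 1) -> dict:
        """GET /api/v1/keys/{slave_sae_id}/enc_keys, called by the master SAE."""
        keys: List[dict] = []
        for _ in range(number):
            key_id = str(uuid.uuid4())        # ETSI 014 key_ID is a UUID string
            raw = os.urandom(self.key_bytes)  # stand-in for quantum-derived key material
            self._pending[key_id] = (master_sae_id, slave_sae_id, raw)
            keys.append({"key_ID": key_id, "key": base64.b64encode(raw).decode()})
        return {"keys": keys}  # ETSI 014 "Key container" JSON shape

    def dec_keys(self, slave_sae_id: str, master_sae_id: str, key_ids: List[str]) -> dict:
        """GET /api/v1/keys/{master_sae_id}/dec_keys?key_ID=..., called by the slave SAE."""
        keys: List[dict] = []
        for key_id in key_ids:
            entry = self._pending.get(key_id)
            if entry is None:
                raise KeyError(f"unknown or already-consumed key_ID {key_id}")
            owner, intended_slave, raw = entry
            if owner != master_sae_id or intended_slave != slave_sae_id:
                raise PermissionError(f"key_ID {key_id} was not issued for {master_sae_id}->{slave_sae_id}")
            del self._pending[key_id]  # one-time delivery (assumed policy)
            keys.append({"key_ID": key_id, "key": base64.b64encode(raw).decode()})
        return {"keys": keys}


def initiator_fetch(kme: KeyManagementEntity, my_id: str, peer_id: str) -> Tuple[str, bytes]:
    """Initiator (master SAE): obtain a fresh key and its key_ID from the KME."""
    entry = kme.enc_keys(master_sae_id=my_id, slave_sae_id=peer_id, number=1)["keys"][0]
    return entry["key_ID"], base64.b64decode(entry["key"])


def responder_fetch(kme: KeyManagementEntity, my_id: str, peer_id: str, key_id: str) -> bytes:
    """Responder (slave SAE): collect the key the initiator's key_ID refers to."""
    entry = kme.dec_keys(slave_sae_id=my_id, master_sae_id=peer_id, key_ids=[key_id])["keys"][0]
    return base64.b64decode(entry["key"])


def run_exchange(kme: KeyManagementEntity, initiator_id: str = "FGT-A",
                 responder_id: str = "FGT-D") -> Tuple[str, bytes, bytes]:
    """One SA setup: returns (key_id sent to the peer, initiator key, responder key)."""
    key_id, k_init = initiator_fetch(kme, initiator_id, responder_id)
    # Only key_id travels between the peers; the key never leaves the SAE-KME links.
    k_resp = responder_fetch(kme, responder_id, initiator_id, key_id)
    return key_id, k_init, k_resp


def demo() -> dict:
    """Run one exchange plus the replay and misrouting checks; return the outcomes."""
    kme = KeyManagementEntity(key_bits=256)
    key_id, k_init, k_resp = run_exchange(kme)
    result = {"key_id": key_id, "keys_match": k_init == k_resp, "key_len": len(k_init)}
    try:  # a second dec_keys for the same key_ID must fail: the key was consumed
        responder_fetch(kme, "FGT-D", "FGT-A", key_id)
        result["replay_rejected"] = False
    except KeyError:
        result["replay_rejected"] = True
    # a third SAE must not be able to collect a key issued for FGT-A -> FGT-D
    kid2, _ = initiator_fetch(kme, "FGT-A", "FGT-D")
    try:
        responder_fetch(kme, "FGT-B", "FGT-A", kid2)
        result["misrouted_rejected"] = False
    except PermissionError:
        result["misrouted_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the trust boundary: the peers authenticate each other through IKE as before, but the confidentiality of the session key now rests on the two SAE-to-KME links, which is why the profile carries both a client certificate for the FortiGate and a peer object to validate the KME.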

Example

In this example, a quantum key distribution (QKD) system is deployed to perform central IPsec key management. The FortiGates installed as security gateways will terminate a large number of IPsec tunnels. Both gateways use the same KME (172.16.200.83) but have their own QKD identifier and client certificate. They differ in how strictly the QKD key is enforced: FGT-A is configured with set qkd allow, which uses a KME-retrieved key when the peer supports it, while FGT-D uses set qkd require, which makes the KME-retrieved key mandatory for the tunnel.

To configure IPsec key retrieval with a QKD system:
  1. Configure FGT-A:

    1. Configure the QKD profile:

      config vpn qkd
          edit "qkd_1"
              set server "172.16.200.83"
              set port 8989
              set id "FGT-A"
              set peer "qkd"
              set certificate "FGT_qkd1"
          next
      end
    2. Configure the IPsec phase 1 interface settings:

      config vpn ipsec phase1-interface
          edit "site1"
              set interface "wan1"
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set qkd allow
              set qkd-profile "qkd_1"
              set remote-gw 173.1.1.1
              set psksecret **********
          next
      end
    3. Configure the IPsec phase 2 interface settings:

      config vpn ipsec phase2-interface
          edit "site1"
              set phase1name "site1"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
  2. Configure FGT-D:

    1. Configure the QKD profile:

      config vpn qkd
          edit "qkd_1"
              set server "172.16.200.83"
              set port 8989
              set id "FGT-D"
              set peer "qkd"
              set certificate "FGT_qkd3"
          next
      end
    2. Configure the IPsec phase 1 interface settings:

      config vpn ipsec phase1-interface
          edit "site2"
              set interface "port25"
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set qkd require
              set qkd-profile "qkd_1"
              set remote-gw 11.101.1.1
              set psksecret **********
          next
      end
    3. Configure the IPsec phase 2 interface settings:

      config vpn ipsec phase2-interface
          edit "site2"
              set phase1name "site2"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
To verify the configuration:
  1. Generate traffic between PC1 and PC4.

  2. Run diagnostics on FGT-A:

    1. Verify the IPsec phase 1 interface status:

      # diagnose vpn ike gateway list
      
      vd: root/0
      name: site1
      version: 1
      interface: wan1 17
      addr: 11.101.1.1:500 -> 173.1.1.1:500
      tun_id: 172.16.200.4/::172.16.200.4
      remote_location: 0.0.0.0
      network-id: 0
      transport: UDP
      created: 3s ago
      peer-id: 173.1.1.1
      peer-id-auth: no
      IKE SA: created 1/1  established 1/1  time 0/0/0 ms
      IPsec SA: created 1/1  established 1/1  time 30/30/30 ms
      
        id/spi: 21 ad7d995677250c7e/053f958ea7be66c8
        direction: initiator
        status: established 3-3s ago = 0ms
        proposal: aes128-sha256
        key: 5b198e1a431c20fb-c08135cf0c007704
        QKD: yes
        lifetime/rekey: 86400/86096
        DPD sent/recv: 00000000/00000000
        peer-id: 173.1.1.1

      The QKD: yes line confirms that a key retrieved from the KME was applied to this IKE SA.
    2. Verify the IPsec phase 2 tunnel status:

      # diagnose vpn tunnel list
      list all ipsec tunnel in vd 0
      ------------------------------------------------------
      name=site1 ver=1 serial=2 11.101.1.1:0->173.1.1.1:0 tun_id=172.16.200.4 tun_id6=::172.16.200.4 dst_mtu=1500 dpd-link=on weight=1
      bound_if=17 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0
      
      proxyid_num=1 child_num=0 refcnt=4 ilast=12 olast=11 ad=/0
      stat: rxp=1 txp=2 rxb=84 txb=168
      dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
      natt: mode=none draft=0 interval=0 remote_port=0
      fec: egress=0 ingress=0
      proxyid=site1 proto=0 sa=1 ref=3 serial=2
        src: 0:0.0.0.0-255.255.255.255:0
        dst: 0:0.0.0.0-255.255.255.255:0
        SA:  ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42883/0B replaywin=2048
             seqno=3 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
        life: type=01 bytes=0/0 timeout=42897/43200
        dec: spi=b2af532f esp=aes key=16 c1d5d17e6bdecd5b145f672a5054cde1
             ah=sha1 key=20 084f1c0fee48994f59a125606f9c757838dc2421
        enc: spi=3d14392a esp=aes key=16 66277c8cf2bdbd2d12a9d829dde356ad
             ah=sha1 key=20 fdbaa42cca5c3a9bffb1cf0fc74ff29a643a2b9f
        dec:pkts/bytes=1/84, enc:pkts/bytes=2/304
        npu_flag=03 npu_rgwy=173.1.1.1 npu_lgwy=11.101.1.1 npu_selid=4 dec_npuid=2 enc_npuid=2

      The IPsec tunnel is up and traffic passes through. Note that this output, like the IKE debug output below, prints the live ESP encryption and authentication keys in clear text; treat it as sensitive and do not paste it into tickets or shared logs.

    3. Verify the IKE debug messages:

      # diagnose debug application ike -1 
      ...
      ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:0
      ike V=root:0:site1:site1: using existing connection
      ike V=root:0:site1:site1: config found
      ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:500 negotiating
      ike 0:site1:20:site1:22: QKD initiator request
      ike 0:site1:20:site1:22: QKD initiator key-id '4e0592fe-9568-11ee-97b8-5fb93000b0c2'
      ...
      ike V=root:0:site1:20:site1:22: add IPsec SA: SPIs=b2af532d/3d143928
      ike 0:site1:20:site1:22: IPsec SA dec spi b2af532d key 16:958EE561ABD2B6F0F4C6E042202F451E auth 20:4D694E6951ADB425A2A1C3261140957C9469A4DC
      ike 0:site1:20:site1:22: IPsec SA enc spi 3d143928 key 16:6016E26398B70E55A17EF73611B30028 auth 20:357880E885F3ED23092233737B9FD0573DCB0D08
      ike V=root:0:site1:20:site1:22: added IPsec SA: SPIs=b2af532d/3d143928
      ike V=root:0:site1:20:site1:22: sending SNMP tunnel UP trap

      The QKD initiator key-id line shows the key_ID that the KME returned for this SA. The peers exchange this identifier rather than the key itself; the responder presents it to the KME to retrieve the same key.
    4. Verify the statistics for qkd_1:

      # diagnose vpn ike qkd qkd_1
      client.count.fd: now 0  max 1  total 3
      client.count.fp: now 0  max 1  total 3
      client.count.mmap: now 2  max 2  total 9
      client.event: 4
      client.retry: 0
      client.cmd.request.initiator: 4
      client.cmd.request.responder: 0
      client.cmd.reply.initiator: 4
      client.cmd.reply.responder: 0
      server.boot.count: 3
      server.boot.last.time: 4295388395
      server.boot.last.ago: 247
      server.stop.budget: 0
      server.stop.error: 0
      server.stop.auth.count: 0
      server.cmd.reading: 7
      server.cmd.read: 4
      server.cmd.request.initiator: 4
      server.cmd.request.responder: 0
      server.cmd.reply.initiator: 4
      server.cmd.reply.responder: 0
      server.auth.request.sending.count: 4
      server.auth.request.sending.last.time: 4295389413
      server.auth.request.sending.last.ago: 237
      server.auth.request.sent.count: 4
      server.auth.request.sent.last.time: 4295389413
      server.auth.request.sent.last.ago: 237
      server.auth.reply.reading.count: 4
      server.auth.reply.reading.last.time: 4295389413
      server.auth.reply.reading.last.ago: 237
      server.auth.reply.read.count: 4
      server.auth.reply.read.last.time: 4295389413
      server.auth.reply.read.last.ago: 237
      server.dns.addrs:
      server.curl.get.count: 4
      server.curl.get.last.time: 4295389413
      server.curl.get.last.ago: 237
      server.curl.json.parse: 4
      server.curl.json.parsed: 4
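The counter dump above is what an operator has to read when a QKD-backed tunnel fails to come up. As an added example that is not Fortinet code, the following parses that output into a dictionary and applies a few health checks to it. The counter names are taken from the output on this page, but the page does not define what they signal; the meaning assigned to each counter in check_qkd_stats (authentication stops, transport errors, retries, unanswered requests, reply parse mismatches) is an assumption drawn from the names. The HEALTHY sample is the page's own output trimmed to the counters checked; the DEGRADED sample is constructed for the demonstration.

```python
"""Added example (not Fortinet code): parse the counter dump printed by
`diagnose vpn ike qkd <profile>` and flag conditions worth a ticket against
the KME. Counter meanings are assumptions based on their names."""
import re
from typing import Dict, List, Union

Counter = Union[int, Dict[str, int], str, None]

# Constructed sample: the healthy output from the page, trimmed to the counters checked.
HEALTHY = """\
client.count.fd: now 0  max 1  total 3
client.retry: 0
client.cmd.request.initiator: 4
client.cmd.reply.initiator: 4
server.boot.count: 3
server.stop.budget: 0
server.stop.error: 0
server.stop.auth.count: 0
server.cmd.request.initiator: 4
server.cmd.reply.initiator: 4
server.dns.addrs:
server.curl.get.count: 4
server.curl.json.parse: 4
server.curl.json.parsed: 4
"""

# Constructed sample of a degraded profile (values invented for the demonstration).
DEGRADED = """\
client.count.fd: now 1  max 3  total 9
client.retry: 5
client.cmd.request.initiator: 6
client.cmd.reply.initiator: 2
server.boot.count: 7
server.stop.budget: 0
server.stop.error: 3
server.stop.auth.count: 2
server.cmd.request.initiator: 6
server.cmd.reply.initiator: 2
server.dns.addrs:
server.curl.get.count: 6
server.curl.json.parse: 6
server.curl.json.parsed: 4
"""

_LINE = re.compile(r"^\s*(?P<name>[\w.]+):\s*(?P<value>.*)$")
_TRIPLE = re.compile(r"now\s+(\d+)\s+max\s+(\d+)\s+total\s+(\d+)")


def parse_qkd_stats(text: str) -> Dict[str, Counter]:
    """Turn 'name: value' lines into a dict. Values are ints, a now/max/total
    dict for the resource counters, None for an empty value, else the raw string."""
    stats: Dict[str, Counter] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        t = _TRIPLE.match(value)
        if t:
            stats[name] = {"now": int(t.group(1)), "max": int(t.group(2)), "total": int(t.group(3))}
        elif value == "":
            stats[name] = None
        elif value.lstrip("-").isdigit():
            stats[name] = int(value)
        else:
            stats[name] = value
    return stats


def check_qkd_stats(stats: Dict[str, Counter]) -> List[str]:
    """Return finding codes, in a fixed order, for the conditions below.
    Each mapping from counter to condition is an assumption, not documented."""

    def n(name: str) -> int:
        v = stats.get(name, 0)
        return v if isinstance(v, int) else 0

    findings: List[str] = []
    if n("server.stop.auth.count") > 0:        # assumed: KME rejected our certificate / TLS auth
        findings.append("kme-auth-failures")
    if n("server.stop.error") > 0:             # assumed: connection or HTTP errors towards the KME
        findings.append("kme-transport-errors")
    if n("client.retry") > 0:                  # assumed: IKE had to retry key requests
        findings.append("client-retries")
    for role in ("initiator", "responder"):    # requests that never got a reply
        if n(f"server.cmd.request.{role}") != n(f"server.cmd.reply.{role}"):
            findings.append(f"unanswered-{role}-requests")
    if n("server.curl.json.parse") != n("server.curl.json.parsed"):  # replies that failed to parse
        findings.append("malformed-kme-replies")
    return findings


if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, check_qkd_stats(parse_qkd_stats(sample)))
```

Feed it the full output of diagnose vpn ike qkd for the profile; a non-empty result narrows the fault to the FortiGate-to-KME leg (certificates, reachability, or the KME's replies) before any IKE debugging is started.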
