IPsec key retrieval with a QKD system using the ETSI standardized API NEW
FortiGates support IPsec key retrieval with a quantum key distribution (QKD) system using the ETSI standardized API. This eliminates negotiation, simplifies the process, and enhances efficiency in IPsec key management.
config vpn qkd edit <name> set server <string> set port <integer> set id <string> set peer <string> set certificate <certificate_name> next end
server <string> |
Enter the IPv4, IPv6, or DNS address of the key management entity (KME). |
port <integer> |
Enter the port to connect to on the KME, 1 - 65535. |
id <string> |
Enter the quantum key distribution ID assigned by the KME. |
peer <string> |
Enter the peer or peer group to authenticate with the quantum key device's certificate. |
certificate <certificate_name> |
Enter the name of up to four certificates to offer to the KME. |
Example
In this example, a quantum key distribution (QKD) system is deployed to perform central IPsec key management. The FortiGates installed as security gateways will terminate large amount of IPsec tunnels.
To configure IPsec key retrieval with a QKD system:
-
Configure FGT-A:
-
Configure the QKD profile:
config vpn qkd edit "qkd_1" set server "172.16.200.83" set port 8989 set id "FGT-A" set peer "qkd" set certificate "FGT_qkd1" next end
-
Configure the IPsec phase 1 interface settings:
config vpn ipsec phase1-interface edit "site1" set interface "wan1" set peertype any set net-device disable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set qkd allow set qkd-profile "qkd_1" set remote-gw 173.1.1.1 set psksecret ********** next end
-
Configure the IPsec phase 2 interface settings:
config vpn ipsec phase2-interface edit "site1" set phase1name "site1" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end
-
-
Configure FGT-D:
-
Configure the QKD profile:
config vpn qkd edit "qkd_1" set server "172.16.200.83" set port 8989 set id "FGT-D" set peer "qkd" set certificate "FGT_qkd3" next end
-
Configure the IPsec phase 1 interface settings:
config vpn ipsec phase1-interface edit "site2" set interface "port25" set peertype any set net-device disable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set qkd require set qkd-profile "qkd_1" set remote-gw 11.101.1.1 set psksecret ********** next end
-
Configure the IPsec phase 2 interface settings:
config vpn ipsec phase2-interface edit "site2" set phase1name "site2" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 next end
-
To verify the configuration:
-
Generate traffic between PC1 and PC4.
-
Run diagnostics on FGT-A:
-
Verify the IPsec phase 1 interface status:
# diagnose vpn ike gateway list vd: root/0 name: site1 version: 1 interface: wan1 17 addr: 11.101.1.1:500 -> 173.1.1.1:500 tun_id: 172.16.200.4/::172.16.200.4 remote_location: 0.0.0.0 network-id: 0 transport: UDP created: 3s ago peer-id: 173.1.1.1 peer-id-auth: no IKE SA: created 1/1 established 1/1 time 0/0/0 ms IPsec SA: created 1/1 established 1/1 time 30/30/30 ms id/spi: 21 ad7d995677250c7e/053f958ea7be66c8 direction: initiator status: established 3-3s ago = 0ms proposal: aes128-sha256 key: 5b198e1a431c20fb-c08135cf0c007704 QKD: yes lifetime/rekey: 86400/86096 DPD sent/recv: 00000000/00000000 peer-id: 173.1.1.1
-
Verify the IPsec phase 2 tunnel status:
# diagnose vpn tunnel list list all ipsec tunnel in vd 0 ------------------------------------------------------ name=site1 ver=1 serial=2 11.101.1.1:0->173.1.1.1:0 tun_id=172.16.200.4 tun_id6=::172.16.200.4 dst_mtu=1500 dpd-link=on weight=1 bound_if=17 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0 proxyid_num=1 child_num=0 refcnt=4 ilast=12 olast=11 ad=/0 stat: rxp=1 txp=2 rxb=84 txb=168 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 fec: egress=0 ingress=0 proxyid=site1 proto=0 sa=1 ref=3 serial=2 src: 0:0.0.0.0-255.255.255.255:0 dst: 0:0.0.0.0-255.255.255.255:0 SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42883/0B replaywin=2048 seqno=3 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1 life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=b2af532f esp=aes key=16 c1d5d17e6bdecd5b145f672a5054cde1 ah=sha1 key=20 084f1c0fee48994f59a125606f9c757838dc2421 enc: spi=3d14392a esp=aes key=16 66277c8cf2bdbd2d12a9d829dde356ad ah=sha1 key=20 fdbaa42cca5c3a9bffb1cf0fc74ff29a643a2b9f dec:pkts/bytes=1/84, enc:pkts/bytes=2/304 npu_flag=03 npu_rgwy=173.1.1.1 npu_lgwy=11.101.1.1 npu_selid=4 dec_npuid=2 enc_npuid=2
The IPsec tunnel is up and traffic passes through.
-
Verify the IKE debug messages:
# diagnose debug application ike -1 ... ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:0 ike V=root:0:site1:site1: using existing connection ike V=root:0:site1:site1: config found ike V=root:0:site1:site1: IPsec SA connect 17 11.101.1.1->173.1.1.1:500 negotiating ike 0:site1:20:site1:22: QKD initiator request ike 0:site1:20:site1:22: QKD initiator key-id '4e0592fe-9568-11ee-97b8-5fb93000b0c2' ... ike V=root:0:site1:20:site1:22: add IPsec SA: SPIs=b2af532d/3d143928 ike 0:site1:20:site1:22: IPsec SA dec spi b2af532d key 16:958EE561ABD2B6F0F4C6E042202F451E auth 20:4D694E6951ADB425A2A1C3261140957C9469A4DC ike 0:site1:20:site1:22: IPsec SA enc spi 3d143928 key 16:6016E26398B70E55A17EF73611B30028 auth 20:357880E885F3ED23092233737B9FD0573DCB0D08 ike V=root:0:site1:20:site1:22: added IPsec SA: SPIs=b2af532d/3d143928 ike V=root:0:site1:20:site1:22: sending SNMP tunnel UP trap
-
Verify the statistics for qkd_1:
# diagnose vpn ike qkd qkd_1 client.count.fd: now 0 max 1 total 3 client.count.fp: now 0 max 1 total 3 client.count.mmap: now 2 max 2 total 9 client.event: 4 client.retry: 0 client.cmd.request.initiator: 4 client.cmd.request.responder: 0 client.cmd.reply.initiator: 4 client.cmd.reply.responder: 0 server.boot.count: 3 server.boot.last.time: 4295388395 server.boot.last.ago: 247 server.stop.budget: 0 server.stop.error: 0 server.stop.auth.count: 0 server.cmd.reading: 7 server.cmd.read: 4 server.cmd.request.initiator: 4 server.cmd.request.responder: 0 server.cmd.reply.initiator: 4 server.cmd.reply.responder: 0 server.auth.request.sending.count: 4 server.auth.request.sending.last.time: 4295389413 server.auth.request.sending.last.ago: 237 server.auth.request.sent.count: 4 server.auth.request.sent.last.time: 4295389413 server.auth.request.sent.last.ago: 237 server.auth.reply.reading.count: 4 server.auth.reply.reading.last.time: 4295389413 server.auth.reply.reading.last.ago: 237 server.auth.reply.read.count: 4 server.auth.reply.read.last.time: 4295389413 server.auth.reply.read.last.ago: 237 server.dns.addrs: server.curl.get.count: 4 server.curl.get.last.time: 4295389413 server.curl.get.last.ago: 237 server.curl.json.parse: 4 server.curl.json.parsed: 4
-