Configuring Post-quantum Pre-Shared Key

The Post-quantum Pre-Shared Key (PPK) is used in addition to the Diffie-Hellman (DH) key exchange in the IKEv2 protocol to mitigate the threat that quantum computers pose to the negotiated keys.

It is believed that a future quantum computer could break the DH algorithm and recover the secret key that protects the communication. PPK mixes an additional shared secret into the keys derived from the DH result, which mitigates this threat. Hence, when PPK is used with the IKEv2 protocol, an attacker who stores the encrypted traffic now and later uses a quantum computer to recover the DH secret still cannot decrypt the traffic.

A PPK consists of a Key ID and a Pre-shared secret. For more details on PPK, refer to RFC 8784.

Note:
  • The communicating devices exchange the Key ID during the IKEv2 handshake; the pre-shared secret is never transmitted and is shared only through configuration.
  • When the same SMC manages both gateways and only one of them has a PPK configured, the SMC automatically creates a new PPK element, with an auto-generated unique primary PPK ID, and selects it for the gateway that has no PPK configured.
  • The PPK feature is not supported for VPN broker tunnels.
Requirements:
  • To establish a VPN tunnel between devices using PPK with the IKEv2 protocol, both devices involved in the communication must support the PPK feature.
  • The PPK feature is only supported on Engine versions 7.3 and later.
  • The PPK feature is only supported for route-based and policy-based tunnels.
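
How the PPK is mixed into the IKEv2 keys, as an added illustration that is not part of this documentation or of any SMC/Engine code: it follows RFC 8784 section 5.1 (SK_d' = prf+(PPK, SK_d), and likewise for SK_pi and SK_pr, using the prf+ construction of RFC 7296) with HMAC-SHA256 as the assumed PRF, each mixed key truncated to the length of the key it replaces, and constructed placeholder key material and Key ID. It also shows why only the Key ID crosses the wire and why a stored session cannot be decrypted later without the PPK.

```python
import hashlib
import hmac

# IKEv2 PRF assumed to be PRF_HMAC_SHA2_256 for this example.
HASH = hashlib.sha256

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, HASH).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S | 0x01),
    Tn = prf(K, Tn-1 | S | n); the concatenation is truncated to `length`."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]

def mix_ppk(ppk: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes) -> tuple:
    """RFC 8784 section 5.1: SK_d' = prf+(PPK, SK_d), SK_pi' = prf+(PPK, SK_pi),
    SK_pr' = prf+(PPK, SK_pr). The PPK is the PRF key and the DH-derived key is
    the data, so the DH result alone is not enough to recompute them."""
    return tuple(prf_plus(ppk, k, len(k)) for k in (sk_d, sk_pi, sk_pr))

# Constructed placeholders for the keys IKE_SA_INIT derives from the DH result;
# they are not output of any real device or handshake.
SK_D = HASH(b"constructed SK_d").digest()
SK_PI = HASH(b"constructed SK_pi").digest()
SK_PR = HASH(b"constructed SK_pr").digest()

# Constructed local PPK configuration: Key ID -> pre-shared secret.
PPK_STORE = {b"ppk-id-example": HASH(b"constructed PPK secret").digest()}

def responder_keys(ppk_id: bytes, sk_d: bytes, sk_pi: bytes, sk_pr: bytes) -> tuple:
    """Only the Key ID travels in the handshake (RFC 8784 PPK_IDENTITY notify);
    the secret is looked up in local configuration and is never sent."""
    if ppk_id not in PPK_STORE:
        raise KeyError("no PPK configured for Key ID %r" % ppk_id)
    return mix_ppk(PPK_STORE[ppk_id], sk_d, sk_pi, sk_pr)

def harvest_now_decrypt_later_check() -> bool:
    """Both peers holding the PPK agree; a party holding only the DH-derived keys
    (e.g. after breaking DH with a quantum computer) cannot reproduce them."""
    initiator = mix_ppk(PPK_STORE[b"ppk-id-example"], SK_D, SK_PI, SK_PR)
    responder = responder_keys(b"ppk-id-example", SK_D, SK_PI, SK_PR)
    without_ppk = mix_ppk(b"", SK_D, SK_PI, SK_PR)
    return initiator == responder and without_ppk != initiator
```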

Steps

  1. Create a PPK element. For more details, refer to the Create Post-quantum Pre-shared Key element topic.
  2. Configure PPK settings in the VPN profile. For more details, refer to the Create VPN Profile elements topic.
  3. Select the VPN profile that is configured with the PPK settings and the PPK element for the VPN tunnel. For more details:
    • For policy-based tunnels, refer to the Define VPN tunnel settings for policy-based VPNs topic.
    • For route-based tunnels, refer to the Create Route-based Tunnels elements topic.