Description:

Quantum computers pose a major challenge for current cryptographic methods, including those used in IKEv2 connections. Although these algorithms are currently considered to be very robust against attacks, it is conceivable that attackers could record encrypted data traffic now and decrypt it at a later date using a quantum computer. 

To protect data traffic on IKEv2 connections against attacks by quantum computers, RFC 8784, “Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security”, was introduced. This extension allows IKEv2 connections that use a preshared key (PSK) to be additionally secured with a post-quantum preshared key (PPK).

This article describes how to extend an existing IKEv2 connection between two LANCOM routers with post-quantum preshared keys.

In the LMC, this feature is accessed and configured via the detail configuration of the router.

Requirements:

Procedure:

1) Configuring the post-quantum preshared keys at the Headquarters:

1.1) Connect to the router at the Headquarters and navigate to the menu VPN → IKEv2/IPSec → Extended settings.

1.2) Go to the PPKs menu.

1.3) Create a new entry and adjust the following parameters:

  • PPK-ID: Enter a unique name for the PPK (in this example PPK-1).
  • PPK: Assign a password as PPK.
  • Mandatory: From the drop-down menu, select the option Yes. This means that the VPN connection will only be established if the remote site also uses a PPK. The setting No means that the use of PPKs is optional.

The PPK-ID and the PPK itself must match on both VPN routers in order for the VPN to connect.

1.4) Switch to the menu VPN → IKEv2/IPsec → Authentication.

1.5) Select the VPN connection to be secured and click Edit.

1.6) From the drop-down menu for PPK-ID, select the PPK-ID created in step 1.3.

1.7) This concludes the configuration steps at the headquarters.



2) Configuring the post-quantum preshared keys at the branch office:

2.1) Connect to the router at the branch office and navigate to the menu VPN → IKEv2/IPSec → Extended settings.

2.2) Go to the PPKs menu.

2.3) Create a new entry and adjust the following parameters:

  • PPK-ID: Enter the PPK-ID created in step 1.3 (in this example PPK-1).
  • PPK: Enter the password set in step 1.3.
  • Mandatory: From the drop-down menu, select the option Yes. This means that the VPN connection will only be established if the remote site also uses a PPK. The setting No means that the use of PPKs is optional.

The PPK-ID and the PPK itself must match on both VPN routers in order for the VPN to connect.

2.4) Switch to the menu VPN → IKEv2/IPsec → Authentication.

2.5) Select the VPN connection to be secured and click Edit.

2.6) From the drop-down menu for PPK-ID, select the PPK-ID created in step 2.3.

2.7) This concludes the configuration steps at the branch office.



3) Restart the VPN connection:

These changes only come into effect after restarting the VPN connection. The disconnect can be initiated at the branch office or at the headquarters.

3.1) Restart the VPN connection using LANmonitor:

Select the VPN connection, right-click, and select the context-menu option Disconnect.


3.2) Restart the VPN connection from the command line:

Enter the command to disconnect the VPN connection in the following format:

do Other/Manual-Dialing/Disconnect <Name of the VPN connection> 

In this example, the command would appear as follows: 

do Other/Manual-Dialing/Disconnect HEADQUARTER



4) Checking the quantum resistance of the VPN connection in the VPN status:

With the CLI command ls Status/VPN/Connections you can check whether the configured PPK is used on the VPN connection. If the field Quantum-Resistant displays Yes, the connection uses the PPK.
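
The following sketch is an added example, not LANCOM code or part of the original article. It shows how RFC 8784 mixes the PPK into SK_d, SK_pi and SK_pr, and why a mismatched PPK, or a missing PPK on one side while Mandatory is set to Yes, prevents the connection. HMAC-SHA-256 as the PRF, the simplified `connect` model and all key values are assumptions constructed for illustration.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: PRF_HMAC_SHA2_256 is the negotiated IKEv2 PRF.
    return hmac.new(key, data, hashlib.sha256).digest()

def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    # prf+ from RFC 7296: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]

def mix_ppk(ppk: bytes, classical: dict) -> dict:
    # RFC 8784: SK_d = prf+(PPK, SK_d'), and the same for SK_pi and SK_pr.
    # SK_e*/SK_a* of the initial IKE SA are NOT changed by the PPK.
    return {name: prf_plus(ppk, key, len(key)) for name, key in classical.items()}

# Constructed stand-ins for the keys both routers derive from the (EC)DH exchange.
_stream = prf_plus(b"constructed-SKEYSEED", b"constructed-nonces-and-SPIs", 96)
CLASSICAL = {"SK_d": _stream[:32], "SK_pi": _stream[32:64], "SK_pr": _stream[64:]}

def connect(hq: dict, branch: dict) -> str:
    # Simplified model of the Mandatory setting. Each side is a dict with
    # "ppk_id", "ppk" (None if no PPK is configured) and "mandatory".
    usable = (hq["ppk"] is not None and branch["ppk"] is not None
              and hq["ppk_id"] == branch["ppk_id"])
    if not usable:
        if hq["mandatory"] or branch["mandatory"]:
            return "failed"
        return "classic"
    # AUTH payloads are keyed with SK_pi/SK_pr, so differing PPKs fail authentication.
    if mix_ppk(hq["ppk"], CLASSICAL) != mix_ppk(branch["ppk"], CLASSICAL):
        return "failed"
    return "quantum-resistant"

if __name__ == "__main__":
    ppk = b"constructed-ppk-value-0123456789abcdef"
    hq = {"ppk_id": "PPK-1", "ppk": ppk, "mandatory": True}
    no_ppk = {"ppk_id": None, "ppk": None, "mandatory": False}
    print(connect(hq, dict(hq)))                # same PPK-ID and PPK
    print(connect(hq, {**hq, "ppk": b"typo"}))  # same PPK-ID, different PPK
    print(connect(hq, no_ppk))                  # peer has no PPK, HQ is mandatory
```

Because only SK_d, SK_pi and SK_pr are mixed with the PPK, the protection applies to the keys derived for the IPsec tunnel, which is where recorded user traffic is encrypted.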