Quantum computers pose a potential challenge to current cryptographic algorithms, such as those used in IKEv2 VPN. Current algorithms are considered to be very robust, but the challenge is that an attacker can record encrypted data today and decrypt it using quantum computers in the future.
The RFC 8784 "Mixing Preshared Keys in the Internet Key Exchange Protocol Version 2 (IKEv2) for Post-quantum Security" offers a way to resist quantum computers when passwords (PSKs) are used. The extension works by "mixing" the standard IKEv2 password key (PSK) with another key in the form of a Post-quantum Preshared Key (PPK) to increase resistance.
Existing IKEv2 PSK tunnels can easily be supplemented with PPKs. The PPK is independent of the existing PSK.
LCOS supports manual configuration of PPKs. Automatic procedures for changing PPKs are not supported.
Table
- PPK ID
- Enter the name of the PPK-ID (Post-quantum Preshared Keys as per RFC 8784) from the table of PPKs.
Table
- PPK ID
- Enter the name of the PPK-ID (Post-quantum Preshared Keys as per RFC 8784) from the table of PPKs.
Table
- PPK-ID
- Set a unique name for this entry. The input format can be a string or hexadecimal number (identified by a leading 0x).
- PPK
- Enter the post-quantum preshared key here as a character string or hexadecimal number (identified by a leading 0x).
- Required
- If the use of PPKs is configured as required, the corresponding VPN connection will be rejected if the remote site does not support or has not configured a PPK. If the use of PPKs is configured as optional, both PPK and non-PPK connections are accepted.
RADIUS attributes
Corresponding RADIUS attributes are also supported:
| ID | Name | Meaning |
|---|---|---|
| LANCOM 33 | LCS-IKEv2-PPK | Specifies the post-quantum preshared key as a string or hexadecimal number (identified by a leading 0x). |
| LANCOM 34 | LCS-IKEv2-PPK-MANDATORY | Specifies whether the use of the passed post-quantum preshared key (PPK) is required. If yes, the corresponding VPN connection will be rejected if the remote site does not support or has not configured a PPK. If the use of PPKs is configured as optional, both PPK and non-PPK connections are accepted. |
| LANCOM 33 | LCS-IKEv2-PPK | Specifies the post-quantum preshared key as a string or hexadecimal number (identified by a leading 0x). |
| LANCOM 34 | LCS-IKEv2-PPK-MANDATORY | Specifies whether the use of the passed post-quantum preshared key (PPK) is required. If yes, the corresponding VPN connection will be rejected if the remote site does not support or has not configured a PPK. If the use of PPKs is configured as optional, both PPK and non-PPK connections are accepted. |
