History

Quantum Safe Key Exchange¶

The IETF IPsec working group (ipsecme) is currently working on two standards that will allow a quantum-safe key exchange:

draft-ietf-ipsecme-ikev2-intermediate: Intermediate Exchange in the IKEv2 Protocol

draft-ietf-ipsecme-ikev2-multiple-ke: Multiple Key Exchanges in IKEv2

Start of the strongSwan charon daemon via systemd:

systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
00[LIB] loaded plugins: charon-systemd random drbg nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 frodo gmp curl kernel-netlink socket-default updown vici
00[JOB] spawning 16 worker threads
13[CFG] loaded certificate 'C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org'
09[CFG] loaded certificate 'C=CH, O=strongSwan Project, CN=strongSwan Root CA'
05[CFG] loaded RSA private key
05[CFG] added vici connection: home
systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

Initiating an IPsec connection:

09[CFG] vici initiate CHILD_SA 'home'
14[IKE] initiating IKE_SA home[1] to 192.168.0.1
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) N(IKE_INT_SUP) V ]
14[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (276 bytes)
10[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (309 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(IKE_INT_SUP) N(MULT_AUTH) V ]
10[IKE] received strongSwan vendor ID
10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519/KE_FRODO_SHAKE_L5
10[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"

10[ENC] generating IKE_INTERMEDIATE request 1 [ KE ]
10[ENC] splitting IKE message (21600 bytes) into 16 fragments
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(1/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(2/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(3/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(4/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(5/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(6/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(7/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(8/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(9/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(10/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(11/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(12/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(13/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(14/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(15/16) ]
10[ENC] generating IKE_INTERMEDIATE request 1 [ EF(16/16) ]
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
10[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (740 bytes)

11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
11[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(1/16) ]
11[ENC] received fragment #1 of 16, waiting for complete IKE message
05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
05[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(2/16) ]
05[ENC] received fragment #2 of 16, waiting for complete IKE message
15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
15[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(3/16) ]
15[ENC] received fragment #3 of 16, waiting for complete IKE message
16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
16[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(4/16) ]
16[ENC] received fragment #4 of 16, waiting for complete IKE message
13[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
13[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(5/16) ]
13[ENC] received fragment #5 of 16, waiting for complete IKE message
07[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
07[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(6/16) ]
07[ENC] received fragment #6 of 16, waiting for complete IKE message
12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(7/16) ]
12[ENC] received fragment #7 of 16, waiting for complete IKE message
12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(8/16) ]
12[ENC] received fragment #8 of 16, waiting for complete IKE message
05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
05[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(9/16) ]
05[ENC] received fragment #9 of 16, waiting for complete IKE message
11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
11[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(10/16) ]
11[ENC] received fragment #10 of 16, waiting for complete IKE message
14[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
14[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(11/16) ]
14[ENC] received fragment #11 of 16, waiting for complete IKE message
12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(12/16) ]
12[ENC] received fragment #12 of 16, waiting for complete IKE message
16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
16[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(13/16) ]
16[ENC] received fragment #13 of 16, waiting for complete IKE message
11[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
11[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(14/16) ]
11[ENC] received fragment #14 of 16, waiting for complete IKE message
16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
16[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(15/16) ]
16[ENC] received fragment #15 of 16, waiting for complete IKE message
12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (852 bytes)
12[ENC] parsed IKE_INTERMEDIATE response 1 [ EF(16/16) ]
12[ENC] received fragment #16 of 16, reassembled fragmented IKE message (21712 bytes)
12[ENC] parsed IKE_INTERMEDIATE response 1 [ KE ]

12[IKE] sending cert request for "C=CH, O=sltrongSwan Project, CN=strongSwan Root CA" 
12[IKE] authentication of 'carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
12[IKE] sending end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org" 
12[IKE] establishing CHILD_SA home{1}
12[ENC] generating IKE_AUTH request 2 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
12[ENC] splitting IKE message (1904 bytes) into 2 fragments
12[ENC] generating IKE_AUTH request 2 [ EF(1/2) ]
12[ENC] generating IKE_AUTH request 2 [ EF(2/2) ]
12[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1460 bytes)
12[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (516 bytes)
10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (1460 bytes)
10[ENC] parsed IKE_AUTH response 2 [ EF(1/2) ]
10[ENC] received fragment #1 of 2, waiting for complete IKE message
10[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (436 bytes)
10[ENC] parsed IKE_AUTH response 2 [ EF(2/2) ]
10[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1824 bytes)
10[ENC] parsed IKE_AUTH response 2 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
10[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org" 
10[CFG]   using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org" 
10[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" 
10[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org" 
10[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
10[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA" 
10[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA" 
10[CFG]   crl is valid: until Aug 19 11:00:05 2020
10[CFG] certificate status is good
10[CFG]   reached self-signed root ca with a path length of 0
10[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
10[IKE] scheduling rekeying in 13171s
10[IKE] maximum IKE_SA lifetime 14611s
10[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
10[IKE] CHILD_SA home{1} established with SPIs c7e7575e_i c3ff255a_o and TS 192.168.0.100/32 === 10.1.0.0/16
10[IKE] peer supports MOBIKE

14[CFG] vici terminate IKE_SA 'home'
06[IKE] deleting IKE_SA home[1] between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
06[IKE] sending DELETE for IKE_SA home[1]
06[ENC] generating INFORMATIONAL request 3 [ D ]
06[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (80 bytes)
16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
16[ENC] parsed INFORMATIONAL response 3 [ ]
16[IKE] IKE_SA deleted
00[DMN] SIGTERM received, shutting down
systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.

Files (0)

Project

General

Profile

strongSwan

Documentation¶

Resources¶

Wiki

Quantum Safe Key Exchange¶