Post-Quantum IPSec Additional Key Exchange
|
Optionally, enable Post-Quantum IPSec Additional Key Exchange rounds.
You can add up to seven additional rounds (Round 1-7), with only one
PQC permitted per round. At a minimum, one PQC is required to add
quantum resistance. Each additional PQC further raises quantum
resistance but increases the size of the IPSec re-key packets.

Configure both sides of the IPSec tunnel with the same PQC and
security strength level in each Additional Key Exchange Round. If
there is a mismatch, the re-key operation fails.

Use the Round 1 - Round 7 drop-downs to display the supported PQCs
for each Additional Key Exchange Round, then select the PQC to use
for that round. The selected PQC must match the other VPN device’s
IPSec crypto setting for the same Additional Key Exchange Round.
IPSec does not auto-negotiate the PQC for each additional round
because only one PQC can be configured per round.

Do not negotiate the same PQC in more than one round, because doing so
doesn’t provide additional quantum resistance. RFC 9370 allows
additional key exchange rounds to be skipped. Leave skipped rounds
blank or set them to None.
|
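The rules above can be checked before a change window by comparing the planned round settings of both tunnel endpoints. The following is an added example, not vendor code: the dictionary layout, the function names, and the sample algorithm/level pairs are constructed for illustration and are not firewall configuration strings.

```python
# Added example: pre-deployment check of Additional Key Exchange rounds.
# Each side is a dict {round_number: (pqc_name, strength_level)}.
# Sample values below are constructed, not device configuration syntax.
MAX_ROUNDS = 7
SKIPPED = (None, "", "None")  # a skipped round is left blank or set to None

def normalize(rounds):
    """Return {1..7: (pqc, level) or None}; reject round numbers outside 1-7."""
    if any(r not in range(1, MAX_ROUNDS + 1) for r in rounds):
        raise ValueError("only Round 1-7 exist")
    return {r: (None if rounds.get(r) in SKIPPED else tuple(rounds[r]))
            for r in range(1, MAX_ROUNDS + 1)}

def check_peers(local, remote):
    """Return a list of findings; an empty list means both sides agree."""
    a, b = normalize(local), normalize(remote)
    findings = []
    # Both sides need the same PQC and strength level in every round.
    for r in range(1, MAX_ROUNDS + 1):
        if a[r] != b[r]:
            findings.append(f"round {r}: mismatch {a[r]} vs {b[r]} (re-key fails)")
    for side, cfg in (("local", a), ("remote", b)):
        used = [v[0] for v in cfg.values() if v]
        if not used:
            findings.append(f"{side}: no PQC configured, no quantum resistance added")
        # Assumption: the same algorithm at a different level still counts
        # as "the same PQC" repeated across rounds.
        for pqc in sorted({p for p in used if used.count(p) > 1}):
            findings.append(f"{side}: {pqc} repeated in more than one round")
    return findings

# Constructed sample: Round 2 differs in strength level, Round 3 is skipped.
LOCAL = {1: ("ML-KEM", 3), 2: ("HQC", 3), 3: "None"}
REMOTE = {1: ("ML-KEM", 3), 2: ("HQC", 5)}

if __name__ == "__main__":
    for finding in check_peers(LOCAL, REMOTE):
        print(finding)
```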