Best Practices for Quantum Safe Key Exchange and VPN Tunnel Encryption

Important - This feature supports only Security Gateways with version R82 and higher.

Introduction

In modern cyber security environments, ensuring the robustness of encryption is important. Internet Key Exchange version 2 (IKEv2) is critical for establishing secure VPN tunnels. Quantum Safe Key Exchange includes these enhancements to IKEv2 that strengthen its resilience:

This enhancement introduces an additional exchange that can utilize the existing IKE fragmentation mechanism, which helps prevent IP fragmentation of large IKE messages.

This is particularly valuable when longer key exchange methods are employed, as it cannot be used in the initial IKEv2 exchange.

With this enhancement, IKEv2 can perform multiple key exchanges with the use of different cryptographic algorithms, including Post-Quantum algorithms.

The security of the entire exchange is designed to be at least as strong as the most secure algorithm employed, to ensure that even if one method is compromised, the overall key exchange remains protected.

These enhancements greatly improve IKEv2 performance and security, especially in environments where large key exchanges and Post-Quantum Cryptography (PQC) are being adopted.

In addition, this section includes recommended Post Quantum Encryption Best Practices for VPN tunnel encryption.

Configuring Quantum Safe Key Exchange in SmartConsole

  1. In SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on., click the Objects menu > Object Explorer (or press the CTRL+E keys).

  2. From the left navigation tree, click VPN Communities.

  3. Double-click an existing VPN CommunityClosed A named collection of VPN domains, each protected by a VPN gateway. object (or create a new object).

    The VPN Community object window opens and shows the Gateways page.

  4. From the navigation tree, click Encryption.

  5. Select the checkbox Quantum Safe Key Exchange.

    Note - When you select this checkbox, the VPN Community object uses the default profile.

    To change the default profile settings, you must use Management API. See Configuring Quantum Safe Key Exchange with Management API.

  6. Configure other required settings in this VPN Community object.

  7. Click OK.

  8. Install the Access Control Policy on all Security Gateways that participate in this VPN Community.

Configuring Quantum Safe Key Exchange with Management API

Refer to one of these Management API References > Chapter "VPN":

  1. If it is necessary to change the default profile settings for Quantum Safe Key Exchange, then create the required Multiple Exchanges Proposal object.

    In the Management API Reference, refer to the Chapter "VPN" > Section "Multiple Key Exchanges":

    add multiple-key-exchanges

  2. Configure IKE parameters in the VPN Community.

    In the Management API Reference, refer to the Chapter "VPN".

    • For a Meshed VPN Community, refer to the Section "VPN Community Meshed":

      add vpn-community-meshed

      set vpn-community-meshed

    • For a Star VPN Community, refer to the Section "VPN Community Star":

      add vpn-community-star

      set vpn-community-star

    Required API Parameters:

    IKE Phase

    Parameter

    Sub-Parameter

    IKE Phase 1

    ike-phase-1

    • multiple-key-exchanges

    • use-multiple-key-exchanges

    IKE Phase 2

    ike-phase-2

    • multiple-key-exchanges

    • use-multiple-key-exchanges

  3. Install the Access Control Policy on all Security Gateways that participate in this VPN Community.

    In the Management API Reference, refer to the Chapter "Policy".

    verify-policy

    install-policy

Post-Quantum VPN Tunnel Encryption Best Practices

In addition to Quantum Safe Key Exchange, we recommend Best Practices for VPN TunnelClosed An encrypted connection between two hosts using standard protocols (such as L2TP) to encrypt traffic going in and decrypt it coming out, creating an encapsulated network through which data can be safely shared as though on a physical private line. Encryption. To follow all of these Best Practices, all member gateways in the VPN Community must support all of these settings.

  1. In SmartConsole, click the Objects menu > Object Explorer (or press the CTRL+E keys).

  2. From the left navigation tree, click VPN Communities.

  3. Double-click an existing VPN Community object (or create a new object).

    The VPN Community object window opens and shows the Gateways page.

  4. From the navigation tree, click Encryption.

  5. For Encryption Method, select IKEv2 only.

  6. Select Custom encryption suite.

  7. For Encryption algorithm, select AES-256.

  8. For Data Integrity, select SHA-384.

  9. For Diffie-Hellman Group, select a group higher than 15.

  10. Select the checkbox Use Perfect Forward Secrecy.

  11. Select the checkbox Quantum Safe Key Exchange.

    Note - When you select this checkbox, the VPN Community object uses the default profile.

    To change the default profile settings, you must use Management API. See Configuring Quantum Safe Key Exchange with Management API.

  12. Configure other required settings in this VPN Community object.

  13. Click OK.

  14. Install the Access Control Policy on all Security Gateways that participate in this VPN Community.

Advanced Configuration: Setting the Security Gateway to Use Only Quantum Safe Key Exchange

Quantum Safe Key Exchange with Post-Quantum Cryptography (PQC) is possible only if all VPN peers support it and agree to use it. In an advanced configuration, a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. agrees to create a VPN tunnel only with a VPN peer that agrees to use PQC.

New: R82 Jumbo Hotfix Accumulator Take 41 added support for the ML-KEM set of algorithms as required by the FIPS 203 standard to address Post-Quantum Cryptography (PQC).

For information on Gateway compatibility and PQC behavior in mixed environments, refer to sk184080

Default Behavior

A Security Gateway with Quantum Safe Key Exchange and standard exchange enabled starts an IKE negotiation by sending a PQC proposal and a standard proposal. If the VPN peer gateway does not agree to use PQC,the peer gateway continues the negotiation using the standard proposal.

Advanced Configuration

A Security Gateway with only Quantum Safe Key Exchange enabled starts an IKE negotiation by proposing only to use PQC. If the VPN peer gateway does not agree to use Quantum Safe Key Exchange, the Security Gateway stops the IKE negotiation.

Refer to one of these Management API References > Chapter "VPN":

  • Online Check Point Management API Reference.

  • Offline Management API Reference on the Management ServerR82 and higher at this URL (must enable this access as described in sk174606):

    https://<IP Address of Management Server>/api_docs/#introduction

    Example: https://192.168.3.57/api_docs/#introduction

  1. If the Multiple Exchanges Proposal object does not exist, create it.

    In the Management API Reference, refer to the Chapter "VPN" > Section "Multiple Key Exchanges":

    add multiple-key-exchanges

  2. Configure IKE parameters in the VPN Community.

    In the Management API Reference, refer to the Chapter "VPN".

    • For a Meshed VPN Community, refer to the Section "VPN Community Meshed":

      add vpn-community-meshed

      set vpn-community-meshed

    • For a Star VPN Community, refer to the Section "VPN Community Star":

      add vpn-community-star

      set vpn-community-star

    API Parameters for Advanced Configuration of Quantum Safe Key Exchange (PQC):

     

    IKE Phase

    Parameter

    Value of use-multiple-key-exchanges Boolean

    Value of use-standard-proposal Boolean

    Security Gateway Behavior during the IKE Phase

    IKE Phase 1

    ike-phase-1

    true

    		true (default value)

    In an IKE Phase 1 negotiation, the Security Gateway proposes PQC and standard IKE. If the peer gateway does not agree to PQC, the Security Gateway agrees to use standard IKE.

     

    IKE Phase 1

    ike-phase-1

    true

    false

    In an IKE Phase 1 negotiation, the Security Gateway proposes only PQC. If the VPN peer does not agree to PQC, the Security Gateway ends the negotiation.

    IKE Phase 2

    ike-phase-2

    true

    true (default value)

    In an IKE Phase 2 negotiation, the Security Gateway proposes PQC and standard IKE. If the peer gateway does not agree to PQC, the Security Gateway agrees to use standard IKE.

    IKE Phase 2

    ike-phase-2

    true

    false

    In an IKE Phase 1 negotiation, the Security Gateway proposes only PQC. If the VPN peer does not agree to PQC, the Security Gateway ends the negotiation.

    Note - If the value of use-multiple-key-exchanges is false, the Security Gateway does not use PQC. It is not possible to set both use-multiple-key-exchanges and use-standard-proposal to false, because this would prevent the Security Gateway from completing any IKE negotiation.

  3. Install the Access Control Policy on all Security Gateways that participate in this VPN Community.

    In the Management API Reference, refer to the Chapter "Policy".

    verify-policy

    install-policy