Change Details

**Summary** Adds support for Post-quantum Preshared Keys (PPK) [RFC 8784]. Strongswan version 5.7.0 added support for PPKs, and VyOS 1.3.8 had strongSwan 5.7.2 included. All later versions of VyOS should support PPKs. **Use case** Provide quantum resistant IPSEC connection when using IKEv2 until (or in addition to) quantum resistant algorithms are available, like ML-KEM and ML-DSA. **Additional information** PPKs are only used with IKEv2, so will need a check that we're using v2 if PPK is configured. strongSwan PPK configuration reference: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_connections_conn_ppk_id and https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_secrets_ppksuffix Example strongSwan PPK configuration for road warriors: https://www.strongswan.org/testing/testresults/ikev2/rw-psk-ppk/index.html > Value of the PPK. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value. Should have at least 256 bits of entropy for 128 bit security **Suggested configuration additions** Configure PPK for use ``` set vpn ipsec authentication ppk <name> id <value> set vpn ipsec authentication ppk <name> secret <value> ``` Use PPK for RA connection ``` set vpn ipsec remote-access connection <name> authentication ppk id <value> set vpn ipsec remote-access connection <name> authentication ppk required (optional) ``` Use PPK for S2S peer ``` set vpn ipsec site-to-site peer <name> authentication ppk id <value> set vpn ipsec site-to-site peer <name> authentication ppk required (optional) ``` **swanctl config** ``` connections { peer { ppk_id = <value> ppk_required = yes [default no, only include this if ppk required in config] ``` ``` secrets { ppk-name { id-ppk-name = "<value>" secret = 0xHEX or 0sBASE64 or string ```

**Summary** Adds support for Post-quantum Preshared Keys (PPK) [RFC 8784]. Strongswan version 5.7.0 added support for PPKs, and VyOS 1.3.8 had strongSwan 5.7.2 included. All later versions of VyOS should support PPKs. **Use case** Provide quantum resistant IPSEC connection when using IKEv2 until (or in addition to) quantum resistant algorithms are available, like ML-KEM and ML-DSA. **Additional information** PPKs are only used with IKEv2, so will need a check that we're using v2 if PPK is configured. strongSwan PPK configuration reference: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_connections_conn_ppk_id and https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_secrets_ppksuffix Example strongSwan PPK configuration for road warriors: https://www.strongswan.org/testing/testresults/ikev2/rw-psk-ppk/index.html > Value of the PPK. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value. Should have at least 256 bits of entropy for 128 bit security **Suggested configuration additions** Configure PPK for use ``` set vpn ipsec authentication ppk <name> id <value> set vpn ipsec authentication ppk <name> secret <value> ``` Use PPK for RA connection ``` set vpn ipsec remote-access connection <name> authentication ppk id <value> set vpn ipsec remote-access connection <name> authentication ppk required (optional) ``` Use PPK for S2S peer ``` set vpn ipsec site-to-site peer <name> authentication ppk id <value> set vpn ipsec site-to-site peer <name> authentication ppk required (optional) ``` **swanctl config** ``` connections { peer { ppk_id = <value> ppk_required = yes [default no, only include this if ppk required in config] ``` ``` secrets { ppk-name { id-ppk-name = <value> secret = 0xHEX or 0sBASE64 or string ```

**Summary** Adds support for Post-quantum Preshared Keys (PPK) [RFC 8784]. Strongswan version 5.7.0 added support for PPKs, and VyOS 1.3.8 had strongSwan 5.7.2 included. All later versions of VyOS should support PPKs. **Use case** Provide quantum resistant IPSEC connection when using IKEv2 until (or in addition to) quantum resistant algorithms are available, like ML-KEM and ML-DSA. **Additional information** PPKs are only used with IKEv2, so will need a check that we're using v2 if PPK is configured. strongSwan PPK configuration reference: https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_connections_conn_ppk_id and https://docs.strongswan.org/docs/latest/swanctl/swanctlConf.html#_secrets_ppksuffix Example strongSwan PPK configuration for road warriors: https://www.strongswan.org/testing/testresults/ikev2/rw-psk-ppk/index.html > Value of the PPK. It may either be an ASCII string, a hex encoded string if it has a 0x prefix or a Base64 encoded string if it has a 0s prefix in its value. Should have at least 256 bits of entropy for 128 bit security **Suggested configuration additions** Configure PPK for use ``` set vpn ipsec authentication ppk <name> id <value> set vpn ipsec authentication ppk <name> secret <value> ``` Use PPK for RA connection ``` set vpn ipsec remote-access connection <name> authentication ppk id <value> set vpn ipsec remote-access connection <name> authentication ppk required (optional) ``` Use PPK for S2S peer ``` set vpn ipsec site-to-site peer <name> authentication ppk id <value> set vpn ipsec site-to-site peer <name> authentication ppk required (optional) ``` **swanctl config** ``` connections { peer { ppk_id = <value> ppk_required = yes [default no, only include this if ppk required in config] ``` ``` secrets { ppk-name { id-ppk-name = "<value>" secret = 0xHEX or 0sBASE64 or string ```