This repository contains a testing environment for our QKD-enabled strongSwan fork, which integrates Quantum Key Distribution (QKD) into the IKEv2 protocol (in place of IKEv2's own key agreement). The setup uses Docker containers to simulate a client-server (Alice-Bob) environment for testing secure communication channels.
The testing environment is derived from the strongX509/docker project and modified to support our QKD integration testing.
The qursa-uc3m/strongswan strongSwan fork includes two plugins:
- QKD-KEM Plugin: Hybridizes QKD with Post-Quantum Cryptography using the QKD-KEM Provider, which depends on the QKD-ETSI API.
- QKD Plugin: Implements bare QKD integration.
To test a specific plugin:

1. Set the `BUILD_QKD_KEM` variable in `docker-compose.yml`:
   - `"true"`: Builds the QKD-KEM plugin with its required dependencies (qkd-etsi-api and qkd-kem-provider)
   - `"false"`: Builds only the basic QKD plugin

2. Enable the corresponding plugin in `scripts/build_strongswan.sh`:
   - For the QKD plugin: `--enable-qkd`
   - For the QKD-KEM plugin: `--enable-qkd-kem`

3. Copy the plugin-specific configuration files:

```
# From config/<plugin_name>/ to:
alice/           # Client configuration
bob/             # Server configuration
strongswan.conf  # Main strongSwan configuration
```
Note: The provided configuration for the QKD-KEM plugin tests the hybridization of QKD with Kyber768.
Generate certificates (run outside Docker):

```
./scripts/gen_certs.sh
```

Clean the Docker environment (optional):

```
sudo docker system prune -a --volumes
```

Build and launch the containers:

```
docker-compose build --no-cache && docker-compose up
```

Start Bob (server):

```
docker exec -ti bob /bin/bash
./charon
```

Start Alice (client):

```
docker exec -ti alice /bin/bash
./charon
```

Initiate the test connection:

```
docker exec -ti alice /bin/bash
swanctl --initiate --child net
```
If you run Wireshark before initiating the connection and filter for IKEv2 traffic with the display filter `udp.port==500 || udp.port==4500`, you should see the IKEv2 exchange.
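To show what that Wireshark view corresponds to on the wire, here is an added example (not code from this repository or from the strongSwan fork) that decodes the fixed IKEv2 header (RFC 7296, section 3.1) from UDP datagrams on ports 500 and 4500, including the four-byte non-ESP marker that prefixes IKE on port 4500 (RFC 3948). The Alice/Bob SPIs, exchange sequence and payload bodies are constructed sample data, not a capture from the containers; the QKD-specific payloads of the fork are opaque to this decoder, which only reads the header.

```python
"""Decode IKEv2 headers from UDP/500 and UDP/4500 datagrams (added example)."""
import struct

# Fixed 28-byte IKE header: SPIi(8) SPIr(8) NextPayload(1) Version(1)
# ExchangeType(1) Flags(1) MessageID(4) Length(4), network byte order.
IKE_HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    34: "IKE_SA_INIT",
    35: "IKE_AUTH",
    36: "CREATE_CHILD_SA",
    37: "INFORMATIONAL",
}
FLAG_INITIATOR = 0x08  # sent by the original initiator of the IKE SA
FLAG_VERSION = 0x10    # "higher version available" hint
FLAG_RESPONSE = 0x20   # message is a response, not a request

# RFC 3948: IKE on UDP 4500 is prefixed with four zero bytes so it can be
# told apart from ESP-in-UDP, whose first four bytes are a non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def parse_ike_header(udp_payload: bytes, udp_port: int) -> dict:
    """Decode the IKEv2 header of one UDP datagram and return its fields."""
    if udp_port == 4500:
        if not udp_payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 datagram without non-ESP marker (ESP-in-UDP, not IKE)")
        udp_payload = udp_payload[len(NON_ESP_MARKER):]
    elif udp_port != 500:
        raise ValueError(f"not an IKE port: {udp_port}")
    if len(udp_payload) < IKE_HEADER.size:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, next_payload, version, exch, flags, msg_id, length = IKE_HEADER.unpack_from(udp_payload)
    major, minor = version >> 4, version & 0x0F
    if major != 2:
        raise ValueError(f"not IKEv2 (major version {major})")
    if length != len(udp_payload):
        raise ValueError(f"length field {length} != datagram length {len(udp_payload)}")
    return {
        "spi_i": spi_i.hex(),
        "spi_r": spi_r.hex(),
        "next_payload": next_payload,
        "version": f"{major}.{minor}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "initiator": bool(flags & FLAG_INITIATOR),
        "response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "length": length,
    }


def build_ike_datagram(spi_i, spi_r, exchange, flags, msg_id, next_payload, body, nat_t=False):
    """Build a UDP payload with a valid IKEv2 header; used here only to create sample input."""
    hdr = IKE_HEADER.pack(spi_i, spi_r, next_payload, 0x20, exchange, flags, msg_id,
                          IKE_HEADER.size + len(body))
    return (NON_ESP_MARKER if nat_t else b"") + hdr + body


def summarize(datagrams):
    """Return one line per datagram, the way the conversation reads in a packet list."""
    lines = []
    for port, data in datagrams:
        h = parse_ike_header(data, port)
        role = "response" if h["response"] else "request"
        lines.append(f"udp/{port} {h['exchange']} {role} msg_id={h['message_id']} "
                     f"spi_i={h['spi_i']} spi_r={h['spi_r']}")
    return lines


# Constructed sample conversation between Alice (initiator) and Bob (responder).
# Payload bodies are opaque filler; only the headers are decoded.
SPI_A = bytes.fromhex("0102030405060708")
SPI_B = bytes.fromhex("a1a2a3a4a5a6a7a8")
SAMPLE = [
    # IKE_SA_INIT: the responder SPI is still zero in the request; next payload 33 = SA
    (500, build_ike_datagram(SPI_A, bytes(8), 34, FLAG_INITIATOR, 0, 33, b"\x00" * 16)),
    (500, build_ike_datagram(SPI_A, SPI_B, 34, FLAG_RESPONSE, 0, 33, b"\x00" * 16)),
    # IKE_AUTH shown on UDP 4500 with the non-ESP marker, as happens when a NAT
    # is detected; next payload 46 = Encrypted and Authenticated
    (4500, build_ike_datagram(SPI_A, SPI_B, 35, FLAG_INITIATOR, 1, 46, b"\x00" * 32, nat_t=True)),
    (4500, build_ike_datagram(SPI_A, SPI_B, 35, FLAG_RESPONSE, 1, 46, b"\x00" * 32, nat_t=True)),
]

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

The length check against the datagram size and the non-ESP marker check are the two places where a decoder most often goes wrong when reading a capture: a port-4500 datagram without the marker is ESP-in-UDP, not IKE, and a header whose length field disagrees with the datagram is truncated or not IKE at all.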