T8136: IPSEC PPK Support #1733
Open
T8136: IPSEC PPK Support #1733
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
12 tasks
alexandr-san4ez
suggested changes
Jan 13, 2026
| tunnels when a Post-Quantum key exchange algorithm such as ML-KEM is not | ||
| available. The use of PPKs in IKEv2 is described in :rfc:`8784`. | ||
|
|
||
| PPKs can be configued within VyOS under the vpn.ipsec.authentication.ppk |
Contributor
There was a problem hiding this comment.
Suggested change
| PPKs can be configued within VyOS under the vpn.ipsec.authentication.ppk | |
| PPKs can be configued within VyOS under the `vpn ipsec authentication ppk` |
In my opinion it will be better this way.
Comment on lines
119
to
144
| PPKs can be configued within VyOS under the vpn.ipsec.authentication.ppk | ||
| config. | ||
|
|
||
| .. cfgmod:: edit vpn authentication ppk <name> | ||
|
|
||
| PPKs need an id and a secret value. The ID and secret must match if PPKs are | ||
| required for a successful IPSEC connection. The secret can be plain text, a | ||
| hex value, or a base64 value. The default is plain text. If using another | ||
| type of value, you must define the secret-type. | ||
|
|
||
| .. cfgmod:: set vpn authentication ppk <name> secret-type <plaintext|hex|base64> | ||
|
|
||
| To use a PPK within a site-to-site or remote-access connection, define the PPK | ||
| id under the connection. | ||
|
|
||
| .. cfgmod:: set vpn ipsec site-to-site <name> ppk id <id> | ||
|
|
||
| Optionally, you can require the use of PPK to have a successful connection. | ||
|
|
||
| .. cfgmod:: set vpn ipsec site-to-site <name> ppk required | ||
|
|
||
| To confirm the use of a PPK in an IKE SA, check for the presence of "up-ppk" in | ||
| the output of the show command under the status heading. If you only see "up", or | ||
| "down", PPK is not in use. | ||
|
|
||
| .. cfgmod:: show vpn ike sa |
Contributor
There was a problem hiding this comment.
Suggested change
| PPKs can be configued within VyOS under the vpn.ipsec.authentication.ppk | |
| config. | |
| .. cfgmod:: edit vpn authentication ppk <name> | |
| PPKs need an id and a secret value. The ID and secret must match if PPKs are | |
| required for a successful IPSEC connection. The secret can be plain text, a | |
| hex value, or a base64 value. The default is plain text. If using another | |
| type of value, you must define the secret-type. | |
| .. cfgmod:: set vpn authentication ppk <name> secret-type <plaintext|hex|base64> | |
| To use a PPK within a site-to-site or remote-access connection, define the PPK | |
| id under the connection. | |
| .. cfgmod:: set vpn ipsec site-to-site <name> ppk id <id> | |
| Optionally, you can require the use of PPK to have a successful connection. | |
| .. cfgmod:: set vpn ipsec site-to-site <name> ppk required | |
| To confirm the use of a PPK in an IKE SA, check for the presence of "up-ppk" in | |
| the output of the show command under the status heading. If you only see "up", or | |
| "down", PPK is not in use. | |
| .. cfgmod:: show vpn ike sa | |
| .. cfgmod:: edit vpn authentication ppk <name> | |
| PPKs can be configued within VyOS under the `vpn ipsec authentication ppk` | |
| config. | |
| .. cfgmod:: set vpn authentication ppk <name> secret-type <plaintext|hex|base64> | |
| PPKs need an id and a secret value. The ID and secret must match if PPKs are | |
| required for a successful IPSEC connection. The secret can be plain text, a | |
| hex value, or a base64 value. The default is plain text. If using another | |
| type of value, you must define the secret-type. | |
| .. cfgmod:: set vpn ipsec site-to-site <name> ppk id <id> | |
| To use a PPK within a site-to-site or remote-access connection, define the PPK | |
| id under the connection. | |
| .. cfgmod:: set vpn ipsec site-to-site <name> ppk required | |
| Optionally, you can require the use of PPK to have a successful connection. | |
| .. cfgmod:: show vpn ike sa | |
| To confirm the use of a PPK in an IKE SA, check for the presence of "up-ppk" in | |
| the output of the show command under the status heading. If you only see "up", or | |
| "down", PPK is not in use. |
As I see on other pages, the command description should be after the command (not before).
alexandr-san4ez
approved these changes
Feb 4, 2026
Contributor
alexandr-san4ez
left a comment
alexandr-san4ez
left a comment
There was a problem hiding this comment.
The changes I requested have been made.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Change Summary
Provides information on use of post-quantum preshared keys (PPK)
Related Task(s)
Related PR(s)
vyos/vyos-1x#4930
Backport
Checklist: