
Post-Quantum IPsec Gateway: Policy Enforcement Point

Leonardo Rizzo

Supervisors: Antonio Lioy, Flavio Ciravegna. Politecnico di Torino, Master's degree programme in Cybersecurity, 2025

License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

The emergence of large-scale quantum computing poses a significant threat to the Public Key Infrastructure (PKI) that secures modern communications. Protocols such as Internet Protocol Security (IPsec), which rely on Internet Key Exchange version 2 (IKEv2) for key establishment, are fundamentally vulnerable to Shor’s algorithm. This vulnerability creates an immediate Harvest Now, Decrypt Later (HNDL) attack vector, where encrypted data harvested today can be retrospectively decrypted once a sufficiently powerful quantum computer is available.

While the National Institute of Standards and Technology (NIST) Post-Quantum Cryptography (PQC) standardisation process has produced new quantum-resistant algorithms, a simple “rip and replace” migration strategy is untenable. The volatility of new cryptographic assumptions, exemplified by the catastrophic failure of SIKE and the practical threat of implementation-specific Side-Channel Attacks (SCAs), demands a new architectural paradigm: cryptographic agility.

This thesis presents the design, implementation, and evaluation of a PQC-Agile IPsec Gateway. The core contribution is a novel architecture that decouples cryptographic policy enforcement from the protocol’s core logic. The solution leverages strongSwan as a high-performance Policy Enforcement Point (PEP) and Open Policy Agent (OPA) as a centralised, declarative Policy Decision Point (PDP). The strongSwan ext-auth plugin is modified and patched to intercept IKEv2 negotiations, gathering the peer’s cryptographic proposal and certificate metadata. This context is sent as a structured JSON query to the OPA engine, which evaluates it against fine-grained Rego policies. These policies enforce minimum security levels (KE and SIG) and validate a diverse cryptographic portfolio, including Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM), Module-Lattice-Based Digital Signature Algorithm (ML-DSA), Bit-Flipping Key Encapsulation (BIKE), and Hamming Quasi-Cyclic (HQC), to provide resilience against the failure of a single algorithm family. Policy decisions are applied through asynchronous helper services, using strongSwan’s VICI interface to manage the Child Security Association (CHILD_SA) lifecycle.

The result is a resilient and operationally flexible gateway that supports auditable and incremental migration to PQC. Administrators can dynamically update cryptographic policy, disable compromised algorithms, or enforce hybrid deployments in real time, without service interruption or gateway redeployment.

Supervisors: Antonio Lioy, Flavio Ciravegna
Academic year: 2025/26
Publication type: Electronic
Number of pages: 100
Subjects:
Degree programme: Master's degree programme in Cybersecurity
Degree class: New system > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/38684