topic MACsec: Why is the traffic not encrypted?? in Network Security

MACsec: Why is the traffic not encrypted??

eric-2340 — Sun, 09 Jun 2024 19:49:44 GMT

Hello everyone, I would like to ask for help regarding the configuration of two 3650 switches, one with IOS Software Denali Version 16.3.8prd2, and one with Cisco IOS Software Everest Version 16.6.6. The issue I'm encountering is that once the configuration is completed and MACsec is functioning on the two devices, the traffic is not encrypted. In fact, when sniffing with Wireshark, I see the traffic generated by the two g1/0/1 ports in clear text.

The MACsec I want to set up does not use authentication servers.

sho license feature-version (SW - IOS Software Denali Version 16.3.8prd2)
Feature Name Version
----------------------------
ipservices 1.0
ipservices eval 1.0
ipbase 1.0
ipbase eval 1.0
lanbase 1.0
apcount eval 1.0
apcount base 1.0
apcount adder 1.0

sho license feature-version (SW - Cisco IOS Software Everest Version 16.6.6)
Feature Name Version
---------------------------------------
ipservices 1.1
ipservices eval 1.1
ipbase 1.1
ipbase eval 1.1
lanbase 1.1

Let me list the configuration parameters that I have set:

SW1 e SW2

show key chain

Key-chain MKA-KC:

MacSEC key chain

key 0100000000000000000000000000000000000000000000000000000000000000 -- text "1234567890123456789012345678901212385423694172681365247823957412"

cryptographic-algorithm: aes-256-cmac

lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]

mka policy MKA-POLICY

delay-protection

macsec-cipher-suite gcm-aes-128 gcm-aes-256

sak-rekey on-live-peer-loss

interface GigabitEthernet1/0/1

switchport trunk allowed vlan xx

switchport mode trunk

macsec network-link

mka policy MKA-POLICY

mka pre-shared-key key-chain MKA-KC

show mka policy

MKA Policy Summary...

Codes : CO - Confidentiality Offset, ICVIND - Include ICV-Indicator,

SAKR OLPL - SAK-Rekey On-Live-Peer-Loss,

DP - Delay Protect, KS Prio - Key Server Priority

Policy KS DP CO SAKR ICVIND Cipher Interfaces

Name Prio OLPL Suite(s) Applied

===============================================================================

*DEFAULT POLICY* 0 FALSE 0 FALSE TRUE GCM-AES-128

MKA-POLICY 0 TRUE 0 TRUE TRUE GCM-AES-128 Gi1/0/1

GCM-AES-256

sho macsec interface gigabitEthernet 1/0/1

MACsec is enabled

Replay protect : enabled

Replay window : 0

Include SCI : yes

Use ES Enable : no

Use SCB Enable : no

Admin Pt2Pt MAC : forceTrue(1)

Pt2Pt MAC Operational : no

Cipher : GCM-AES-128

Confidentiality Offset : 0

Capabilities

ICV length : 16

Data length change supported: yes

Max. Rx SA : 16

Max. Tx SA : 16

Max. Rx SC : 8

Max. Tx SC : 8

Validate Frames : strict

PN threshold notification support : Yes

Ciphers supported : GCM-AES-128

GCM-AES-256

Transmit Secure Channels

SCI : C4F7D5ACC7810007

SC state : notInUse(2)

Elapsed time : 00:02:10

Start time : 7w0d

Current AN: 1

Previous AN: -

Next PN: 0

SA State: notInUse(2)

Confidentiality : no

SAK Unchanged : no

SA Create time : 04:44:14

SA Start time : 7w0d

SC Statistics

Auth-only Pkts : 0

Auth-only Bytes : 0

Encrypt Pkts : 0

Encrypt Bytes : 0

SA Statistics

Auth-only Pkts : 0

Encrypt Pkts : 20

Port Statistics

Egress untag pkts 4

Egress long pkts 1098315137384

Receive Secure Channels

SCI : 00FD2217DA810007

SC state : notInUse(2)

Elapsed time : 00:02:10

Start time : 7w0d

Current AN: 1

Previous AN: -

Next PN: 87

RX SA Count: 0

SA State: notInUse(2)

SAK Unchanged : no

SA Create time : 04:44:13

SA Start time : 7w0d

SC Statistics

Notvalid pkts 0

Invalid pkts 0

Valid pkts 0

Valid bytes 0

Late pkts 0

Uncheck pkts 0

Delay pkts 0

UnusedSA pkts 0

NousingSA pkts 0

Decrypt bytes 0

SA Statistics

Notvalid pkts 0

Invalid pkts 0

Valid pkts 86

UnusedSA pkts 0

NousingSA pkts 0

Port Statistics

Ingress untag pkts 1099082953256

Ingress notag pkts 8531

Ingress badtag pkts 0

Ingress unknownSCI pkts 0

Ingress noSCI pkts 2

Ingress overrun pkts 1098423581264

show macsec summary

Interface Transmit SC Receive SC

GigabitEthernet1/0/1 1 1

sho mka sessions interface g1/0/1 detail

MKA Detailed Status for MKA Session

===================================

Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. c4f7.d5ac.xxxx/0007

Interface MAC Address.... c4f7.d5ac.xxxx

MKA Port Identifier...... 7

Interface Name........... GigabitEthernet1/0/1

Audit Session ID.........

CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000

Member Identifier (MI)... F1E6DDBAB22A87915F0B7E20

Message Number (MN)...... 945

EAP Role................. NA

Key Server............... NO

MKA Cipher Suite......... AES-256-CMAC

Latest SAK Status........ Rx & Tx

Latest SAK AN............ 1

Latest SAK KI (KN)....... 4E4F014EF97A16A0A72D289A00000012 (18)

Old SAK Status........... No Rx, No Tx

Old SAK AN............... 0

Old SAK KI (KN).......... RETIRED (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)

SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... MKA-POLICY

Key Server Priority...... 0

Delay Protection......... YES

Delay Protection Timer.......... 0s

Confidentiality Offset... 0

Algorithm Agility........ 80C201

SAK Rekey On Live Peer Loss........ YES

SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)

MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)

MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1

# of MACsec Capable Live Peers Responded.. 0

Live Peers List:

MI MN Rx-SCI (Peer) KS Priority

----------------------------------------------------------------------

4E4F014EF97A16A0A72D289A 1065 00fd.2217.xxxx/0007 0

Potential Peers List:

MI MN Rx-SCI (Peer) KS Priority

----------------------------------------------------------------------

show mka sessions

Total MKA Sessions....... 1

Secured Sessions... 1

Pending Sessions... 0

====================================================================================================

Interface Local-TxSCI Policy-Name Inherited Key-Server

Port-ID Peer-RxSCI MACsec-Peers Status CKN

====================================================================================================

Gi1/0/1 c4f7.d5ac.xxxx/0007 MKA-POLICY NO NO

7 00fd.2217.xxxx/0007 1 Secured 0100000000000000000000000000000000000000000000000000000000000000

Re: MACsec: Why is the traffic not encrypted??

Mark Elsen — Mon, 10 Jun 2024 07:01:01 GMT

- Checkout this document and or have a look at the examples : https://www.wiresandwi.fi/blog/cisco-macsec-configuration-using-pre-shared-key-between-ios-xe-and-ios-switch

Re: MACsec: Why is the traffic not encrypted??

eric-2340 — Mon, 10 Jun 2024 09:40:22 GMT

Thank you for the advice, marce1000. The referenced document was an example I followed. In fact, the configuration seems correct, which is why I don't understand why, when sniffing the traffic with Wireshark through a monitor port, I see unencrypted traffic. I don't know if there are additional adjustments to configure or if the two switches are not enabled for the Macsec function.

Re: MACsec: Why is the traffic not encrypted??

Mark Elsen — Mon, 10 Jun 2024 10:15:01 GMT

- Post output from : show macsec interface GigabitEthernet1/0/1

Re: MACsec: Why is the traffic not encrypted??

eric-2340 — Mon, 10 Jun 2024 11:13:22 GMT

By checking the post you recommended with my output, I can confirm that:
Macsec is enabled;
Replay protect: enabled;
Cipher: GCM-AES-128;
Ciphers supported: GCM-AES-128,
GCM-AES-256.

Detail:
show macsec interface gigabitEthernet 1/0/1
MACsec is enabled
Replay protect : enable
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0

Capabilities
ICV length : 16
Data length change supported: yes
Max. Rx SA : 16
Max. Tx SA : 16
Max. Rx SC : 8
Max. Tx SC : 8
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
GCM-AES-256

Re: MACsec: Why is the traffic not encrypted??

Mark Elsen — Mon, 10 Jun 2024 16:42:30 GMT

- When I looked it up in the feature navigator apparently you need software version 16.11.1 at minimum ;
check attachment ,

Re: MACsec: Why is the traffic not encrypted??

eric-2340 — Mon, 10 Jun 2024 19:29:28 GMT

Thank you, marce1000, for your availability. I saw your attachment, and scrolling down the list, previous versions prior to 16.11.1 are also listed.

For configurations, I also consulted the Cisco website referencing the switch and IOS I have available, and I am attaching the link.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-6/configuration_guide/sec/b_166_sec_3650_cg/macsec_encryption.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-3/configuration_guide/b_163_consolidated_3650_cg/b_163_consolidated_3650_cg_chapter_01010111.html

Currently, however, after following the various guides, I still can't understand why the traffic I see with Wireshark is not encrypted.

Re: MACsec: Why is the traffic not encrypted??

Mark Elsen — Tue, 11 Jun 2024 06:39:40 GMT

- Have a try with 16.11.x anyway ,

Re: MACsec: Why is the traffic not encrypted??

eric-2340 — Tue, 11 Jun 2024 20:54:32 GMT

I attempted what you asked, but unfortunately, the result was the same as before. I enabled debugging and among the log files, this caught my attention, but I couldn't find a solution online:
MKA-ERR: GigabitEthernet1/0/1: NULL sub-block during get MKA CFG-DEP SB from interface

Re: MACsec: Why is the traffic not encrypted??

Mark Elsen — Wed, 12 Jun 2024 07:06:21 GMT

- Checkout : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe59674

Re: MACsec: Why is the traffic not encrypted??

eric-2340 — Wed, 12 Jun 2024 12:28:26 GMT

on the switches, the "device classifier" is not set. It seems more related to this specific case https://bst.cisco.com/quickview/bug/CSCwh17679 for the error received, but it’s not related to Secure Client 5.0.

MKA-ERR: GigabitEthernet1/0/1: NULL sub-block during get MKA CFG-DEP SB from interface.

MKA-ERR: GigabitEthernet1/0/1: NULL subblock during get linksec configured