MACsec: Why is the traffic not encrypted??

eric-2340 (Level 1)

Hello everyone, I would like to ask for help regarding the configuration of two 3650 switches, one with IOS Software Denali Version 16.3.8prd2, and one with Cisco IOS Software Everest Version 16.6.6. The issue I'm encountering is that once the configuration is completed and MACsec is functioning on the two devices, the traffic is not encrypted. In fact, when sniffing with Wireshark, I see the traffic generated by the two g1/0/1 ports in clear text.

The MACsec I want to set up does not use authentication servers.

sho license feature-version (SW - IOS Software Denali Version 16.3.8prd2)
Feature Name      Version
----------------------------
ipservices        1.0
ipservices eval   1.0
ipbase            1.0
ipbase eval       1.0
lanbase           1.0
apcount eval      1.0
apcount base      1.0
apcount adder     1.0

sho license feature-version (SW - Cisco IOS Software Everest Version 16.6.6)
Feature Name      Version
---------------------------------------
ipservices        1.1
ipservices eval   1.1
ipbase            1.1
ipbase eval       1.1
lanbase           1.1

Let me list the configuration parameters that I have set:

SW1 and SW2

show key chain

Key-chain MKA-KC:
    MacSEC key chain
    key 0100000000000000000000000000000000000000000000000000000000000000 -- text "1234567890123456789012345678901212385423694172681365247823957412"
        cryptographic-algorithm: aes-256-cmac
        lifetime (00:00:00 UTC Jan 1 1993) - (infinite) [valid now]

mka policy MKA-POLICY
 delay-protection
 macsec-cipher-suite gcm-aes-128 gcm-aes-256
 sak-rekey on-live-peer-loss

interface GigabitEthernet1/0/1
 switchport trunk allowed vlan xx
 switchport mode trunk
 macsec network-link
 mka policy MKA-POLICY
 mka pre-shared-key key-chain MKA-KC

show mka policy

MKA Policy Summary...

Codes : CO - Confidentiality Offset, ICVIND - Include ICV-Indicator,
        SAKR OLPL - SAK-Rekey On-Live-Peer-Loss,
        DP - Delay Protect, KS Prio - Key Server Priority

Policy            KS   DP    CO SAKR  ICVIND Cipher          Interfaces
Name              Prio          OLPL         Suite(s)        Applied
===============================================================================
*DEFAULT POLICY*  0    FALSE 0  FALSE TRUE   GCM-AES-128

MKA-POLICY        0    TRUE  0  TRUE  TRUE   GCM-AES-128     Gi1/0/1
                                             GCM-AES-256

sho macsec interface gigabitEthernet 1/0/1

 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0

 Capabilities
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 16
  Max. Tx SA : 16
  Max. Rx SC : 8
  Max. Tx SC : 8
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
                      GCM-AES-256

 Transmit Secure Channels
  SCI : C4F7D5ACC7810007
  SC state : notInUse(2)
   Elapsed time : 00:02:10
   Start time : 7w0d
   Current AN: 1
   Previous AN: -
   Next PN: 0
   SA State: notInUse(2)
   Confidentiality : no
   SAK Unchanged : no
   SA Create time : 04:44:14
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypt Pkts : 0
    Encrypt Bytes : 0
   SA Statistics
    Auth-only Pkts : 0
    Encrypt Pkts : 20

  Port Statistics
   Egress untag pkts  4
   Egress long pkts  1098315137384

 Receive Secure Channels
  SCI : 00FD2217DA810007
  SC state : notInUse(2)
   Elapsed time : 00:02:10
   Start time : 7w0d
   Current AN: 1
   Previous AN: -
   Next PN: 87
   RX SA Count: 0
   SA State: notInUse(2)
   SAK Unchanged : no
   SA Create time : 04:44:13
   SA Start time : 7w0d
   SC Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 0
    Valid bytes 0
    Late pkts 0
    Uncheck pkts 0
    Delay pkts 0
    UnusedSA pkts 0
    NousingSA pkts 0
    Decrypt bytes 0
   SA Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 86
    UnusedSA pkts 0
    NousingSA pkts 0

  Port Statistics
   Ingress untag pkts  1099082953256
   Ingress notag pkts  8531
   Ingress badtag pkts  0
   Ingress unknownSCI pkts  0
   Ingress noSCI pkts  2
   Ingress overrun pkts  1098423581264


show macsec summary

Interface                     Transmit SC         Receive SC
GigabitEthernet1/0/1               1                   1


sho mka sessions interface g1/0/1 detail

MKA Detailed Status for MKA Session
===================================
Status: SECURED - Secured MKA Session with MACsec

Local Tx-SCI............. c4f7.d5ac.xxxx/0007
Interface MAC Address.... c4f7.d5ac.xxxx
MKA Port Identifier...... 7
Interface Name........... GigabitEthernet1/0/1
Audit Session ID.........
CAK Name (CKN)........... 0100000000000000000000000000000000000000000000000000000000000000
Member Identifier (MI)... F1E6DDBAB22A87915F0B7E20
Message Number (MN)...... 945
EAP Role................. NA
Key Server............... NO
MKA Cipher Suite......... AES-256-CMAC

Latest SAK Status........ Rx & Tx
Latest SAK AN............ 1
Latest SAK KI (KN)....... 4E4F014EF97A16A0A72D289A00000012 (18)
Old SAK Status........... No Rx, No Tx
Old SAK AN............... 0
Old SAK KI (KN).......... RETIRED (0)

SAK Transmit Wait Time... 0s (Not waiting for any peers to respond)
SAK Retire Time.......... 0s (No Old SAK to retire)

MKA Policy Name.......... MKA-POLICY
Key Server Priority...... 0
Delay Protection......... YES
Delay Protection Timer.......... 0s

Confidentiality Offset... 0
Algorithm Agility........ 80C201
SAK Rekey On Live Peer Loss........ YES
SAK Cipher Suite......... 0080C20001000001 (GCM-AES-128)
MACsec Capability........ 3 (MACsec Integrity, Confidentiality, & Offset)
MACsec Desired........... YES

# of MACsec Capable Live Peers............ 1
# of MACsec Capable Live Peers Responded.. 0

Live Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------
  4E4F014EF97A16A0A72D289A  1065        00fd.2217.xxxx/0007   0

Potential Peers List:
  MI                        MN          Rx-SCI (Peer)        KS Priority
  ----------------------------------------------------------------------

show mka sessions

Total MKA Sessions....... 1
      Secured Sessions... 1
      Pending Sessions... 0

====================================================================================================
Interface      Local-TxSCI         Policy-Name      Inherited         Key-Server
Port-ID        Peer-RxSCI          MACsec-Peers     Status            CKN
====================================================================================================
Gi1/0/1        c4f7.d5ac.xxxx/0007 MKA-POLICY       NO                NO
7              00fd.2217.xxxx/0007 1                Secured          0100000000000000000000000000000000000000000000000000000000000000

10 Replies
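The `show macsec interface` output above is the switch's own record of what it did with each frame: the negotiated cipher and confidentiality offset, the per-SA "Confidentiality" flag, and separate counters for frames that were encrypted, integrity-protected only ("Auth-only"), or received without a SecTAG ("notag"). When a capture looks wrong, these counters are the first thing to compare it against. The following parser is an added example, not a Cisco tool and not code from the thread; it reads that output (the sample below is copied from the post, trimmed to the relevant lines) and prints the fields that decide whether the port is encrypting. Section names, counter line formats and the `assess` wording are this example's own assumptions about the output layout shown here.

```python
"""Parse Cisco IOS-XE 'show macsec interface' output and summarize the
fields that say whether a port is actually encrypting.  Added example,
not a Cisco tool; SAMPLE_OUTPUT is copied from the thread's post."""
import re

SECTIONS = {"Transmit Secure Channels": "tx", "Receive Secure Channels": "rx",
            "Capabilities": "capabilities"}
SUBSECTIONS = {"SC Statistics": "sc_stats", "SA Statistics": "sa_stats",
               "Port Statistics": "port_stats"}
COUNTER_RE = re.compile(r"(.+?)\s+(\d+)")   # "Valid pkts 86", "Ingress notag pkts  8531"


def parse_show_macsec_interface(text):
    """Return {"global", "capabilities", "tx", "rx"} dicts; tx/rx carry
    "sc_stats", "sa_stats" and "port_stats" sub-dicts.  Numbers become int;
    a value continued on the next line (a second cipher) is joined with ", "."""
    result = {"global": {}, "capabilities": {}, "tx": {}, "rx": {}}
    section, sub, last = "global", None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:                 # top-level heading, e.g. "Transmit Secure Channels"
            section, sub, last = SECTIONS[line], None, None
            continue
        if line in SUBSECTIONS:              # counter block inside a section
            sub, last = SUBSECTIONS[line], None
            result[section].setdefault(sub, {})
            continue
        target = result[section][sub] if sub else result[section]
        if ":" in line:                      # "Cipher : GCM-AES-128", "Next PN: 87"
            key, val = (p.strip() for p in line.split(":", 1))
        else:
            m = COUNTER_RE.fullmatch(line)   # colon-less counters
            if m:
                key, val = m.group(1), m.group(2)
            elif last is not None:           # continuation of the previous value
                target[last] = f"{target[last]}, {line}"
                continue
            else:                            # bare flag such as "MACsec is enabled"
                key, val = line, ""
        target[key] = int(val) if val.isdigit() else val
        last = key
    return result


def assess(parsed):
    """Observations to check before trusting a capture: negotiated cipher and
    offset, the TX SA confidentiality flag, and what the hardware counters say
    was encrypted, authenticated-only, or received without a SecTAG."""
    g, tx, rx = parsed["global"], parsed["tx"], parsed["rx"]
    tx_sa = tx.get("sa_stats", {})
    rx_sa, rx_sc, rx_port = rx.get("sa_stats", {}), rx.get("sc_stats", {}), rx.get("port_stats", {})
    return [
        f"cipher {g.get('Cipher')} with confidentiality offset {g.get('Confidentiality Offset')}",
        f"TX SA confidentiality flag: {tx.get('Confidentiality')}",
        f"TX SA counters: {tx_sa.get('Encrypt Pkts', 0)} encrypted, "
        f"{tx_sa.get('Auth-only Pkts', 0)} auth-only packets",
        f"RX SA counters: {rx_sa.get('Valid pkts', 0)} valid, "
        f"{rx_sa.get('Invalid pkts', 0)} invalid packets; "
        f"{rx_sc.get('Decrypt bytes', 0)} bytes decrypted",
        f"RX port: {rx_port.get('Ingress notag pkts', 0)} frames without a SecTAG, "
        f"{rx_port.get('Ingress badtag pkts', 0)} with a bad SecTAG",
    ]


# Trimmed copy of the output posted in the thread (Gi1/0/1).
SAMPLE_OUTPUT = """\
 MACsec is enabled
  Cipher : GCM-AES-128
  Confidentiality Offset : 0

 Capabilities
  Ciphers supported : GCM-AES-128
                      GCM-AES-256

 Transmit Secure Channels
  SCI : C4F7D5ACC7810007
   Current AN: 1
   Next PN: 0
   Confidentiality : no
   SC Statistics
    Auth-only Pkts : 0
    Encrypt Pkts : 0
   SA Statistics
    Auth-only Pkts : 0
    Encrypt Pkts : 20

 Receive Secure Channels
  SCI : 00FD2217DA810007
   Next PN: 87
   SC Statistics
    Valid pkts 0
    Decrypt bytes 0
   SA Statistics
    Invalid pkts 0
    Valid pkts 86
  Port Statistics
   Ingress notag pkts  8531
   Ingress badtag pkts  0
"""

if __name__ == "__main__":
    for note in assess(parse_show_macsec_interface(SAMPLE_OUTPUT)):
        print(note)
```

Run it against the full output of each switch (paste it into `SAMPLE_OUTPUT` or read it from a file) and compare the two sides: the TX encrypted count on one switch should track the RX valid count on the other, and the "notag" counter tells you how many frames arrived on the port with no SecTAG at all.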

marce1000 (VIP)

 

 - Check out this document and/or have a look at the examples: https://www.wiresandwi.fi/blog/cisco-macsec-configuration-using-pre-shared-key-between-ios-xe-and-ios-switch

  M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thank you for the advice, marce1000. The referenced document was an example I followed. In fact, the configuration seems correct, which is why I don't understand why, when sniffing the traffic with Wireshark through a monitor port, I see unencrypted traffic. I don't know if there are additional adjustments to configure or if the two switches are not enabled for the Macsec function.
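Where the capture is taken matters. A monitor (SPAN) port delivers a copy made by the switch, and on many platforms that copy is taken before egress encryption or after ingress decryption, so it does not show what is on the wire. The decisive evidence is whether the frames themselves carry an IEEE 802.1AE SecTAG (EtherType 0x88E5) with the E (encryption) bit set; with E clear, MACsec is integrity-only and the payload is legitimately visible in the clear. The following decoder is an added example (not code from the thread, from Cisco, or from Wireshark) that classifies raw Ethernet frames from a capture on that basis. The three sample frames, their MAC addresses and the SCI in them are constructed for the example.

```python
"""Classify Ethernet frames as cleartext, MACsec integrity-only or MACsec
confidentiality-protected by decoding the IEEE 802.1AE SecTAG.
Added example; the sample frames below are constructed, not captured."""
import struct

MACSEC_ETHERTYPE = 0x88E5
# TCI flag bits in the first SecTAG octet (802.1AE 9.5); low two bits are the AN
TCI_V, TCI_ES, TCI_SC, TCI_SCB, TCI_E, TCI_C = 0x80, 0x40, 0x20, 0x10, 0x08, 0x04
TCI_AN_MASK = 0x03
ICV_LEN = 16            # GCM-AES-128 and GCM-AES-256 both use a 16-octet ICV


def parse_sectag(frame: bytes) -> dict:
    """Summarize one frame.  Non-MACsec frames report only the EtherType;
    MACsec frames report the TCI flags, AN, PN, optional SCI and whether the
    payload is confidentiality-protected (E bit)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype,
            "macsec": ethertype == MACSEC_ETHERTYPE}
    if not info["macsec"]:
        info["kind"] = "cleartext"
        return info
    if len(frame) < 20:
        raise ValueError("truncated SecTAG")
    tci_an, sl = frame[14], frame[15]          # SL is non-zero only for secure data < 48 octets
    pn = struct.unpack("!I", frame[16:20])[0]
    if tci_an & TCI_V:
        raise ValueError("unsupported SecTAG version")
    offset, sci = 20, None
    if tci_an & TCI_SC:                         # explicit SCI present (Include SCI : yes)
        if len(frame) < 28:
            raise ValueError("truncated SCI")
        sci, offset = frame[20:28].hex(), 28
    encrypted = bool(tci_an & TCI_E)
    info.update({
        "an": tci_an & TCI_AN_MASK, "pn": pn, "sl": sl, "sci": sci,
        "e_bit": encrypted, "c_bit": bool(tci_an & TCI_C),
        "secure_data_len": len(frame) - offset - ICV_LEN,
        "kind": "macsec-encrypted" if encrypted else "macsec-integrity-only",
    })
    return info


def summarize(frames) -> dict:
    """Count frames of each kind, e.g. over every frame read from a pcap."""
    counts = {"cleartext": 0, "macsec-integrity-only": 0, "macsec-encrypted": 0}
    for f in frames:
        counts[parse_sectag(f)["kind"]] += 1
    return counts


def _eth(dst, src, ethertype, payload):
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample frames (addresses and SCI are made up for this example).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("001122334455")
PEER = bytes.fromhex("00aabbccddee")

# 1. Cleartext ARP request padded to the 60-octet minimum
ARP = _eth(DST, SRC, 0x0806, bytes(46))
# 2. MACsec with confidentiality: TCI = SC|E|C, AN=1, PN=87, SCI = SRC / port 7,
#    60 octets of (here arbitrary) secure data followed by the 16-octet ICV
SECTAG_ENC = bytes([TCI_SC | TCI_E | TCI_C | 1, 0]) + struct.pack("!I", 87) + SRC + b"\x00\x07"
MACSEC_ENC = _eth(PEER, SRC, MACSEC_ETHERTYPE, SECTAG_ENC + bytes(range(60)) + b"\xaa" * ICV_LEN)
# 3. MACsec integrity-only: TCI = SC only (E=0, C=0), AN=0; payload travels in the clear
SECTAG_AUTH = bytes([TCI_SC, 0]) + struct.pack("!I", 12) + SRC + b"\x00\x07"
MACSEC_AUTH = _eth(PEER, SRC, MACSEC_ETHERTYPE, SECTAG_AUTH + bytes(60) + b"\xbb" * ICV_LEN)

SAMPLE_CAPTURE = [ARP, MACSEC_ENC, MACSEC_AUTH]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE:
        print(parse_sectag(f))
    print(summarize(SAMPLE_CAPTURE))
```

To apply it to a real capture, feed `summarize` the raw frame bytes of each packet (any pcap reader will do); a capture taken with a tap or on the peer's physical link that contains only `cleartext` frames means the link is not tagging at all, while `macsec-integrity-only` frames mean MACsec is up but confidentiality was not negotiated for that SA.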

 

      - Post output from : show macsec interface GigabitEthernet1/0/1

 M.




By checking the post you recommended with my output, I can confirm that:
Macsec is enabled;
Replay protect: enabled;
Cipher: GCM-AES-128;
Ciphers supported: GCM-AES-128,
GCM-AES-256.


Detail:
show macsec interface gigabitEthernet 1/0/1
MACsec is enabled
Replay protect : enable
Replay window : 0
Include SCI : yes
Use ES Enable : no
Use SCB Enable : no
Admin Pt2Pt MAC : forceTrue(1)
Pt2Pt MAC Operational : no
Cipher : GCM-AES-128
Confidentiality Offset : 0

Capabilities
ICV length : 16
Data length change supported: yes
Max. Rx SA : 16
Max. Tx SA : 16
Max. Rx SC : 8
Max. Tx SC : 8
Validate Frames : strict
PN threshold notification support : Yes
Ciphers supported : GCM-AES-128
GCM-AES-256



 

  - When I looked it up in the Feature Navigator, apparently you need software version 16.11.1 at minimum;
    check the attachment.

 M.




Thank you, marce1000, for your availability. I saw your attachment, and scrolling down the list, versions prior to 16.11.1 are also listed.

For the configuration, I also consulted the Cisco website for the switch and IOS versions I have available, and I am attaching the links.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-6/configuration_guide/sec/b_166_sec_3650_cg/macsec_encryption.html

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/16-3/configuration_guide/b_163_consolidated_3650_cg/b_163_consolidated_3650_cg_chapter_01010111.html

Currently, however, after following the various guides, I still can't understand why the traffic I see with Wireshark is not encrypted.

 

                 - Have a try with 16.11.x anyway.

 M.




I attempted what you asked, but unfortunately, the result was the same as before. I enabled debugging and among the log files, this caught my attention, but I couldn't find a solution online:
MKA-ERR: GigabitEthernet1/0/1: NULL sub-block during get MKA CFG-DEP SB from interface

 

          - Check out: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwe59674

 M.




On the switches, the "device classifier" is not set. It seems more related to this specific case https://bst.cisco.com/quickview/bug/CSCwh17679 for the error received, but it's not related to Secure Client 5.0.

MKA-ERR: GigabitEthernet1/0/1: NULL sub-block during get MKA CFG-DEP SB from interface.

MKA-ERR: GigabitEthernet1/0/1: NULL subblock during get linksec configured

 
