09-13-2017 02:36 PM - edited 03-08-2019 12:01 PM
Trying to get cts manual to work between two switches with GCM-AES-256
How do I even change from GCM-AES-128 to GCM-AES-256?
It is listed below as "supported", but I can't find any useful information about this topic.
WS-C3650-24TS 16.3.3 ipbasek9
interface GigabitEthernet1/1/2
 description Trunk
 switchport trunk native vlan 3
 switchport mode trunk
 switchport nonegotiate
 cts manual
  no propagate sgt
  sap pmk 01234 mode-list gcm-encrypt

Switch#sh macsec int g1/1/2
MACsec is enabled
 Replay protect : enabled
 Replay window : 0
 Include SCI : yes
 Use ES Enable : no
 Use SCB Enable : no
 Admin Pt2Pt MAC : forceTrue(1)
 Pt2Pt MAC Operational : no
 Cipher : GCM-AES-128
 Confidentiality Offset : 0
Capabilities
 ICV length : 16
 Data length change supported: yes
 Max. Rx SA : 16
 Max. Tx SA : 16
 Max. Rx SC : 8
 Max. Tx SC : 8
 Validate Frames : strict
 PN threshold notification support : Yes
 Ciphers supported : GCM-AES-128
                     GCM-AES-256
Transmit Secure Channels
 SCI : 58AC78D7EE1A0000
 SC state : notInUse(2)
 Elapsed time : 00:06:55
 Start time : 7w0d
 Current AN: 0
 Previous AN: -
 Next PN: 0
 SA State: notInUse(2)
 Confidentiality : no
 SAK Unchanged : no
 SA Create time : 00:30:44
 SA Start time : 7w0d
 SC Statistics
  Auth-only Pkts : 0
  Auth-only Bytes : 0
  Encrypt Pkts : 0
  Encrypt Bytes : 0
 SA Statistics
  Auth-only Pkts : 0
  Encrypt Pkts : 1092
 Port Statistics
  Egress untag pkts 0
  Egress long pkts 1098379227928
Receive Secure Channels
 SCI : 74A02F8FA2810000
 SC state : notInUse(2)
 Elapsed time : 00:06:58
 Start time : 7w0d
 Current AN: 0
 Previous AN: -
 Next PN: 0
 RX SA Count: 0
 SA State: notInUse(2)
 SAK Unchanged : no
 SA Create time : 00:30:44
 SA Start time : 7w0d
 SC Statistics
  Notvalid pkts 0
  Invalid pkts 0
  Valid pkts 0
  Valid bytes 0
  Late pkts 0
  Uncheck pkts 0
  Delay pkts 0
  UnusedSA pkts 0
  NousingSA pkts 0
  Decrypt bytes 0
 SA Statistics
  Notvalid pkts 0
  Invalid pkts 0
  Valid pkts 148
  UnusedSA pkts 0
  NousingSA pkts 0
 Port Statistics
  Ingress untag pkts 1099150680408
  Ingress notag pkts 21
  Ingress badtag pkts 0
  Ingress unknownSCI pkts 0
  Ingress noSCI pkts 0
  Ingress overrun pkts 1098492218128
Switch#sh cts int g1/1/2
Global Dot1x feature is Disabled
Interface GigabitEthernet1/1/2:
CTS is enabled, mode: MANUAL
IFC state: OPEN
Interface Active for 00:16:10.232
Authentication Status: NOT APPLICABLE
Peer identity: "unknown"
Peer's advertised capabilities: "sap"
Authorization Status: NOT APPLICABLE
SAP Status: SUCCEEDED
Version: 2
Configured pairwise ciphers:
gcm-encrypt
Replay protection: enabled
Replay protection mode: STRICT
Selected cipher: gcm-encrypt
Propagate SGT: Disabled
Cache Info:
Expiration : N/A
Cache applied to link : NONE
Statistics:
authc success: 0
authc reject: 0
authc failure: 0
authc no response: 0
authc logoff: 0
sap success: 3
sap fail: 0
authz success: 0
authz fail: 0
port auth fail: 0
L3 IPM: disabled.
CTS sgt-caching Ingress : Disabled
CTS sgt-caching Egress : Disabled
01-15-2018 09:08 AM
Did anyone find a solution?
01-15-2018 02:51 PM
08-17-2018 12:15 AM
Hello guys,
I use IOS 16.9.1.
How can I activate gcm-aes-256?
08-22-2018 01:35 PM - edited 08-22-2018 01:43 PM
Example:
!
key chain MS-KC macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD
!
mka policy your-pol
 delay-protection
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 30
!
interface X/X/X
 macsec network-link
 mka policy your-pol
 mka pre-shared-key key-chain MS-KC
!
Beware of this:
Prior to Cisco IOS XE Fuji 16.8.1a, should-secure was supported for MKA and SAP. With should-secure enabled, if the peer is configured for MACsec, the data traffic is encrypted, otherwise it is sent in clear text. Starting with Cisco IOS XE Fuji 16.8.1a, must-secure support is enabled on both the ingress and the egress. Must-secure is supported for MKA and SAP. With must-secure enabled, only EAPoL traffic will not be encrypted. The rest of the traffic will be encrypted. Unencrypted packets are dropped.
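As an added example (not code from the thread or from Cisco), here is a small Python audit that parses IOS-XE config text in the shape shown in the reply above and reports which cipher suite each MACsec link is actually set up for: links that bind an MKA policy listing gcm-aes-256 pass, links whose policy omits macsec-cipher-suite are flagged, and the original poster's cts manual / sap configuration is flagged because the show output earlier in the thread shows it negotiating GCM-AES-128. Two assumptions are built in and labelled in the code: the MKA default cipher suite is GCM-AES-128 when macsec-cipher-suite is not configured, and the CAK key-string must be 32 hex characters for aes-128-cmac and 64 for aes-256-cmac. The sample configuration is constructed for the example; the interface names and the WEAK-KC / default-cipher names are invented.

```python
import re

# Assumption: IOS-XE uses GCM-AES-128 when an MKA policy sets no macsec-cipher-suite.
DEFAULT_MKA_CIPHER = "gcm-aes-128"
# Assumption: CAK length required by the key-chain cryptographic-algorithm (hex chars).
CAK_HEX_LEN = {"aes-128-cmac": 32, "aes-256-cmac": 64}

# Constructed sample: the reply's MKA config plus two deliberately weak links.
SAMPLE_CONFIG = """
!
key chain MS-KC macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD
!
key chain WEAK-KC macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string 0123456789ABCDEF0123456789ABCDEF
!
mka policy your-pol
 delay-protection
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 30
!
mka policy default-cipher
 confidentiality-offset 0
!
interface GigabitEthernet1/1/1
 macsec network-link
 mka policy your-pol
 mka pre-shared-key key-chain MS-KC
!
interface GigabitEthernet1/1/3
 macsec network-link
 mka policy default-cipher
 mka pre-shared-key key-chain WEAK-KC
!
interface GigabitEthernet1/1/2
 switchport mode trunk
 cts manual
  no propagate sgt
  sap pmk 01234 mode-list gcm-encrypt
!
"""


def parse_config(text):
    """Split IOS config into (header, [stripped child lines]) stanzas by indentation."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = (line, [])
            stanzas.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return stanzas


def _parse_keys(body):
    """Collect key id / algorithm / key-string triples from a macsec key chain."""
    keys = []
    for line in body:
        parts = line.split()
        if parts[0] == "key":
            keys.append({"id": parts[1]})
        elif keys and parts[0] == "cryptographic-algorithm":
            keys[-1]["alg"] = parts[1]
        elif keys and parts[0] == "key-string":
            keys[-1]["cak"] = parts[1]
    return keys


def _parse_policy(body):
    """Return the cipher-suite list of an mka policy, falling back to the default."""
    for line in body:
        parts = line.split()
        if parts[0] == "macsec-cipher-suite":
            return parts[1:]
    return [DEFAULT_MKA_CIPHER]


def check_cak(key):
    """Verify that the key-string length matches the configured CMAC algorithm."""
    alg, cak = key.get("alg"), key.get("cak", "")
    expected = CAK_HEX_LEN.get(alg)
    if expected is None:
        return [f"key {key['id']}: unknown cryptographic-algorithm {alg!r}"]
    if len(cak) != expected or not re.fullmatch(r"[0-9A-Fa-f]+", cak):
        return [f"key {key['id']}: key-string must be {expected} hex characters "
                f"for {alg}, got {len(cak)}"]
    return []


def audit_macsec(config_text):
    """Report cipher suite and findings for every interface that uses MACsec."""
    stanzas = parse_config(config_text)
    key_chains, policies = {}, {}
    for header, body in stanzas:
        m = re.match(r"key chain (\S+) macsec$", header)
        if m:
            key_chains[m.group(1)] = _parse_keys(body)
        m = re.match(r"mka policy (\S+)$", header)
        if m:
            policies[m.group(1)] = _parse_policy(body)

    results = []
    for header, body in stanzas:
        m = re.match(r"interface (\S+)$", header)
        if not m:
            continue
        policy = chain = None
        uses_sap = False
        for line in body:
            parts = line.split()
            if parts[:2] == ["mka", "policy"]:
                policy = parts[2]
            elif parts[:3] == ["mka", "pre-shared-key", "key-chain"]:
                chain = parts[3]
            elif parts[:2] == ["sap", "pmk"]:
                uses_sap = True
        if not (uses_sap or policy or chain):
            continue  # interface does not carry MACsec configuration
        issues = []
        if uses_sap:
            # The thread's show output: cts manual + sap negotiates GCM-AES-128.
            ciphers = [DEFAULT_MKA_CIPHER]
            issues.append("SAP (cts manual) link negotiates GCM-AES-128; "
                          "use an MKA policy with macsec-cipher-suite gcm-aes-256")
        else:
            if policy is None:
                ciphers, msg = [DEFAULT_MKA_CIPHER], "no mka policy applied; default assumed"
                issues.append(msg)
            elif policy not in policies:
                ciphers = [DEFAULT_MKA_CIPHER]
                issues.append(f"mka policy {policy} is not defined")
            else:
                ciphers = policies[policy]
            if "gcm-aes-256" not in ciphers:
                issues.append("gcm-aes-256 not in the MKA cipher-suite list")
            if chain is None:
                issues.append("no pre-shared-key key-chain bound")
            elif chain not in key_chains:
                issues.append(f"key chain {chain} is not defined")
            else:
                for key in key_chains[chain]:
                    issues.extend(check_cak(key))
        results.append({"interface": m.group(1), "ciphers": ciphers, "issues": issues})
    return results


if __name__ == "__main__":
    for entry in audit_macsec(SAMPLE_CONFIG):
        print(entry["interface"], entry["ciphers"], entry["issues"] or "OK")
```

Run against the sample, GigabitEthernet1/1/1 comes back clean with gcm-aes-256, GigabitEthernet1/1/3 is flagged both for defaulting to gcm-aes-128 and for a 32-character CAK under aes-256-cmac, and the SAP link is flagged as GCM-AES-128. Feed it the output of show running-config from a real box instead of SAMPLE_CONFIG to check a fleet of links before cutting over.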
09-18-2018 11:05 PM
11-14-2018 03:29 AM
Hi Szabolcs,
I also tested your solution with IOS XE 16.6.4 and it seems to work fine.
Thanks, Benjamin