cts manual with gcm-aes-256

Bthene
Level 1

Trying to get cts manual to work between two switches with GCM-AES-256


How do I even change from GCM-AES-128 to GCM-AES-256 ?

listed below as "supported", can't find any useful information about this topic

WS-C3650-24TS      16.3.3   ipbasek9


interface GigabitEthernet1/1/2
 description Trunk
 switchport trunk native vlan 3
 switchport mode trunk
 switchport nonegotiate
 cts manual
  no propagate sgt
  sap pmk 01234 mode-list gcm-encrypt


Switch#sh macsec int g1/1/2
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Use ES Enable : no
  Use SCB Enable : no
  Admin Pt2Pt MAC : forceTrue(1)
  Pt2Pt MAC Operational : no
  Cipher : GCM-AES-128
  Confidentiality Offset : 0

 Capabilities
  ICV length : 16
  Data length change supported: yes
  Max. Rx SA : 16
  Max. Tx SA : 16
  Max. Rx SC : 8
  Max. Tx SC : 8
  Validate Frames : strict
  PN threshold notification support : Yes
  Ciphers supported : GCM-AES-128
                      GCM-AES-256

 Transmit Secure Channels
  SCI : 58AC78D7EE1A0000
  SC state : notInUse(2)
   Elapsed time : 00:06:55
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 0
   SA State: notInUse(2)
   Confidentiality : no
   SAK Unchanged : no
   SA Create time : 00:30:44
   SA Start time : 7w0d
   SC Statistics
    Auth-only Pkts : 0
    Auth-only Bytes : 0
    Encrypt Pkts : 0
    Encrypt Bytes : 0
   SA Statistics
    Auth-only Pkts : 0
    Encrypt Pkts : 1092

  Port Statistics
   Egress untag pkts  0
   Egress long pkts  1098379227928

 Receive Secure Channels
  SCI : 74A02F8FA2810000
  SC state : notInUse(2)
   Elapsed time : 00:06:58
   Start time : 7w0d
   Current AN: 0
   Previous AN: -
   Next PN: 0
   RX SA Count: 0
   SA State: notInUse(2)
   SAK Unchanged : no
   SA Create time : 00:30:44
   SA Start time : 7w0d
   SC Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 0
    Valid bytes 0
    Late pkts 0
    Uncheck pkts 0
    Delay pkts 0
    UnusedSA pkts 0
    NousingSA pkts 0
    Decrypt bytes 0
   SA Statistics
    Notvalid pkts 0
    Invalid pkts 0
    Valid pkts 148
    UnusedSA pkts 0
    NousingSA pkts 0

  Port Statistics
   Ingress untag pkts  1099150680408
   Ingress notag pkts  21
   Ingress badtag pkts  0
   Ingress unknownSCI pkts  0
   Ingress noSCI pkts  0
   Ingress overrun pkts  1098492218128


Switch#sh cts int g1/1/2
Global Dot1x feature is Disabled
Interface GigabitEthernet1/1/2:
    CTS is enabled, mode:    MANUAL
    IFC state:               OPEN
    Interface Active for 00:16:10.232
    Authentication Status:   NOT APPLICABLE
        Peer identity:       "unknown"
        Peer's advertised capabilities: "sap"
    Authorization Status:    NOT APPLICABLE
    SAP Status:              SUCCEEDED
        Version:             2
        Configured pairwise ciphers:
            gcm-encrypt

        Replay protection:      enabled
        Replay protection mode: STRICT

        Selected cipher:        gcm-encrypt

    Propagate SGT:           Disabled
    Cache Info:
        Expiration            : N/A
        Cache applied to link : NONE

    Statistics:
        authc success:              0
        authc reject:               0
        authc failure:              0
        authc no response:          0
        authc logoff:               0
        sap success:                3
        sap fail:                   0
        authz success:              0
        authz fail:                 0
        port auth fail:             0

    L3 IPM:   disabled.

    CTS sgt-caching Ingress : Disabled

    CTS sgt-caching Egress  : Disabled
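A quick way to audit output like the above for a cipher downgrade: the link below negotiated GCM-AES-128 even though GCM-AES-256 is listed as supported, which is exactly the condition a compliance check should flag. This is added example code, not from the original post; the text it parses is a constructed excerpt modelled on the `show macsec interface` output above.

```python
import re

# Constructed excerpt of 'show macsec interface' output (modelled on the post).
SAMPLE_SHOW_MACSEC = """\
 MACsec is enabled
  Replay protect : enabled
  Replay window : 0
  Include SCI : yes
  Cipher : GCM-AES-128
  Confidentiality Offset : 0

 Capabilities
  ICV length : 16
  Validate Frames : strict
  Ciphers supported : GCM-AES-128
                      GCM-AES-256
"""

def parse_show_macsec(text):
    """Extract negotiated cipher, replay/validation settings and supported ciphers."""
    info = {"supported": []}
    in_supported = False  # True while reading the multi-line 'Ciphers supported' list
    for line in text.splitlines():
        m = re.match(r"\s*Ciphers supported\s*:\s*(\S+)", line)
        if m:
            info["supported"].append(m.group(1))
            in_supported = True
            continue
        if in_supported and re.match(r"\s+GCM-AES-[A-Z0-9-]+\s*$", line):
            info["supported"].append(line.strip())  # continuation line of the list
            continue
        in_supported = False
        m = re.match(r"\s*(Cipher|Replay protect|Replay window|Validate Frames)\s*:\s*(.+?)\s*$", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def audit(info, required_cipher="GCM-AES-256"):
    """Return a list of policy findings; an empty list means the link is compliant."""
    findings = []
    cipher = info.get("Cipher")
    if cipher != required_cipher:
        if required_cipher in info["supported"]:
            findings.append(f"cipher is {cipher} although {required_cipher} is supported")
        else:
            findings.append(f"cipher is {cipher}; {required_cipher} not supported")
    if info.get("Replay protect") != "enabled":
        findings.append("replay protection disabled")
    if info.get("Validate Frames") != "strict":
        findings.append("frame validation not strict")
    return findings
```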

6 Replies

BCKWDS
Level 1

Did anyone find a solution?


Solved by using IOS 16.6.2

Hello guys,


I use IOS 16.9.1.

How can I activate gcm-aes-256 ? 


Example:

!
key chain MS-KC macsec
 key 01
  cryptographic-algorithm aes-256-cmac
  key-string ABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCD
!
mka policy your-pol
 delay-protection
 macsec-cipher-suite gcm-aes-256
 confidentiality-offset 30
!
interface X/X/X
 macsec network-link
 mka policy your-pol
 mka pre-shared-key key-chain MS-KC
!

Beware of this:

Prior to Cisco IOS XE Fuji 16.8.1a, should-secure was supported for MKA and SAP. With should-secure enabled, if the peer is configured for MACsec, the data traffic is encrypted, otherwise it is sent in clear text. Starting with Cisco IOS XE Fuji 16.8.1a, must-secure support is enabled on both the ingress and the egress. Must-secure is supported for MKA and SAP. With must-secure enabled, only EAPoL traffic will not be encrypted. The rest of the traffic will be encrypted. Unencrypted packets are dropped.

Hello Szabolcs Hollo,
I've configured it and it works perfectly.
Thanks for your help.
with kind regards,
Bernd

Hi Szabolcs,


I also tested your solution with IOS XE 16.6.4 and it seems to work fine.


Thanks, Benjamin
