
I'm trying to do a simple task with no luck so far. I have two Linux hosts communicating using MACsec interfaces:

Host1:

```
[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569ed33d0001 on SA 0
        0: PN 123787, state on, key 00000000000000000000000000000000
    RXSC: 0050569e00d00001, state on
        0: PN 19308, state on, key 00000000000000000000000000000000
```

Host 2:

```
[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569e00d00001 on SA 0
        0: PN 35356, state on, key 00000000000000000000000000000000
    RXSC: 0050569ed33d0001, state on
        0: PN 148262, state on, key 00000000000000000000000000000000
```

In order to change the key, I create a new tx channel and a new rx channel on both ends, then turn off the old ones:

Host 1:

```
ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569e00d00001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569e00d00001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569e00d00001 sa 0 off

[Expert@jaguar_macsec-s01-01:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569ed33d0001 on SA 0
        0: PN 155609, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
    RXSC: 0050569e00d00001, state on
        0: PN 39777, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
```

Host 2:

```
ip macsec add Sync tx sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec add Sync rx sci 0050569ed33d0001 sa 1 pn 1 key 01 81818181818181818181818181818181
ip macsec set Sync tx sa 1 on
ip macsec set Sync rx sci 0050569ed33d0001 sa 1 on
ip macsec set Sync tx sa 0 off
ip macsec set Sync rx sci 0050569ed33d0001 sa 0 off

[Expert@jaguar_macsec-s01-02:0]# ip macsec show
11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569e00d00001 on SA 0
        0: PN 36370, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
    RXSC: 0050569ed33d0001, state on
        0: PN 149509, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
```

As can be seen, even though I turned off the old channels, I still can't get the new ones to work: the PN (packet number) stays at 1, which means no packets have been sent or received using these channels. Deleting the old channels completely didn't help either. I couldn't find any documentation that explains how this procedure can be done correctly. Any advice would be greatly appreciated.
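As an added example (not part of the original question), a small POSIX shell helper that parses captured `ip macsec show` output to report which SA the transmitter is currently encoding with and whether a given SA's PN is moving between two snapshots; the first snapshot is the Host 1 output from the question, the second is constructed to show what a working rekey would look like, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original question: check a MACsec rekey from two
# snapshots of `ip macsec show`. Per-SA lines look like
# "1: PN 1, state on, key 01000000000000000000000000000000".

# Snapshot 1: Host 1 right after the rekey, as shown in the question (SA 1 at PN 1).
SNAP_BEFORE='11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569ed33d0001 on SA 0
        0: PN 155609, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000
    RXSC: 0050569e00d00001, state on
        0: PN 39777, state off, key 00000000000000000000000000000000
        1: PN 1, state on, key 01000000000000000000000000000000'

# Snapshot 2 (constructed): a later capture after a rekey that actually took effect,
# with the transmitter switched to SA 1 and both SA 1 counters advancing.
SNAP_AFTER='11: Sync: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050569ed33d0001 on SA 1
        0: PN 155609, state off, key 00000000000000000000000000000000
        1: PN 57, state on, key 01000000000000000000000000000000
    RXSC: 0050569e00d00001, state on
        0: PN 39777, state off, key 00000000000000000000000000000000
        1: PN 42, state on, key 01000000000000000000000000000000'

# sa_pn SNAPSHOT TXSC|RXSC AN -> prints the packet number of that SA (empty if absent).
sa_pn() {
  printf '%s\n' "$1" | awk -v want="$2" -v an="$3" '
    $1 == "TXSC:" || $1 == "RXSC:" { sc = substr($1, 1, 4); next }
    sc == want && $1 == (an ":") { sub(",", "", $3); print $3; exit }'
}

# tx_encoding_sa SNAPSHOT -> the AN after "on SA", i.e. the SA frames are sent with.
tx_encoding_sa() {
  printf '%s\n' "$1" | awk '$1 == "TXSC:" && $3 == "on" && $4 == "SA" { print $5; exit }'
}

# sa_advanced BEFORE AFTER TXSC|RXSC AN -> succeeds only if the PN grew between snapshots.
sa_advanced() {
  b=$(sa_pn "$1" "$3" "$4"); a=$(sa_pn "$2" "$3" "$4")
  [ -n "$b" ] && [ -n "$a" ] && [ "$a" -gt "$b" ]
}

# Live use: s1=$(ip macsec show); sleep 5; s2=$(ip macsec show); sa_advanced "$s1" "$s2" TXSC 1
```

Note that both post-rekey snapshots in the question still report `TXSC: ... on SA 0`, the SA the device encodes with; `ip macsec set ... tx sa 1 on` only enables the SA, while the encoding SA is selected with `ip link set <dev> type macsec encodingsa 1`.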
