Some issues.
One:
In AOS, the command:
From the manual:
• Command: mode pre-shared-key ckn <CKN> cak <CAK>
macsec policy "Steinar-MACsec-policy"
mode pre-shared-key ckn "Any 32 byte text"
exit
Without the CAK option, it works! Great.
Or is the CAK padded up to 64 hexadecimal digits with 0s, and still in use?
And then the: macsec apply policy (port)
And everything is working, AOS switch to AOS switch.
Issue two
From the manual AOS:
• Supports AES-GCM-128 bit Key-length (CAKs/ICKs/KEKs/SAKs).
This means interoperability is not immediately set up when moving one end to a CX switch,
since the command has been split into two policies:
macsec policy
and
mka policy.
The macsec policy requires a non-default setting (if connecting to an AOS)
of the cipher-suite, with a nice collection of:
(the default in CX is one of the 256)
• gcm-aes-128 Use AES-128 encryption with Galois/Counter mode
• gcm-aes-256 Use AES-256 encryption with Galois/Counter mode
• gcm-aes-xpn-128 Use AES-128 encryption with Galois/Counter mode and extended packet numbering
• gcm-aes-xpn-256 Use AES-256 encryption with Galois/Counter mode and extended packet numbering
The first one (gcm-aes-128) is "immediately" recognized to be the same as the only one in AOS,
even though the text is swapped.
But then it gets complicated; it still gives you the option to select one or three more:
macsec policy Steinar-MACsec-policy
cipher-suite gcm-aes-128 gcm-aes-256 gcm-aes-xpn-128 gcm-aes-xpn-256
What is the purpose of that? (And it is somewhat unclear when and what to use the xpn option for.)
And for the mka policy it is now required to use the cak!
Switch(config)# mka policy steinar-mka-policy
Switch(config-mka-policy)# pre-shared-key ckn Any32bytetext
% Command incomplete.
But:
Switch(config-mka-policy)# pre-shared-key ckn Any32bytetext cak ciphertext Any64bytetext
(Works)
Meaning any "old" AOS macsec connection without cak will not connect, and requires re-config.
Comments, anyone?
------------------------------
Steinar
------------------------------