Configuring a key group

To configure a key group, set the parameters shown in the CLI syntax and example below:

The authentication and encapsulation keys must contain the exact number of hexadecimal characters required by the algorithm used. For example, using sha256 requires 64 hexadecimal characters.

Keys are entered in clear text using the security-association command. Once entered, they are never displayed in their original, clear text form. Keys are displayed in an encrypted form, which is indicated by the system-appended crypto keyword when an info command is run. The NGE node also includes the crypto keyword with an admin>save operation so that the NGE node can decrypt the keys when reloading a configuration database. For security reasons, keys encrypted on one node are not usable on other nodes (that is, keys are not exchangeable between nodes).

Use the following CLI syntax to configure key group options:

config# group-encryption
        — encryption-keygroup keygroup-id [create]
            — description description-string
            — esp-auth-algorithm {sha256|sha512}
            — esp-encryption-algorithm {aes128|aes256}
            — keygroup-name keygroup-name
            — security-association spi spi authentication-key authentication-key encryption-key encryption-key [crypto]
            — active-outbound-sa spi

The following example displays key group command usage:

config>grp-encryp# encryption-keygroup KG1_secure
config>grp-encryp>encryp-keygrp# description Main_secure_KG
config>grp-encryp>encryp-keygrp# esp-auth-algorithm sha256
config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes128
config>grp-encryp>encryp-keygrp# keygroup-name KG1_secure
config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C6 encryption-key 0x63DCDD501B66F85441E4A55B597DA617
config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C5 encryption-key 0x63DCDD501B66F85441E4A55B597DA616
config>grp-encryp>encryp-keygrp# active-outbound-sa 6
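Because the node rejects a security-association whose keys do not have exactly the number of hexadecimal characters the algorithm requires, and because a key shown with the crypto keyword is the node-encrypted form that cannot be re-entered as clear text or moved to another node, it is useful to lint a key-group snippet before pasting it into a session. The following checker is an added example, not part of the original page or of the NGE product: it parses the CLI lines above, applies the length rule (the sha256 -> 64 figure comes from the page, the aes128 -> 32 length from the example keys; sha512 -> 128 and aes256 -> 64 are assumptions based on the standard 64-byte HMAC and 32-byte AES key sizes), rejects duplicate SPIs, flags crypto-form keys, and confirms that active-outbound-sa names a configured SPI. The BAD_EXAMPLE snippet is constructed to show the failures.

```python
import re

# Required key length in hexadecimal characters per algorithm.
# sha256 -> 64 and aes128 -> 32 are taken from the page; sha512 -> 128 and
# aes256 -> 64 are ASSUMED from the usual 64-byte HMAC and 32-byte AES key sizes.
AUTH_KEY_HEX_LEN = {"sha256": 64, "sha512": 128}
ENC_KEY_HEX_LEN = {"aes128": 32, "aes256": 64}

SA_RE = re.compile(
    r"security-association\s+spi\s+(?P<spi>\d+)"
    r"\s+authentication-key\s+(?P<auth>\S+)"
    r"\s+encryption-key\s+(?P<enc>\S+)"
    r"(?P<crypto>\s+crypto)?\s*$"
)


def _hex_len(token):
    """Number of hex digits in a key token (0x prefix not counted), or -1 if not hex."""
    body = token[2:] if token.lower().startswith("0x") else token
    if not body or not re.fullmatch(r"[0-9a-fA-F]+", body):
        return -1
    return len(body)


def lint_keygroup(cli_text):
    """Check a key-group CLI snippet; return a list of findings (empty list = clean)."""
    findings = []
    auth_alg = enc_alg = None
    sas = {}          # spi -> (auth_token, enc_token, has_crypto)
    active = None
    for raw in cli_text.splitlines():
        # Strip a 'prompt# ' prefix so pasted session output and bare config both work.
        line = raw.split("# ", 1)[1].strip() if "# " in raw else raw.strip()
        if not line:
            continue
        if line.startswith("esp-auth-algorithm "):
            auth_alg = line.split()[1]
        elif line.startswith("esp-encryption-algorithm "):
            enc_alg = line.split()[1]
        elif line.startswith("security-association "):
            m = SA_RE.match(line)
            if not m:
                findings.append(f"unparseable security-association line: {line}")
                continue
            spi = int(m.group("spi"))
            if spi in sas:
                findings.append(f"duplicate spi {spi}")
            sas[spi] = (m.group("auth"), m.group("enc"), bool(m.group("crypto")))
        elif line.startswith("active-outbound-sa "):
            active = int(line.split()[1])

    if auth_alg not in AUTH_KEY_HEX_LEN:
        findings.append(f"esp-auth-algorithm missing or unsupported: {auth_alg}")
    if enc_alg not in ENC_KEY_HEX_LEN:
        findings.append(f"esp-encryption-algorithm missing or unsupported: {enc_alg}")

    for spi, (auth, enc, has_crypto) in sorted(sas.items()):
        if has_crypto:
            # Node-encrypted form: the clear-text length rule does not apply, and the
            # page states such keys are not usable on another node.
            findings.append(f"note: spi {spi} keys carry 'crypto' (node-encrypted form, "
                            f"not re-enterable as clear text and not portable to another node)")
            continue
        for label, token, table, alg in (("authentication-key", auth, AUTH_KEY_HEX_LEN, auth_alg),
                                         ("encryption-key", enc, ENC_KEY_HEX_LEN, enc_alg)):
            need = table.get(alg)
            got = _hex_len(token)
            if got < 0:
                findings.append(f"spi {spi}: {label} is not hexadecimal")
            elif need is not None and got != need:
                findings.append(f"spi {spi}: {label} has {got} hex chars, {alg} needs {need}")

    if active is None:
        findings.append("active-outbound-sa not set")
    elif active not in sas:
        findings.append(f"active-outbound-sa {active} does not match any configured spi")
    return findings


# The key group from the page's own example (prompts included to exercise stripping).
PAGE_EXAMPLE = """
config>grp-encryp# encryption-keygroup KG1_secure
config>grp-encryp>encryp-keygrp# description Main_secure_KG
config>grp-encryp>encryp-keygrp# esp-auth-algorithm sha256
config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes128
config>grp-encryp>encryp-keygrp# keygroup-name KG1_secure
config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C6 encryption-key 0x63DCDD501B66F85441E4A55B597DA617
config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x88433A6DB4FA4F8A490EF661CBE69F010BFAE9C2784BED7059E5ADAAB1A225C5 encryption-key 0x63DCDD501B66F85441E4A55B597DA616
config>grp-encryp>encryp-keygrp# active-outbound-sa 6
"""

# Constructed snippet with an aes128-length key under aes256 and a dangling active SA.
BAD_EXAMPLE = "\n".join([
    "esp-auth-algorithm sha256",
    "esp-encryption-algorithm aes256",
    "security-association spi 1 authentication-key 0x" + "00112233" * 8
    + " encryption-key 0x" + "00112233" * 4,
    "active-outbound-sa 9",
])

if __name__ == "__main__":
    print("page example:", lint_keygroup(PAGE_EXAMPLE) or "clean")
    for f in lint_keygroup(BAD_EXAMPLE):
        print("bad example:", f)
```

Run the script as-is to see the page's example pass and the constructed one fail; to check a snippet of your own, pass its text to lint_keygroup. Findings prefixed with "note:" are informational (the crypto form is what info displays after entry), the rest are errors the node would reject or that would leave no valid outbound SA.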

The following example displays the key group configuration:

domain1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            security-association spi 2 authentication-key 0x78d9e66a6669bd17454fe3184ee161315b67adb8912949ceda20b6b741eb63604abe17de478e24723a7d1d5f7b6ffafc encryption-key 0x8d51db8f826239f672457442cecc73665f52cbe00aedfb4eda6166001247b4eb crypto
            security-association spi 6 authentication-key 0x7fb9fc5553630924ee29973f7b0a48f801b0ae1cb38b7666045274476a268e8d694ab6aa7ea050b7a43cdf8d80977625 encryption-key 0x72bd9b87841dbebcb2d114031367ab5d9153a41b7c79c8f889ac56b950d8fffa crypto
            active-outbound-sa 6
        exit
----------------------------------------------
domain1>config>grp-encryp#