All SAs configured in a key group share the same encryption algorithm and the same authentication algorithm. The size and values required by a particular key depend on the requirements of the algorithms selected (see lists below). One encryption algorithm and one authentication algorithm must be selected per key group.
Encryption algorithms available per key group include:
AES128 (a 128-bit key, requiring a 32-digit ASCII hexadecimal string)
AES256 (a 256-bit key, requiring a 64-digit ASCII hexadecimal string)
Authentication algorithms available per key group include:
HMAC-SHA-256 (a 256-bit key, requiring a 64-digit ASCII hexadecimal string)
HMAC-SHA-512 (a 512-bit key, requiring a 128-digit ASCII hexadecimal string)
Encryption and authentication strengths can be mixed depending on the requirements of the application. For example, 256-bit strength encryption can be used with 512-bit strength authentication.
The configured algorithms cannot be changed when there is an existing SA configured for the key group. All SAs in a key group must be deleted before a key group algorithm can be modified.
Key values are not visible in the CLI or retrievable using SNMP. Each node calculates a 32-bit CRC checksum for the keys configured against the SPI. The CRC can be displayed in the CLI or read by SNMP. The purpose of the CRC is to provide a tool to check consistency between nodes, thereby verifying that each node is set with the same key values while keeping the actual key values hidden.
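The following Python sketch is an added example, not vendor code. It checks key strings against the lengths in the algorithm lists above before they are provisioned, and shows how per-SPI CRC values collected from several nodes expose a node holding a different key. The function names, node names, and the checksum layout (zlib CRC-32 over the encryption key followed by the authentication key) are assumptions; the exact CRC computation the nodes use is not given here.

```python
import secrets
import string
import zlib
from collections import Counter

# Required hex-string lengths, taken from the algorithm lists above.
HEX_DIGITS = {
    "AES128": 32, "AES256": 64,                # encryption
    "HMAC-SHA-256": 64, "HMAC-SHA-512": 128,   # authentication
}

def generate_key(algorithm):
    """Return a fresh random key as a hex string of the required length."""
    return secrets.token_hex(HEX_DIGITS[algorithm] // 2)

def validate_key(algorithm, hex_key):
    """Return the key bytes, or raise ValueError if the string is malformed."""
    want = HEX_DIGITS[algorithm]
    if len(hex_key) != want:
        raise ValueError(f"{algorithm} needs {want} hex digits, got {len(hex_key)}")
    if not all(c in string.hexdigits for c in hex_key):
        raise ValueError(f"{algorithm} key contains non-hexadecimal characters")
    return bytes.fromhex(hex_key)

def sa_crc(enc_alg, enc_hex, auth_alg, auth_hex):
    """Illustrative 32-bit checksum over both keys of one SA (assumed layout)."""
    data = validate_key(enc_alg, enc_hex) + validate_key(auth_alg, auth_hex)
    return zlib.crc32(data) & 0xFFFFFFFF

def inconsistent_nodes(crc_by_node):
    """Return nodes whose CRC for an SPI differs from the most common value."""
    majority, _ = Counter(crc_by_node.values()).most_common(1)[0]
    return sorted(n for n, crc in crc_by_node.items() if crc != majority)

# Constructed sample: node-c was provisioned with one wrong hex digit.
ENC = "0f" * 32                # 64 digits for AES256
AUTH = "a5" * 64               # 128 digits for HMAC-SHA-512
BAD_AUTH = AUTH[:-1] + "4"     # differs from AUTH in the last digit only
GOOD = sa_crc("AES256", ENC, "HMAC-SHA-512", AUTH)
SAMPLE = {
    "node-a": GOOD,
    "node-b": GOOD,
    "node-c": sa_crc("AES256", ENC, "HMAC-SHA-512", BAD_AUTH),
}

if __name__ == "__main__":
    print(inconsistent_nodes(SAMPLE))
```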