Modifying a key group

When modifying a key group, observe the following conditions:

In the following example, the active outgoing SA is deconfigured, the SAs are removed, and the encryption algorithm is changed. The SAs are then reconfigured, and finally the active outgoing SA is reconfigured. The output display shows the new configuration, based on the one shown in Configuring a key group.

Use the following CLI syntax to modify a key group. The first syntax deconfigures the key group items and the second syntax reconfigures them.

config# group-encryption
        — encryption-keygroup keygroup-id
            — no active-outbound-sa
            — no security-association spi spi
        — exit

config# group-encryption
        — encryption-keygroup keygroup-id
            — security-association spi spi authentication-key auth-key encryption-key encrypt-key
            — esp-encryption-algorithm {aes128|aes256}
        — exit

config>grp-encryp# encryption-keygroup KG1_secure
    config>grp-encryp>encryp-keygrp# no active-outbound-sa
    config>grp-encryp>encryp-keygrp# no security-association spi 2
    config>grp-encryp>encryp-keygrp# no security-association spi 6

config>grp-encryp# encryption-keygroup KG1_secure
    config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes256
    config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123
    config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF [crypto]
    config>grp-encryp>encryp-keygrp# active-outbound-sa 2

The following example displays the commands used to modify a key group. The first example deconfigures the key group items and the second example reconfigures them. The encryption algorithm is changed from aes128 to aes256, the keys are changed, and the active outbound SA is changed to SPI 2.

domain1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            no security-association spi 2 
            no security-association spi 6 
            no active-outbound-sa
        exit
----------------------------------------------
domain1>config>grp-encryp# 
domain1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes256
            security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123
            security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF crypto
            active-outbound-sa 2
        exit
----------------------------------------------
domain1>config>grp-encryp#
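
The deconfigure-then-reconfigure sequence above, as an added example that is not part of the original page or the vendor's code: a Python helper that generates fresh random keys in place of the patterned sample keys, checks key lengths, and emits the commands in the order the page uses. The function names, and the assumption that the CLI key length equals the algorithm's key size, belong to this example only.

```python
import re
import secrets

# Key sizes in bytes. Assumption: the CLI key length equals the algorithm's
# key size; 32 bytes matches the 64-hex-digit keys shown with aes256/sha256.
ENC_KEY_BYTES = {"aes128": 16, "aes256": 32}
AUTH_KEY_BYTES = 32


def new_key(nbytes):
    """Return a fresh random key as 0x-prefixed hex from the OS CSPRNG."""
    return "0x" + secrets.token_hex(nbytes).upper()


def check_key(key, nbytes):
    """Reject keys of the wrong length or built from a repeating pattern."""
    if not re.fullmatch(r"0x[0-9A-Fa-f]{%d}" % (2 * nbytes), key):
        raise ValueError("expected 0x plus %d hex digits" % (2 * nbytes))
    d = key[2:].lower()
    for p in range(1, len(d) // 2 + 1):
        if d == (d[:p] * (len(d) // p + 1))[:len(d)]:
            raise ValueError("key repeats a %d-digit pattern" % p)
    return key


def rotation_commands(keygroup, algorithm, old_spis, new_sas, active_spi):
    """Return (deconfigure, reconfigure) command lists in the page's order."""
    if algorithm not in ENC_KEY_BYTES:
        raise ValueError("unknown algorithm: %s" % algorithm)
    if active_spi not in new_sas:
        raise ValueError("active-outbound-sa must name a configured SPI")
    ctx = "encryption-keygroup %s" % keygroup
    remove = [ctx, "no active-outbound-sa"]
    remove += ["no security-association spi %d" % s for s in old_spis]
    add = [ctx, "esp-encryption-algorithm %s" % algorithm]
    for spi, (auth, enc) in sorted(new_sas.items()):
        check_key(auth, AUTH_KEY_BYTES)
        check_key(enc, ENC_KEY_BYTES[algorithm])
        add.append("security-association spi %d authentication-key %s "
                   "encryption-key %s" % (spi, auth, enc))
    add.append("active-outbound-sa %d" % active_spi)
    return remove, add


if __name__ == "__main__":
    # Constructed input: the page's key group and SPIs, with fresh random keys.
    sas = {spi: (new_key(AUTH_KEY_BYTES), new_key(32)) for spi in (2, 6)}
    for block in rotation_commands("KG1_secure", "aes256", [2, 6], sas, 2):
        print("\n".join(block) + "\n")  # output contains secret key material
```
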