Gracefully enable encryption steps

Prerequisites

To use a keychain for MCS IPsec, the keychain entry algorithm must be configured as aes-128-gcm-16.

Use the following steps to gracefully enable encryption. Chassis A and chassis B must both run releases that support the transport-encryption feature. Chassis A is active and chassis B is standby.

Procedure

  1. On chassis B, change the configuration to add MCS encryption, using a keychain with two bidirectional entries in the configure system security keychain direction bi entry context:
    • For entry-1, use the following values:

      • For entry-id, use null-key.

      • For begin-time, use now.

      • For tolerance, use forever.

    • For entry-2, use the following values:

      • For algorithm, use aes-128-gcm-16.

      • For begin-time, use t1, a time far enough ahead to complete the next step (for example, if the current time is 2019/4/18 10:00 UTC and step 2 needs one hour, use begin-time 2019/4/18 11:00 UTC).

    Because both chassis A and chassis B are still using clear transport, A can successfully synchronize states to B.

  2. On chassis A, change the configuration to add MCS encryption, using a keychain with two bidirectional entries in the configure system security keychain direction bi context:
    • For entry-1, use the following values:

      • For entry-id, use null-key.

      • For begin-time, use now.

      • For tolerance, use forever.

    • For entry-2, use the following values:

      • For algorithm, use aes-128-gcm-16.

      • For begin-time, use t1, the same value as in step 1 (begin-time 2019/4/18 11:00:00 UTC).

    Because both A and B can receive either clear or encrypted states, synchronization is successful.

  3. After t1, remove entry-1 from both chassis using the configure system security keychain direction bi no entry 1 command.
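As an added illustration (not part of the original documentation), the Python model below replays the three steps on a simulated clock and checks, at each checkpoint, that each chassis still accepts what its peer sends. The sender and receiver selection rules, the 30-minute duration assumed for step 2 and the checkpoint times are assumptions, not SR OS behaviour; the model also shows the case the step-1 note guards against, a t1 that arrives before step 2 is finished.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
T0 = datetime(2019, 4, 18, 10, 0)  # the page's example clock at step 1 (UTC)

@dataclass(frozen=True)
class Entry:
    entry_id: int
    algorithm: str                         # "null-key" models clear transport
    begin_time: datetime
    tolerance: Optional[timedelta] = None  # None models "tolerance forever"

def send_entry(chain, now):
    # Assumed sender rule: newest entry whose begin-time has arrived; no keychain sends clear (None)
    live = [e for e in chain if e.begin_time <= now]
    return max(live, key=lambda e: e.begin_time) if live else None

def accepts(chain, now, entry):
    # Assumed receiver rule: without a keychain only clear passes; with one, a live entry must match (null-key for clear)
    if not chain:
        return entry is None or entry.algorithm == "null-key"
    for e in chain:
        if e.begin_time > now or (e.tolerance is not None and now > e.begin_time + e.tolerance):
            continue
        if (entry is None and e.algorithm == "null-key") or (
                entry is not None and (e.entry_id, e.algorithm) == (entry.entry_id, entry.algorithm)):
            return True
    return False

def sync_ok(chain_a, chain_b, now):
    # MCS is bidirectional: each chassis must accept what its peer sends at this moment
    return accepts(chain_b, now, send_entry(chain_a, now)) and accepts(chain_a, now, send_entry(chain_b, now))

def mcs_chain(configured_at, t1):
    # The two entries from steps 1 and 2: entry-1 null-key from now/forever, entry-2 AES from t1
    return [Entry(1, "null-key", configured_at), Entry(2, "aes-128-gcm-16", t1)]

def walk_procedure(t1_minutes_after_t0):
    # Replays the timeline: step 1 on B at T0, step 2 on A at T0+30min (assumed), step 3 an hour after t1
    t1, step2 = T0 + timedelta(minutes=t1_minutes_after_t0), T0 + timedelta(minutes=30)
    a, b = [], mcs_chain(T0, t1)
    results = {"after_step1": sync_ok(a, b, T0 + timedelta(minutes=10))}
    # A t1 chosen before step 2 finishes makes B send encrypted state to a chassis with no keychain
    results["t1_before_step2"] = sync_ok(a, b, t1 + timedelta(minutes=1)) if t1 < step2 else None
    a = mcs_chain(step2, t1)
    results["after_step2"] = sync_ok(a, b, step2 + timedelta(minutes=5))
    results["after_t1"] = sync_ok(a, b, t1 + timedelta(hours=1))
    a = b = [e for e in a if e.entry_id != 1]
    results["after_step3"] = sync_ok(a, b, t1 + timedelta(hours=2))
    return results
```

Calling walk_procedure(60) reproduces the page's timeline (t1 one hour after step 1) with every checkpoint succeeding, while walk_procedure(15) reports the t1_before_step2 checkpoint as failed.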

What to do next

For an example configuration, see Configuring MCS encryption.