NGE management tasks
This section describes NGE management tasks.
Modifying a key group
When modifying a key group, observe the following conditions:
The encryption or authentication algorithm for a key group cannot be changed if there are any SAs in the key group.
The active outgoing SA must be removed (deconfigured) before the SPI can be deleted from the SA list in the key group.
Before the outgoing SA can be deconfigured, the key group must be removed from all services on the node that use the key group.
In the following example, the active outgoing SA is deconfigured, the SAs are removed, and the encryption algorithm is changed. The SAs are then reconfigured, followed by the active outgoing SA. The output display shows the new configuration, based on the configuration shown in Configuring a key group.
Use the following CLI syntax to modify a key group. The first syntax deconfigures the key group items and the second syntax reconfigures them.
config# group-encryption
— encryption-keygroup keygroup-id
— no active-outbound-sa
— no security-association spi spi
— exit
config# group-encryption
— encryption-keygroup keygroup-id
— security-association spi spi authentication-key auth-key encryption-key encrypt-key
— esp-encryption-algorithm {aes128|aes256}
— exit
config>grp-encryp# encryption-keygroup KG1_secure
config>grp-encryp>encryp-keygrp# no active-outbound-sa
config>grp-encryp>encryp-keygrp# no security-association spi 2
config>grp-encryp>encryp-keygrp# no security-association spi 6
config>grp-encryp# encryption-keygroup KG1_secure
config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes256
config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123
config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF [crypto]
config>grp-encryp>encryp-keygrp# active-outbound-sa 2
The following info detail output shows the result of the commands used to modify a key group. The first output shows the key group items deconfigured and the second shows them reconfigured. The encryption algorithm is changed from aes128 to aes256, the keys are changed, and the active outbound SA is changed to SPI 2.
domain1>config>grp-encryp# info detail
----------------------------------------------
group-encryption-label 34
encryption-keygroup 2 create
description "Main_secure_KG"
keygroup-name "KG1_secure"
esp-auth-algorithm sha256
esp-encryption-algorithm aes128
no security-association spi 2
no security-association spi 6
no active-outbound-sa
exit
----------------------------------------------
domain1>config>grp-encryp#
domain1>config>grp-encryp# info detail
----------------------------------------------
group-encryption-label 34
encryption-keygroup 2 create
description "Main_secure_KG"
keygroup-name "KG1_secure"
esp-auth-algorithm sha256
esp-encryption-algorithm aes256
security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123
security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF crypto
active-outbound-sa 2
exit
----------------------------------------------
domain1>config>grp-encryp#
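The three ordering conditions listed at the start of this task can be checked mechanically before a maintenance window. The following Python model is an added example, not Nokia code and not SR OS behaviour: it encodes the conditions as preconditions on each command and walks the modify procedure in the required order, returning the CLI lines it would issue. The key-group fields, SPIs, keys and the "sdp 61 outbound" binding are constructed to mirror the KG1_secure example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class KeyGroup:
    """Minimal model of an NGE key group and the ordering rules listed above (constructed, not Nokia code)."""
    keygroup_id: int
    esp_encryption_algorithm: str = "aes128"
    sas: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # spi -> (auth-key, encrypt-key)
    active_outbound_sa: Optional[int] = None
    bindings: Set[str] = field(default_factory=set)  # services on the node still using the key group

    def no_active_outbound_sa(self) -> None:
        # The outgoing SA may only be deconfigured once no service uses the key group.
        if self.bindings:
            raise ValueError(f"key group {self.keygroup_id} is still bound to {sorted(self.bindings)}")
        self.active_outbound_sa = None

    def no_security_association(self, spi: int) -> None:
        # An SPI cannot be deleted from the SA list while it is the active outgoing SA.
        if spi == self.active_outbound_sa:
            raise ValueError(f"spi {spi} is the active outbound SA; run 'no active-outbound-sa' first")
        del self.sas[spi]

    def set_esp_encryption_algorithm(self, algorithm: str) -> None:
        # The encryption algorithm cannot change while any SA remains in the key group.
        if self.sas:
            raise ValueError(f"remove SAs {sorted(self.sas)} before changing the algorithm")
        self.esp_encryption_algorithm = algorithm


def change_encryption_algorithm(kg: KeyGroup, algorithm: str, new_sas: Dict[int, Tuple[str, str]], active_spi: int) -> List[str]:
    """Run the modify procedure in the required order; returns the CLI lines that would be issued."""
    issued = ["no active-outbound-sa"]
    kg.no_active_outbound_sa()
    for spi in sorted(kg.sas):  # sorted() copies the keys, since the loop deletes from kg.sas
        kg.no_security_association(spi)
        issued.append(f"no security-association spi {spi}")
    kg.set_esp_encryption_algorithm(algorithm)
    issued.append(f"esp-encryption-algorithm {algorithm}")
    for spi, (auth_key, encrypt_key) in new_sas.items():
        kg.sas[spi] = (auth_key, encrypt_key)
        issued.append(f"security-association spi {spi} authentication-key {auth_key} encryption-key {encrypt_key}")
    if active_spi not in kg.sas:  # the active outbound SA must be one of the configured SPIs
        raise ValueError(f"spi {active_spi} is not in the SA list of key group {kg.keygroup_id}")
    kg.active_outbound_sa = active_spi
    issued.append(f"active-outbound-sa {active_spi}")
    return issued
```

Running it against a key group that is still bound to a service fails at the first step, which is the same point at which the node would refuse the command.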
Removing a key group
Both inbound and outbound direction key groups must be deconfigured before the key group can be removed (unbound). The inbound and outbound key groups must be deconfigured individually. Specifying a keygroup-id is optional.
Removing a key group from an SDP, VPRN service, or PW template
Use the following CLI syntax to remove a key group from an SDP, VPRN service, or PW template:
tools>perform>service>eval-pw-template>allow-service-impact
config>service# sdp sdp-id
— no encryption-keygroup direction {inbound | outbound}
config>service# vprn service-id
— no encryption-keygroup direction {inbound | outbound}
config>service# pw-template policy-id auto-gre-sdp
— no encryption-keygroup direction {inbound | outbound}
The following examples remove a key group from an SDP, a VPRN service, and a PW template:
config>service# sdp 61
config>service>sdp# no encryption-keygroup direction inbound
config>service>sdp# no encryption-keygroup direction outbound
config>service# vprn 22
config>service>vprn# no encryption-keygroup direction inbound
config>service>vprn# no encryption-keygroup direction outbound
config>service# pw-template 12
config>service>pw-template# no encryption-keygroup direction inbound
config>service>pw-template# no encryption-keygroup direction outbound
The following example shows that the key group configuration has been removed from an SDP or a VPRN service.
domain1>config>service# info
----------------------------------------------
...
sdp 61 create
shutdown
far-end 10.10.10.10
exit
exit
...
...
vprn 22 customer 1 create
shutdown
exit
...
----------------------------------------------
domain1>config>service# info
Changing key groups
Changing a key group requires a removal, a change, and an installation of the key group:
- Remove the inbound direction key group.
- Change the outbound direction key group.
- Install the new inbound direction key group.
Changing the key group for an SDP, VPRN service, or PW template
Changing key groups for an SDP, VPRN service, or PW template must be performed on all nodes for the service.
The following CLI syntax changes the key group on an SDP. The syntax for a VPRN service or PW template is similar.
config>service# sdp sdp-id
— no encryption-keygroup direction {inbound | outbound}
— encryption-keygroup keygroup-id direction {inbound | outbound}
In the example below, the inbound and outbound key groups are changed from key group 4 to key group 6.
config>service# sdp 61
config>service>sdp# no encryption-keygroup direction inbound
config>service>sdp# encryption-keygroup 6 direction outbound
config>service>sdp# encryption-keygroup 6 direction inbound
The following example shows that the key group configuration has been changed for the SDP or the VPRN service.
domain1>config>service# info
----------------------------------------------
...
sdp 61 create
shutdown
far-end 10.10.10.10
exit
encryption-keygroup 6 direction inbound
encryption-keygroup 6 direction outbound
exit
...
----------------------------------------------
domain1>config>service# info
Deleting a key group from an NGE node
To delete a key group from an NGE node, the key group must be removed (unbound) from all SDPs, VPRN services, PW templates, and router interfaces that use it.
To locate the key group bindings, use the CLI command show>group-encryption>encryption-keygroup keygroup-id.
Use the following CLI syntax to delete a key group:
config# group-encryption
— no encryption-keygroup keygroup-id
config>grp-encryp# no encryption-keygroup 8