NGE management tasks

This section describes NGE management tasks.

Modifying a key group

When modifying a key group, observe the following conditions:

  • The encryption or authentication algorithm for a key group cannot be changed if there are any SAs in the key group.

  • The active outgoing SA must be removed (deconfigured) before the SPI can be deleted from the SA list in the key group.

  • Before the outgoing SA can be deconfigured, the key group must be removed from all services on the node that use the key group.

In the following example, the active outgoing SA is deconfigured, the SAs are removed, and the encryption algorithm is changed. Then the SAs are reconfigured, followed by reconfiguration of the active outgoing SA. The output displays the new configuration, based on the configuration shown in Configuring a key group.

Use the following CLI syntax to modify a key group. The first syntax deconfigures the key group items and the second syntax reconfigures them.

config# group-encryption
        — encryption-keygroup keygroup-id 
            — no active-outbound-sa 
            — no security-association spi spi 
        — exit
config# group-encryption 
        — encryption-keygroup keygroup-id 
            — security-association spi spi authentication-key auth-key encryption-key encrypt-key 
            — esp-encryption-algorithm {aes128|aes256} 
        — exit
config>grp-encryp# encryption-keygroup KG1_secure
    config>grp-encryp>encryp-keygrp# no active-outbound-sa
    config>grp-encryp>encryp-keygrp# no security-association spi 2 
    config>grp-encryp>encryp-keygrp# no security-association spi 6 
config>grp-encryp# encryption-keygroup KG1_secure
    config>grp-encryp>encryp-keygrp# esp-encryption-algorithm aes256
    config>grp-encryp>encryp-keygrp# security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123 
    config>grp-encryp>encryp-keygrp# security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF [crypto]
    config>grp-encryp>encryp-keygrp# active-outbound-sa 2
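The three conditions above, modelled as checks that a change script can run before it touches the node, with the page's deconfigure/reconfigure sequence replayed against them (an added example, not Nokia SR OS code; the class and method names, the pre-change active SA of 6 and the binding to sdp 61 are assumptions):

```python
# Added illustration of the key-group change rules stated above; not Nokia SR OS code.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

KEY_2 = "0x" + "0123456789" * 6 + "0123"  # the 64-hex-digit keys from the page's example
KEY_6 = "0x" + "0123456789ABCDEF" * 4

@dataclass
class KeyGroup:  # class and method names are assumptions, not the SR OS CLI
    esp_encryption_algorithm: str = "aes128"
    sas: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # spi -> (auth, enc)
    active_outbound_sa: Optional[int] = None
    bindings: Set[Tuple[str, str]] = field(default_factory=set)  # (service, direction)
    def no_active_outbound_sa(self) -> None:
        # Allowed only once the key group is removed from every service on the node.
        if self.bindings:
            raise ValueError(f"still bound to {sorted(self.bindings)}")
        self.active_outbound_sa = None
    def no_security_association(self, spi: int) -> None:
        # The active outgoing SA must be deconfigured before its SPI is deleted.
        if spi == self.active_outbound_sa:
            raise ValueError(f"spi {spi} is the active outbound SA")
        del self.sas[spi]
    def esp_encryption_algorithm_set(self, alg: str) -> None:
        # The algorithm cannot be changed while any SA exists in the key group.
        if self.sas:
            raise ValueError("remove all security associations before changing the algorithm")
        self.esp_encryption_algorithm = alg
    def active_outbound_sa_set(self, spi: int) -> None:
        if spi not in self.sas:
            raise ValueError(f"spi {spi} is not in the SA list")
        self.active_outbound_sa = spi

def page_keygroup() -> KeyGroup:
    # KG1_secure before the change; active SA 6 and the sdp 61 binding are assumed here.
    kg = KeyGroup(sas={2: (KEY_2, KEY_2), 6: (KEY_6, KEY_6)}, active_outbound_sa=6)
    kg.bindings.update({("sdp 61", "inbound"), ("sdp 61", "outbound")})
    return kg

def modify_in_page_order(kg: KeyGroup) -> KeyGroup:
    # Replays the page's sequence: unbind from the service, deconfigure, change, reconfigure.
    kg.bindings.clear()  # no encryption-keygroup direction inbound/outbound on sdp 61
    kg.no_active_outbound_sa()
    kg.no_security_association(2)
    kg.no_security_association(6)
    kg.esp_encryption_algorithm_set("aes256")
    kg.sas.update({2: (KEY_2, KEY_2), 6: (KEY_6, KEY_6)})
    kg.active_outbound_sa_set(2)
    return kg
```

Running the steps out of order (for example changing the algorithm while SPIs 2 and 6 still exist, or deconfiguring the active SA while sdp 61 is still bound) raises the corresponding refusal instead of silently applying.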

The following output shows the result of the commands used to modify a key group. The first output shows the key group after its items are deconfigured and the second shows them reconfigured. The encryption algorithm is changed from aes128 to aes256, the keys are changed, and the active outbound SA is changed to SPI 2.

domain1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes128
            no security-association spi 2 
            no security-association spi 6 
            no active-outbound-sa
        exit
----------------------------------------------
domain1>config>grp-encryp# 
domain1>config>grp-encryp# info detail
----------------------------------------------
        group-encryption-label 34
        encryption-keygroup 2 create
            description "Main_secure_KG"
            keygroup-name "KG1_secure"
            esp-auth-algorithm sha256
            esp-encryption-algorithm aes256
            security-association spi 2 authentication-key 0x0123456789012345678901234567890123456789012345678901234567890123 encryption-key 0x0123456789012345678901234567890123456789012345678901234567890123 
            security-association spi 6 authentication-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF encryption-key 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF crypto
            active-outbound-sa 2
        exit
----------------------------------------------
domain1>config>grp-encryp# 

Removing a key group

Both inbound and outbound direction key groups must be deconfigured before the key group can be removed (unbound). The inbound and outbound key groups must be deconfigured individually. Specifying a keygroup-id is optional.

Removing a key group from an SDP, VPRN service, or PW template

Use the following CLI syntax to remove a key group from an SDP, VPRN service, or PW template:

Note: After removing a key group from the PW template, the following tools command must be executed:

tools>perform>service>eval-pw-template>allow-service-impact

config>service# sdp sdp-id
        — no encryption-keygroup direction {inbound | outbound}
config>service# vprn service-id 
        — no encryption-keygroup direction {inbound | outbound} 
config>service# pw-template policy-id auto-gre-sdp 
        — no encryption-keygroup direction {inbound | outbound} 

The following examples display a key group removed from an SDP, VPRN service, or PW template:

config>service# sdp 61
    config>service>sdp# no encryption-keygroup direction inbound
    config>service>sdp# no encryption-keygroup direction outbound
config>service# vprn 22 
    config>service>vprn# no encryption-keygroup direction inbound
    config>service>vprn# no encryption-keygroup direction outbound
config>service# pw-template 12
    config>service>pw-template# no encryption-keygroup direction inbound
    config>service>pw-template# no encryption-keygroup direction outbound
    tools>perform>service>eval-pw-template>allow-service-impact

The following example shows that the key group configuration has been removed from an SDP or a VPRN service.

domain1>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
        exit
...
...
        vprn 22 customer 1 create
            shutdown
        exit
...
----------------------------------------------
domain1>config>service# info 

Changing key groups

Changing a key group requires removing, changing, and installing the key group, in the following order:

  1. Remove the inbound direction key group.
  2. Change the outbound direction key group.
  3. Install the new inbound direction key group.

Changing the key group for an SDP, VPRN service, or PW template

Changing key groups for an SDP, VPRN service, or PW template must be performed on all nodes for the service.

The following CLI syntax changes the key group on an SDP. The syntax for a VPRN service or PW template is similar.

Note: For PW template changes, the following tools command must be executed after the encryption-keygroup changes are made:

tools>perform>service>eval-pw-template>allow-service-impact

In the example below, the inbound and outbound key groups are changed from key group 4 to key group 6.

config>service# sdp sdp-id 
        — no encryption-keygroup direction {inbound|outbound} 
config>service# sdp 61
    config>service>sdp# no encryption-keygroup direction inbound
    config>service>sdp# encryption-keygroup 6 direction outbound
    config>service>sdp# encryption-keygroup 6 direction inbound

The following example shows that the key group configuration has been changed for the SDP or the VPRN service.

domain1>config>service# info 
----------------------------------------------
...
        sdp 61 create
            shutdown
            far-end 10.10.10.10
            exit
            encryption-keygroup 6 direction inbound
            encryption-keygroup 6 direction outbound
        exit
...
----------------------------------------------
domain1>config>service# info 

Deleting a key group from an NGE node

To delete a key group from an NGE node, the key group must be removed (unbound) from all SDPs, VPRN services, PW templates, and router interfaces that use it.

Note: When deleting a key group from a PW template, the following tools command must be executed after the encryption-keygroup changes are made:

tools>perform>service>eval-pw-template>allow-service-impact

To locate the key group bindings, use the CLI command show>group-encryption>encryption-keygroup keygroup-id.

Use the following CLI syntax to delete a key group:

config# group-encryption 
        — no encryption-keygroup keygroup-id
config>grp-encryp# no encryption-keygroup 8