Macsec not working after changing something on source interface

Hello,

Sometimes I have to use production switches to connect my test setup, and I do not want my test traffic (also BGP, OSPF, etc.) to be visible on the production netmon.
So I am encrypting that kind of traffic with MACsec.

With vyos-1.4-rolling-202103251004-amd64 I noticed the following bug (?):
Everything was working fine after applying this sample config:

macsec macsec0 {
    address 10.0.0.1/24
    security {
        cipher gcm-aes-128
        encrypt
        mka {
            cak key
            ckn key
        }
        replay-window 1000
    }
    source-interface eth1
}

Ping on macsec interfaces between two hosts (with same key) is working.
BUT:
After I changed something on eth1 (like the ip address) macsec does not work anymore.

vyos@vyos1# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.09 ms
--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.093/1.093/1.093/0.000 ms
vyos@vyos1# set interfaces ethernet eth1 address 10.0.254.5/24
vyos@vyos1# commit
vyos@vyos1# ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
--- 10.0.0.2 ping statistics ---
15 packets transmitted, 0 received, 100% packet loss, time 339ms

I had to reboot to get that working again.

Any ideas?
Andreas

Does it work if you delete macsec with commit and re-add the configuration again?

Yes. It also helps to disable (!) the macsec interface :joy:

vyos@vyos1# ping -c 1 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=1.31 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.306/1.306/1.306/0.000 ms

Working

vyos@vyos1# set interfaces ethernet eth1 address 10.0.254.5/24
vyos@vyos1# commit
vyos@vyos1# ping -c 1 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
--- 10.0.0.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Not working

vyos@vyos1# set interfaces macsec macsec0 disable
vyos@vyos1# commit
vyos@vyos1# ping -c 1 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.435 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.435/0.435/0.435/0.000 ms

Working again - also in disabled state!

vyos@vyos1# sudo tcpdump -nvi macsec0
tcpdump: listening on macsec0, link-type EN10MB (Ethernet), capture size 262144 bytes
19:31:40.869132 IP (tos 0x0, ttl 64, id 17226, offset 0, flags [DF], proto ICMP (1), length 84)
    10.0.0.2 > 10.0.0.1: ICMP echo request, id 3075, seq 1, length 64
19:31:40.869244 IP (tos 0x0, ttl 64, id 4549, offset 0, flags [none], proto ICMP (1), length 84)
    10.0.0.1 > 10.0.0.2: ICMP echo reply, id 3075, seq 1, length 64

I hope that helps :blush:

Maybe it’s because wpa_supplicant isn’t running anymore after changing something on the source-interface?
I can’t even restart it because the folder /run/wpa_supplicant/ is missing then…

/sbin/wpa_supplicant -c/run/wpa_supplicant/eth0.conf -Dmacsec_linux -ieth0
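A verification step for the situation described in this thread (pings passing again while macsec0 is disabled and wpa_supplicant possibly gone, which would mean the traffic is leaving eth1 in cleartext), as an added example that is not code from the thread or from VyOS: it parses raw Ethernet frames as they would be captured on the source interface and counts MACsec-encrypted frames (EtherType 0x88E5 with the SecTAG E bit set, which the `encrypt` option requires) against integrity-only and cleartext frames. The sample frames below are constructed inline; on a real box you would feed it frames captured from eth1 after each commit.

```python
import struct

MACSEC_ETHERTYPE = 0x88E5
IPV4_ETHERTYPE = 0x0800


def parse_sectag(after_ethertype):
    """Decode the 802.1AE SecTAG that follows EtherType 0x88E5.
    Byte 0 is TCI/AN: V(7) ES(6) SC(5) SCB(4) E(3) C(2) AN(1:0).
    Byte 1 is the short length; bytes 2..5 are the packet number."""
    tci_an, sl = after_ethertype[0], after_ethertype[1]
    pn = struct.unpack("!I", after_ethertype[2:6])[0]
    return {
        "version": tci_an >> 7,
        "sc_present": bool(tci_an & 0x20),
        "encrypted": bool(tci_an & 0x08),  # E bit: payload is confidentiality-protected
        "changed": bool(tci_an & 0x04),    # C bit: set together with E for GCM-AES
        "an": tci_an & 0x03,
        "short_length": sl & 0x3F,
        "pn": pn,
    }


def classify_frame(frame):
    """Return 'macsec-encrypted', 'macsec-integrity-only' or 'cleartext'."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == MACSEC_ETHERTYPE:
        tag = parse_sectag(frame[14:])
        return "macsec-encrypted" if tag["encrypted"] else "macsec-integrity-only"
    return "cleartext"


def audit_frames(frames):
    """Count frame classes; any 'cleartext' hit after a commit is the bug surfacing."""
    counts = {"macsec-encrypted": 0, "macsec-integrity-only": 0, "cleartext": 0}
    for frame in frames:
        counts[classify_frame(frame)] += 1
    return counts


# Constructed sample frames (not a real capture): two MACsec frames and one plain IPv4 frame.
DST, SRC = bytes.fromhex("0cfe0b000002"), bytes.fromhex("0cfe0b000001")


def build_macsec_frame(pn, encrypted=True):
    tci_an = 0x2C if encrypted else 0x20         # SC=1, E/C set only when encrypting, AN=0
    sectag = bytes([tci_an, 0]) + struct.pack("!I", pn) + SRC + b"\x00\x01"  # SCI = MAC + port
    return DST + SRC + struct.pack("!H", MACSEC_ETHERTYPE) + sectag + b"\xaa" * 64 + b"\x00" * 16


def sample_frames():
    plain = DST + SRC + struct.pack("!H", IPV4_ETHERTYPE) + b"\x45\x00" + b"\x00" * 18 + b"\xbb" * 64
    return [build_macsec_frame(1), build_macsec_frame(2), plain]
```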