If I'm not mistaken, the same key is used to encrypt and decrypt. It's a preshared key, meaning both sides have the same CKN and CAK and use them to both encrypt and decrypt.
------------------------------
DAVID CLARK
------------------------------
Original Message:
Sent: 10-05-2021 10:24
From: Unknown User
Subject: Question on MACSEC encryption and decryption
Thanks David.
But which of the two keys are used for encryption and which is used for decryption?
The output of "show security macsec connections" doesn't provide that information.
--Deepak
Juniper Business Use Only
Original Message:
Sent: 10/5/2021 10:09:00 AM
From: DAVID CLARK
Subject: RE: Question on MACSEC encryption and decryption
I haven't done it on switches, but on MXs you can just use show security mka session and it will tell you what CAK and CKN (I believe) - if you are using MKA. The CKN is the connectivity association key name and the CAK is the actual key that is associated with the name. The preshared key is made up of both the CKN and the CAK and must match on both sides.
------------------------------
DAVID CLARK
Original Message:
Sent: 10-04-2021 11:11
From: Unknown User
Subject: Question on MACSEC encryption and decryption
Hi.
I have two MACSEC-configured switches S1 and S2, with a link between them.
They are both configured with the same CKN and CAK keys.
Traffic is being forwarded from S1 to S2.
Which of the two keys is S1 using for encryption and which of the two keys is S2 using for decryption?
Thanks,
Deepak