I managed to get MACsec working between two hosts by manually setting TXSC and RXSC, and everything worked like a charm.

After switching to MKA and wpa_supplicant when I do

root@Debian10-02:~# ip macsec show
10: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050000012020001 on SA 0
root@Debian10-02:~#

I only see the TXSC. My wpa_supplicant's version is

root@Debian10-02:~# wpa_supplicant -v
wpa_supplicant v2.8-devel
Copyright (c) 2003-2019, Jouni Malinen <j@w1.fi> and contributors

and the wpa_supplicant config file is the one I find in Sabrina Dubroca's article

https://developers.redhat.com/blog/2017/06/28/whats-new-in-macsec-setting-up-macsec-using-wpa_supplicant-and-optionally-networkmanager#integration_with_wpa_supplicant

ctrl_interface=/var/run/wpa_supplicant
eapol_version=3
ap_scan=0
fast_reauth=1

network={
            key_mgmt=NONE
            eapol_flags=0
            macsec_policy=1

            mka_cak=0123456789ABCDEF0123456789ABCDEF
            mka_ckn=6162636465666768696A6B6C6D6E6F707172737475767778797A303132333435
}

and I launch it via

wpa_supplicant -i eth2 -Dmacsec_linux -c /etc/wpa_supplicant.conf

I see examples where the control interface is disabled, but I'm not sure what its real meaning is. Also, I make sure there is only one instance of wpa_supplicant (at boot the system launched its own, which I had to kill).

Would anyone have a hint/advice on how to troubleshoot? I guess a setup through wpa_supplicant should take care not only of the encryption part (TXSC) but also of the decryption one (RXSC).

Thanks,

Alex
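
A check for the symptom shown in the question, as an added example that is not part of the original post: it parses `ip macsec show` text and reports, per interface, a missing TX SA or a missing RXSC. The first sample is the question's output; the SA and RXSC lines in the second sample are constructed in iproute2's usual layout, and the function names are hypothetical.

```python
import re

# Output copied from the question (MKA session where only a TXSC is listed).
PAGE_OUTPUT = """\
10: macsec0: protect on validate strict sc off sa off encrypt on send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-128, using ICV length 16
    TXSC: 0050000012020001 on SA 0
"""
# Constructed sample of a keyed link: the SA lines, peer SCI, PNs and key ids are made up.
KEYED_OUTPUT = PAGE_OUTPUT + """\
        0: PN 41, state on, key 01000000000000000000000000000000
    RXSC: 0050000012010001, state on
        0: PN 38, state on, key 01000000000000000000000000000000
"""

IFACE = re.compile(r"^\d+: ([^:@\s]+)")              # "10: macsec0: protect on ..."
SC = re.compile(r"^\s+(TXSC|RXSC): ([0-9a-fA-F]+)")  # secure channel and its SCI
SA = re.compile(r"^\s+\d: PN \d+")                   # one installed SA under a channel

def parse_macsec_show(text):
    """Return {ifname: {"tx_sas": count, "rx": {sci: sa_count}}}."""
    links, cur, sc = {}, None, None
    for line in text.splitlines():
        if m := IFACE.match(line):
            cur, sc = links.setdefault(m.group(1), {"tx_sas": 0, "rx": {}}), None
        elif cur is None:
            continue
        elif m := SC.match(line):
            sc = m.groups()
            if sc[0] == "RXSC":
                cur["rx"][sc[1]] = 0
        elif sc and SA.match(line):
            if sc[0] == "TXSC":
                cur["tx_sas"] += 1
            else:
                cur["rx"][sc[1]] += 1
    return links

def diagnose(text):
    """List what each interface still lacks to pass protected traffic both ways."""
    findings = []
    for name, link in parse_macsec_show(text).items():
        if link["tx_sas"] == 0:
            findings.append(f"{name}: no TX SA installed")
        if not link["rx"]:
            findings.append(f"{name}: no RXSC")
        findings += [f"{name}: RXSC {sci} has no SA" for sci, n in link["rx"].items() if n == 0]
    return findings

if __name__ == "__main__":
    for label, out in (("question", PAGE_OUTPUT), ("keyed", KEYED_OUTPUT)):
        print(label, diagnose(out) or "TX and RX keyed")
```

Feed it live data with `diagnose(subprocess.check_output(["ip", "macsec", "show"], text=True))` while wpa_supplicant is running on both hosts.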
