MACsec does not work with cipher gcm-aes-256 because the CAK can only be a 128-bit key in VyOS.
It is a CLI limitation.
vyos@vyos# set interfaces macsec macsec1 security mka cak ff9b7c30ddbc37f4c6bc9dc26ce65b42ff9b7c30ddbc37f4c6bc9dc26ce65b42
Invalid value
Value validation failed
Set failed
[edit]
But if we use gcm-aes-256, we must use a 256-bit key.
Here is the result.
vyos@vyos:~$ show interfaces macsec
6: macsec0: protect on validate strict sc off sa off encrypt off send_sci on end_station off scb off replay off
    cipher suite: GCM-AES-256, using ICV length 16
    TXSC: 0cb5072700000001 on SA 0
    offload: off
I changed the limitations in the template. But it did not help.
vyos@vyos:~$ sudo cat /opt/vyatta/share/vyatta-cfg/templates/interfaces/macsec/node.tag/security/mka/cak/node.def
type: txt
help: Secure Connectivity Association Key
val_help: key; 16-byte (128-bit) hex-string (32 hex-digits)
syntax:expression: exec "${vyos_libexec_dir}/validate-value --regex \'[A-Fa-f0-9]{32}([A-Fa-f0-9]{32})?\' --value \'$VAR(@)\'"; "Invalid value"
Configuration
set interfaces macsec macsec0 address '192.168.2.1/24'
set interfaces macsec macsec0 security cipher 'gcm-aes-256'
set interfaces macsec macsec0 security encrypt
set interfaces macsec macsec0 security mka cak 'bf49b645fd07dc03a9f3c3e7af46055fbf49b645fd07dc03a9f3c3e7af46055f'
set interfaces macsec macsec0 security mka ckn '09924585a6f3010208cf5222ef24c821405b0e34f4b4f63b1f0ced474b9bb6e6'
set interfaces macsec macsec0 source-interface 'eth0'
I think this is because MKA is not installed.
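A check for the cipher/CAK pairing described in this report, written as an added example (not VyOS code and not part of the original report): it reads `set` commands, flags a CAK whose length does not match the cipher, and flags a 64-digit CAK made of one 128-bit value repeated twice, as both 64-digit keys shown above are, since such a key carries only 128 bits of key material. The function names, finding labels and sample configuration are assumptions constructed for illustration.

```python
import re
import shlex

# gcm-aes-256 -> 256-bit CAK is the rule stated in the report above;
# gcm-aes-128 -> 128-bit CAK follows the val_help text in node.def.
CAK_HEX_DIGITS = {"gcm-aes-128": 32, "gcm-aes-256": 64}
SET_RE = re.compile(r"^set interfaces macsec (\S+) security (.+)$")

# Constructed sample configuration (keys are made up, not taken from the page).
SAMPLE = """
set interfaces macsec macsec0 security cipher 'gcm-aes-256'
set interfaces macsec macsec0 security mka cak '00112233445566778899aabbccddeeff'
set interfaces macsec macsec1 security cipher 'gcm-aes-256'
set interfaces macsec macsec1 security mka cak '00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff'
set interfaces macsec macsec2 security cipher 'gcm-aes-256'
set interfaces macsec macsec2 security mka cak '000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f'
"""


def parse_macsec(config_text):
    """Collect cipher and CAK per MACsec interface from 'set' commands."""
    found = {}
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        ifname, rest = m.group(1), shlex.split(m.group(2))
        entry = found.setdefault(ifname, {})
        if rest[:1] == ["cipher"] and len(rest) == 2:
            entry["cipher"] = rest[1]
        elif rest[:2] == ["mka", "cak"] and len(rest) == 3:
            entry["cak"] = rest[2]
    return found


def check_macsec(config_text):
    """Return (interface, finding) tuples, sorted by interface name."""
    findings = []
    for ifname, entry in sorted(parse_macsec(config_text).items()):
        cak = entry.get("cak")
        want = CAK_HEX_DIGITS.get(entry.get("cipher"))
        if cak is None or want is None:
            continue  # incomplete or unknown settings are not judged here
        if not re.fullmatch(r"[A-Fa-f0-9]+", cak) or len(cak) != want:
            findings.append((ifname, "cak-length-mismatch"))
        elif len(cak) == 64 and cak[:32].lower() == cak[32:].lower():
            # 256 bits long, but both halves are the same 128-bit value.
            findings.append((ifname, "cak-halves-identical"))
    return findings
```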