Can you share your config/secret files?

--Jafar


On 12/11/2017 9:17 AM, rajeev nohria wrote:
Can anyone help with this issue? I have set up the id with Subject id. Still have this issue. Is there anything else I am missing?
Thanks,
Rajeev

On Tue, Nov 14, 2017 at 12:44 PM, rajeev nohria <[email protected]> wrote:


    Not sure what is wrong here. Can you let me know if I am missing
    something here?



    16[KNL] creating acquire job for policy
    fc00:cada:c406:607::1001/128[tcp/43005] ===
    fc00:cada:c406::200/128[tcp/8190] with reqid {2}

    2017-11-13 15:58:56,001-HalTransport.py-94-INFO-Start a agent
    transport interface, path = [/tmp/Hal/agent/client/1/push]

    15[IKE] initiating IKE_SA rpdfc00:cada:c406::200[1] to
    fc00:cada:c406::200

    15[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
    N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

    15[NET] sending packet: from fc00:cada:c406:607::1001[500] to
    fc00:cada:c406::200[500] (456 bytes)

    10[NET] received packet: from fc00:cada:c406::200[500] to
    fc00:cada:c406:607::1001[500] (453 bytes)

    10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

    10[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root
    CA01, CN=TEST CableLabs Root Certification Authority"

    10[IKE] received 1 cert requests for an unknown ca

    10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST
    Device CA01, CN=TEST CableLabs Device Certification Authority"

    10[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root
    CA01, CN=TEST CableLabs Root Certification Authority"

    10[IKE] no private key found for 'C=US, O=ARRIS Group, Inc.,
    OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20'

    13[KNL] creating delete job for CHILD_SA
    ESP/0x00000000/fc00:cada:c406::200

    08[JOB] CHILD_SA ESP/0x00000000/fc00:cada:c406::200 not found for
    delete

    06[KNL] creating acquire job for policy
    fc00:cada:c406:607::1001/128[tcp/39047] ===
    fc00:cada:c406::200/128[tcp/8190] with reqid {2}

    16[IKE] initiating IKE_SA rpdfc00:cada:c406::200[2] to
    fc00:cada:c406::200

    16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
    N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]

    16[NET] sending packet: from fc00:cada:c406:607::1001[500] to
    fc00:cada:c406::200[500] (456 bytes)

    11[NET] received packet: from fc00:cada:c406::200[500] to
    fc00:cada:c406:607::1001[500] (453 bytes)

    11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No CERTREQ ]

    11[IKE] received cert request for "C=US, O=CableLabs, OU=TEST Root
    CA01, CN=TEST CableLabs Root Certification Authority"

    11[IKE] received 1 cert requests for an unknown ca

    11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST
    Device CA01, CN=TEST CableLabs Device Certification Authority"

    11[IKE] sending cert request for "C=US, O=CableLabs, OU=TEST Root
    CA01, CN=TEST CableLabs Root Certification Authority"

    11[IKE] no private key found for 'C=US, O=ARRIS Group, Inc.,
    OU=DCA Remote Device Certificate, CN=FF:FF:05:E6:E6:20

    root@plnx_aarch64:~# ip -s xfrm state

    src fc00:cada:c406:607::1001 dst fc00:cada:c406::200

            proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport

            replay-window 0 seq 0x00000002 flag  (0x00000000)

            anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

            sel src fc00:cada:c406:607::1001/128 dst
    fc00:cada:c406::200/128 proto tcp sport 39047 dport 8190 uid 0

            lifetime config:

    limit: soft (INF)(bytes), hard (INF)(bytes)

    limit: soft (INF)(packets), hard (INF)(packets)

    expire add: soft 0(sec), hard 165(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 16:01:42 use -

            stats:

    replay-wind

    root@plnx_aarch64:~# ip -s xfrm policy

    src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto
    tcp uid 0

            dir in action allow index 88 priority 234336 share any
    flag (0x00000000)

            lifetime config:

    limit: soft (INF)(bytes), hard (INF)(bytes)

    limit: soft (INF)(packets), hard (INF)(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 15:58:55 use -

            tmpl src :: dst ::

    proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport

    level required share any

                    enc-mask ffffffff auth-mask ffffffff comp-mask
    ffffffff

    src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto
    tcp uid 0

            dir out action allow index 81 priority 234336 share any
    flag (0x00000000)

            lifetime config:

    limit: soft (INF)(bytes), hard (INF)(bytes)

              limit: soft (INF)(packets), hard (INF)(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 15:58:55 use -

            tmpl src :: dst ::

    proto esp spi 0x00000000(0) reqid 2(0x00000002) mode transport

              level required share any

                    enc-mask ffffffff auth-mask ffffffff comp-mask
    ffffffff

    src fc00:cada:c406::200/128 dst fc00:cada:c406:607::1001/128 proto
    l2tp uid 0

            dir in action allow index 72 priority 234336 share any
    flag (0x00000000)

            lifetime config:

    limit: soft (INF)(bytes), hard (INF)(bytes)

    limit: soft (INF)(packets), hard (INF)(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 15:58:55 use -

            tmpl src :: dst ::

    proto esp spi 0x00000000(0) reqid 1(0x00000001) mode transport

    level required share any

                    enc-mask ffffffff auth-mask ffffffff comp-mask
    ffffffff

    src fc00:cada:c406:607::1001/128 dst fc00:cada:c406::200/128 proto
    l2tp uid 0

            dir out action allow index 65 priority 234336 share any
    flag (0x00000000)

            lifetime config:

    limit: soft (INF)(bytes), hard (INF)(bytes)

    limit: soft (INF)(packets), hard (INF)(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 15:58:55 use -

            tmpl src :: dst ::

    proto esp spi 0x00000000(0) reqid 1(0x00000001) mode transport

    level required share any

                    enc-mask ffffffff auth-mask ffffffff comp-mask
    ffffffff

    src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

            socket in action allow index 59 priority 0 share any flag
    (0x00000000)

            lifetime config:

    limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use -

    src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

            socket out action allow index 52 priority 0 share any flag
    (0x00000000)

            lifetime config:

    limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use -

    src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

            socket in action allow index 43 priority 0 share any flag
    (0x00000000)

            lifetime config:

    limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use -

    src 0.0.0.0/0 dst 0.0.0.0/0 uid 0

            socket out action allow index 36 priority 0 share any flag
    (0x00000000)

            lifetime config:

    limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use -

    src ::/0 dst ::/0 uid 0

            socket in action allow index 27 priority 0 share any flag
    (0x00000000)

            lifetime config:

    limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use -

    src ::/0 dst ::/0 uid 0

            socket out action allow index 20 priority 0 share any flag
    (0x00000000)

            lifetime config:

    limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use -

    src ::/0 dst ::/0 uid 0

            socket in action allow index 11 priority 0 share any flag
    (0x00000000)

            lifetime config:

              limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use 2017-11-13 16:04:42

    src ::/0 dst ::/0 uid 0

            socket out action allow index 4 priority 0 share any flag
    (0x00000000)

            lifetime config:

    limit: soft 0(bytes), hard 0(bytes)

    limit: soft 0(packets), hard 0(packets)

    expire add: soft 0(sec), hard 0(sec)

    expire use: soft 0(sec), hard 0(sec)

            lifetime current:

    0(bytes), 0(packets)

              add 2017-11-13 18:46:13 use 2017-11-13 16:04:30

    ################# Certificates ######################

    v --in privKey.pem

      privkey:   RSA 2048 bits

      keyid: 85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce

      subjkey: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f

    root@plnx_aarch64:/var/priv# pki --print --type x509 --in Dcert.pem

      opening 'Dcert.pem' failed: No such file or directory

    building CRED_CERTIFICATE - X509 failed, tried 4 builders

    parsing input failed

    root@plnx_aarch64:/var/priv# pki --print --type x509 --in DCert.pem

      subject:  "C=US, O=ARRIS Group, Inc., OU=DCA Remote Device
    Certificate, CN=FF:FF:05:E6:E6:20"

      issuer:   "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST
    CableLabs Device Certification Authority"

      validity:  not before Sep 14 16:13:24 2017, ok

    not after  Sep 14 16:13:24 2018, ok (expires in 305 days)

      serial:    01:ff:ff:05:e6:e6:20

      authkeyId:
    f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

      subjkeyId:
    71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f

      pubkey:    RSA 2048 bits

      keyid: 85:d3:eb:51:9a:a8:1e:f6:ff:14:ee:cc:64:f6:2f:e0:32:99:1b:ce

      subjkey: 71:83:c0:b4:3e:40:06:f1:e5:30:d2:14:2c:82:e7:76:13:37:f4:6f

    root@plnx_aarch64:/var/priv#

    root@plnx_aarch64:/var/priv#

    root@plnx_aarch64:/var/priv#

    root@plnx_aarch64:/var/priv# pki --print --type x509 --in DMCert.pem

      subject:  "C=US, O=CableLabs, OU=TEST Device CA01, CN=TEST
    CableLabs Device Certification Authority"

      issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST
    CableLabs Root Certification Authority"

      validity:  not before Dec 09 23:08:49 2014, ok

            not after  Dec 09 23:08:49 2049, ok (expires in 11714 days)

      serial: a0:16:bc:73:85:0e:65:37

      altNames:  CN=SYMC-3072-5

      flags:     CA CRLSign

      pathlen:   0

      authkeyId:
    89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

      subjkeyId:
    f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

      pubkey:    RSA 3072 bits

      keyid: b7:98:32:e4:ae:30:02:57:f7:ad:cb:2b:37:41:17:9c:1b:9d:79:28

      subjkey: f6:dc:40:8a:89:b6:7b:7a:08:f6:78:b5:4a:28:7a:7f:57:9b:f9:9b

    root@plnx_aarch64:/var/priv# ls

    DCert.pem DMCertTemp.der    privKey.pem

    DCertTemp.der DRCert.pem        privKeyTemp.der

    DMCert.pem DRCertTemp.der    privKeyTemp1.der

    root@plnx_aarch64:/var/priv# pki --print --type x509 --in DRCert.pem

      subject:  "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST
    CableLabs Root Certification Authority"

      issuer:   "C=US, O=CableLabs, OU=TEST Root CA01, CN=TEST
    CableLabs Root Certification Authority"

      validity:  not before Nov 11 17:19:44 2014, ok

    not after  Nov 11 17:19:44 2064, ok (expires in 17165 days)

      serial: b1:b0:d3:be:83:ee:bf:e3

      altNames:  CN=MPKI-4096-1-206

      flags:     CA CRLSign self-signed

      subjkeyId:
    89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

      pubkey:    RSA 4096 bits

      keyid: bd:0e:4c:0f:21:cf:f0:49:af:19:34:3b:c2:64:c5:31:a1:2e:11:07

      subjkey: 89:62:79:3d:b4:07:c9:f3:c6:97:59:dd:b6:dc:65:0b:33:54:ff:fb

    root@plnx_aarch64:/var/priv#


