Bug #5868: Create a proof-of-concept to forward traffic from IPsec into a GTP tunnel
Status: Closed (100% done)
Description
The UE's traffic (SIP/TCP/IP) arrives at the ePDG as IPsec traffic.
All the traffic from a single UE must be converted from IPsec encapsulation into GTP encapsulation.
As a prototype, a setup of a couple of VMs would be a good starting point:
- UE (IPsec client)
- EPDG (IPsec server, forwards traffic to a GTP tunnel)
- PGW (GTP tunnel endpoint)
- IMS (http, icmp, .. endpoint in this example)
The interesting part to test: can Linux be configured to decapsulate IPsec traffic and encapsulate it in GTP, and vice versa?
Further, we will have multiple APN/PGW connections, meaning multiple GTP interfaces.
If we can't connect the IPsec tunnel with a GTP tunnel directly (which I doubt), it would mean we have a lot of `ip rule`s on the machine.
Maybe we would have only a single `ip rule` for every APN.
Or we could use eBPF or XDP for it and only have lookup tables maintained by user space?
Related issues
Updated by lynxis 11 months ago
- Related to Feature #5861: extend charon with external authentication interface added
Updated by lynxis 11 months ago
- Status changed from In Progress to Closed
The prototype works with rules to drop all IPsec traffic into the gtp interface and vice versa. There might be a problem when traffic from the gtp comes and the tunnel already got destroyed, but I would move this problem to the later stage.
Further, I've used EAP-AKA for the authentication (using a hardcoded key/OPc), and the ePDG authenticates itself to the user via an X.509 certificate, as recommended.
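As an added example (not code from this issue, the prototype, or the Osmocom project), the following script shows the "one `ip rule` per APN" policy-routing setup the description speculates about and the closing comment reports working: decrypted traffic sourced from an APN's UE address pool is steered into that APN's GTP device, and a blackhole route covers the case the closing comment leaves open, where traffic still arrives from the GTP side for a UE whose IPsec tunnel is already gone. The pool addresses, the device names gtp0/gtp1, the table numbers and the reliance on strongSwan's routing table 220 are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not code from the issue or the prototype: policy routing on a
# Linux ePDG that forwards decrypted IPsec traffic from each APN's UE address
# pool into that APN's GTP device, plus a blackhole for the case where the GTP
# side still sends traffic for a UE whose tunnel is already gone.
#
# Assumptions (hypothetical, chosen for this example):
#   - the IKE daemon hands out UE virtual IPs from a per-APN pool and installs
#     its own host routes for them (strongSwan uses table 220 via an ip rule
#     at priority 220), so a rule with a lower priority number wins for
#     UE-sourced packets, and replies fall through to the daemon's table;
#   - the GTP devices gtp0/gtp1 already exist (e.g. created with libgtpnl's
#     gtp-link) and the PGW tunnels are maintained by user space.
set -e

# DRY_RUN=1 (the default) prints the commands instead of executing them, so
# the script can be reviewed on any host; DRY_RUN=0 applies them as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# apn_route POOL GTPDEV TABLE
# One ip rule per APN: everything sourced from the APN's UE pool is looked up
# in TABLE, whose only route sends it into the APN's GTP device. TABLE doubles
# as the rule priority so the rules stay ordered and easy to list.
apn_route() {
    pool="$1"; gtpdev="$2"; table="$3"
    run ip rule add from "$pool" lookup "$table" priority "$table"
    run ip route replace default dev "$gtpdev" table "$table"
}

# apn_blackhole POOL
# Traffic arriving from the GTP side for a UE address that no longer has an
# IPsec tunnel (and therefore no host route in the IKE daemon's table) would
# otherwise follow the main table's default route towards the upstream link.
# A blackhole for the whole pool in the main table drops it instead; the
# daemon's /32 host routes are consulted first, so live UEs are unaffected.
apn_blackhole() {
    pool="$1"
    run ip route replace blackhole "$pool"
}

# setup_apns: the hypothetical APN layout for the prototype.
setup_apns() {
    apn_route 10.45.0.0/16 gtp0 100      # APN "ims": decrypt, then into gtp0
    apn_blackhole 10.45.0.0/16
    apn_route 10.46.0.0/16 gtp1 101      # APN "internet": into gtp1
    apn_blackhole 10.46.0.0/16
}

setup_apns
```

Run it as-is to review the generated `ip` commands, then `DRY_RUN=0 sh script.sh` as root on the ePDG VM. Return traffic from the GTP side is not matched by the per-APN rules (its source is the IMS or PGW side, not the UE pool), so it falls through to the IKE daemon's host routes and is re-encrypted by the XFRM policy for that UE; only traffic for an address with no such route hits the blackhole.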