Cellular Network Infrastructure » cni-legacy » OpenBSC

[[PageOutline]]

= Information on the WRTU54G UMA TA =

== Getting shell / console access ==

The easiest part is to flash a modified firmware image that removes the root password from the /etc/passwd file in the squashfs.

You can then access the serial console and log in as root without password.

== Changing the SEGW / GANC address ==

On the shell of the device, change to the /nv directory and edit the two lines in rc.conf for UMA_SGW and UMA_UNC to:

{{{

UMA_SGW="my.segw.host.name"

UMA_UNC="my.unc.host.name"

}}}

Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system.

== Enabling more logging ==

In /nv/rc.conf:

{{{

LOG_ENABLE="1"

UMALOG_ENABLE="on"

UMA_LOG_SIZE="1"

}}}

Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system.

== Adding a new CA Certificate ==

While modifying the firmware, add your new CA root certificate in DER format to /ramdisk_copy/etc/kineto/ and then add the filename

and path into a new line in /ramdisk_copy/etc/kineto/init_ike.cfg, like this:

{{{

ike ca /etc/kineto/my_new_ca.der

}}}

Furthermore, edit /etc/rc.d/init.d/umaset and /etc/rc.d/init.d/RJ11_recovery to each include a line like this:

{{{

echo "ike ca /etc/kineto/my_new_ca.der" >> $IKE_CONF

}}}

== Enabling telnet ==

Using the toolchain included in the Linksys WRTU54G GPL release, you can cross-compile utelnetd for a compatible uclibc:

{{{

./utelnetd-0.1.11 $ make CC=mipsel-linux-gcc

mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer   -c -o utelnetd.o utelnetd.c

mipsel-linux-gcc  -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer utelnetd.o  -o utelnetd

strip  --remove-section=.comment --remove-section=.note utelnetd

./utelnetd-0.1.11 $

}}}

You can then include this utelnetd binary into the squashfs image to /usr/sbin/utelnted.

Furthermore, you have to edit /etc/rc.d/rc.proprietary and change the line

{{{

[ "`uname -ar | grep diag`" ] && /usr/sbin/utelnetd&

}}}

into

{{{

usr/sbin/utelnetd&

}}}

to unconditionally start the telnet daemon at every boot.  Alternatively, you can set

{{{

hostname="diag"

}}}

in /nv/rc.conf.

= Setting up a SEGW =

The SEGW needs to

 * allocate a virtual IP to the remote end from a local pool

 * use EAP-SIM to authenticate the peer, using tuples (IMSI/RAND/SRES/Kc)

 * authenticate itself using a certificate that has been signed by the CA certificate installed on the WRT54U

 * provide at least one DNS server via IKEv2 attributes to the peer

== compiling strongswan ==

You can use strongswan-4.4.1 and use the following compile-time configure options:

{{{

--enable-eap-radius --enable-eap-aka --enable-sqlite --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-sql

}}}

== strongswan configuration files ==

=== /etc/strongswan.conf ===

{{{

charon {

        threads = 16

        plugins {

                attr {

                        dns = 213.95.46.69

                }

        }

}

libhydra {

  plugins {

    attr-sql {

      database = sqlite:///etc/ipsec.d/ipsec.db

    }

  }

}

}}}

=== /etc/ipsec.conf ===

{{{

config setup

        charonstart=yes

        plutostart=no

        charondebug="ike 2, knl 2, net 2, cfg 2"

conn %default

        ikelifetime=60m

        keylife=20m

        rekeymargin=3m

        keyingtries=1

        keyexchange=ikev2

conn uma-segw

        left=real.public.ip.of.segw

        leftsubnet=10.0.0.0/8

        leftcert=segw_cert.pem

        leftauth=pubkey

        rightauth=eap-sim

        right=%any

        rightsourceip=%hostpool

        rightsendcert=never

        auto=add

}}}

=== /etc/ipsec.d/triplets.dat ===

Populate this with SIM authentication triplets like this (identity derived of IMSI, RAND, SRES, Kc):

{{{

1901700000000402@uma.mnc700.mcc901.3gppnetwork.org,00000000000000000000000000000000,11111111,2222222222222222

}}}

=== /etc/ipsec.secrets ===

{{{

: RSA /etc/ipsec.d/private/segw_key_raw.pem

}}}

=== /etc/ipsec.d/certs/segw_cert.pem ===

This is the PEM file of your certificate for the SEGW, using the CN of the FQDN.

=== /etc/ipsec.d/cacerts/my_ca.pem ===

This is the CA root certificate of the CA that has issued your segw_cert.pem

=== /etc/ipesc.d/private/segw_key_raw.pem ===

This is the '''raw''' RSA private key for your segw_cert.pem, and is '''not PKCS8'''.

==== make sure your private key is not PKCS8 ====

The default CA.pl script of openssl generates private keys in PKCS8 format, which is not supported

by charon of OpenSWAN.  you have to convert the PKCS8 into raw RSA files like this:

{{{

openssl rsa -in my_privatekey.pem -out my_privatekey_raw.pem

}}}

== SEGW tweaks for specific phones ==

=== Nokia C7 ===

==== IMSI to EAP-SIM identity ====

the derivation of the EAP-SIM identity from the IMSI works slightly different.  If the IMSI starts with 9017000 then nokia will generate

1901700000000716@uma.'''mnc070'''.mcc901.3gppnetwork.org as opposed to the 1901700000000426@uma.'''mnc700'''.mcc901.3gppnetwork.org in Blackberry

and the WRTU54G.

==== the identity at the IKE level is different ====

A blackberry connects:

{{{looking for peer configs matching 213.95.46.137[%any]...83.236.178.202[1901700000000426@uma.mnc700.mcc901.3gppnetwork.org]}}}

i.e. it uses identity 213.95.46.137[%any] for the segw (left) side.

A nokia C7 connects:

{{{looking for peer configs matching 213.95.46.137[213.95.46.137]...213.174.104.231[1901700000000716@uma.mnc070.mcc901.3gppnetwork.org]}}}

i.e. it uses the identity 213.95.46.137[213.95.46.137] for the segw (left) side.

A workaround is currently not known.  It might help to add a {{{leftid}}} to ipsec.conf

=== Nokia 6301 ===

This phone seems to have only been sold to Orange UK, and thus only a hard-coded UMA/GAN SEGW and UNC are configured in it.

No matter which sim is inserted, it will always do a DNS lookup for singlephone.orange.co.uk and then establish an IKE session to the

resulting IP.  Interestingly, it is first trying to resolve AAAA (IPv6), which fails and is followed by a fall-back to IPv4.

Using a dns proxy it would of course be easy to return our own SEGW IP address to that host name.  However, without any means of

installing our own SEGW certificate (or signing CA certificate), it would never authenticate.

Anyone knowing information how to alter the UMA/GAN profiles in Nokia phones: Please let us know!