Revision 6 (laforge, 02/19/2016 10:47 PM) → Revision 7/11 (laforge, 02/19/2016 10:47 PM)

[[PageOutline]] 
 = Information on the WRTU54G UMA TA = 

 == Getting shell / console access == 

 The easiest way is to flash a modified firmware image in which the root password has been removed from the /etc/passwd file inside the squashfs. 
 
 You can then attach to the serial console and log in as root without a password. 

 == Changing the SEGW / GANC address == 

 On the shell of the device, change to the /nv directory and edit the two lines in rc.conf for UMA_SGW (the SEGW) and UMA_UNC (the GANC/UNC) to: 
 {{{ 
 UMA_SGW="my.segw.host.name" 
 UMA_UNC="my.unc.host.name" 
 }}} 

 Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system. 

 == Enabling more logging == 

 In /nv/rc.conf: 
 {{{ 
 LOG_ENABLE="1" 
 UMALOG_ENABLE="on" 
 UMA_LOG_SIZE="1" 
 }}} 

 Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system. 
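 The following script, added here as an example and not part of this page or the device firmware, wraps the rc.conf edits of this section and the previous one into one shell helper: it rewrites an existing KEY="value" line in place or appends the assignment when the key is missing, so the same function serves UMA_SGW/UMA_UNC and the three logging switches. The hostnames, file path and function names are assumptions; {{{rawaccess -a rc.conf}}} and the reboot stay manual steps. 

```sh
#!/bin/sh
# Added example, not part of this page or the device firmware: set or add a
# KEY="value" assignment in a rc.conf-style file. Assumes one KEY="value" per
# line, as in the snippets above, and that values contain no '|' or '&'.
# On the device: set_rc_var /nv/rc.conf UMA_SGW my.segw.host.name, then run
# 'rawaccess -a rc.conf' to commit the file to flash and reboot.

set_rc_var() { # set_rc_var FILE KEY VALUE
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -q "^${key}=" "$file" 2>/dev/null; then
        # Key present: rewrite that line in place ('|' is the sed delimiter,
        # so hostnames with dots and slashes pass through untouched).
        sed "s|^${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp"
    else
        # Key absent: keep the existing contents and append the assignment.
        { if [ -f "$file" ]; then cat "$file"; fi
          printf '%s="%s"\n' "$key" "$value"; } > "$tmp"
    fi
    mv "$tmp" "$file"
}

get_rc_var() { # get_rc_var FILE KEY -> value with surrounding quotes removed
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2)
                                 gsub(/^"|"$/, "", v); print v; exit }' "$1"
}

# Apply every rc.conf change this page asks for in one go: SEGW and GANC
# hostnames (assumed names) plus the three logging switches.
configure_uma() { # configure_uma FILE SEGW_HOST UNC_HOST
    set_rc_var "$1" UMA_SGW "$2"
    set_rc_var "$1" UMA_UNC "$3"
    set_rc_var "$1" LOG_ENABLE 1
    set_rc_var "$1" UMALOG_ENABLE on
    set_rc_var "$1" UMA_LOG_SIZE 1
}
```

 Run {{{get_rc_var /nv/rc.conf UMA_SGW}}} after the reboot to confirm the value survived the {{{rawaccess}}} write; an unchanged value means the change never reached flash. 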

 == Adding a new CA Certificate == 

 While modifying the firmware, add your new CA root certificate in DER format to /ramdisk_copy/etc/kineto/ and then add its path 
 as a new line in /ramdisk_copy/etc/kineto/init_ike.cfg, like this: 
 {{{ 
 ike ca /etc/kineto/my_new_ca.der 
 }}} 

 Furthermore, edit /etc/rc.d/init.d/umaset and /etc/rc.d/init.d/RJ11_recovery to each include a line like this: 
 {{{ 
 echo "ike ca /etc/kineto/my_new_ca.der" >> $IKE_CONF 
 }}} 

 == Enabling telnet == 

 Using the toolchain included in the Linksys WRTU54G GPL release, you can cross-compile utelnetd against the matching uClibc: 
 {{{ 
 ./utelnetd-0.1.11 $ make CC=mipsel-linux-gcc 
 mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer     -c -o utelnetd.o utelnetd.c 
 mipsel-linux-gcc    -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer utelnetd.o    -o utelnetd 
 strip    --remove-section=.comment --remove-section=.note utelnetd 
 ./utelnetd-0.1.11 $ 
 }}} 

 You can then include this utelnetd binary in the squashfs image as /usr/sbin/utelnetd. 

 Furthermore, you have to edit /etc/rc.d/rc.proprietary and change the line 
 {{{ 
 [ "`uname -ar | grep diag`" ] && /usr/sbin/utelnetd& 
 }}} 
 into 
 {{{ 
 /usr/sbin/utelnetd& 
 }}} 
 to start the telnet daemon unconditionally at every boot. Alternatively, you can set 
 {{{ 
 hostname="diag" 
 }}} 
 in /nv/rc.conf, which makes the existing check succeed because the hostname appears in the output of uname -a. 
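 The script below, added as an example and not taken from this page or the Linksys firmware, applies the three firmware modifications described above (root password removal, extra CA certificate, unconditional utelnetd start) to an already extracted squashfs root tree. It assumes the tree has been unpacked to a directory, that the CA file is already DER-encoded, and that the paths are the ones named on this page; unpacking, repacking and flashing the image are outside the script. 

```sh
#!/bin/sh
# Added example, not from this page or the Linksys firmware: apply the three
# firmware modifications described above to an already extracted squashfs
# root tree. Assumptions: ROOTDIR is the unpacked root filesystem (the
# squashfs unpacking, repacking and flashing happen outside this script),
# root's password hash lives in /etc/passwd as the page states, and the CA
# file is already DER-encoded.

# 1. Getting shell access: blank root's password field so the serial console
#    login accepts root without a password. Only the 'root' line changes.
strip_root_password() { # strip_root_password ROOTDIR
    pw="$1/etc/passwd"
    awk -F: 'BEGIN { OFS = ":" } $1 == "root" { $2 = "" } { print }' "$pw" > "$pw.new"
    mv "$pw.new" "$pw"
}

# 2. Adding a CA certificate: copy the DER file next to the IKE config and
#    register it in init_ike.cfg and in the two init scripts that rebuild the
#    IKE configuration ($IKE_CONF is the scripts' own variable, kept literal).
install_ike_ca() { # install_ike_ca ROOTDIR CA.der
    root=$1
    name=$(basename "$2")
    kineto="$root/ramdisk_copy/etc/kineto"
    mkdir -p "$kineto"
    cp "$2" "$kineto/$name"
    echo "ike ca /etc/kineto/$name" >> "$kineto/init_ike.cfg"
    for script in etc/rc.d/init.d/umaset etc/rc.d/init.d/RJ11_recovery; do
        printf 'echo "ike ca /etc/kineto/%s" >> $IKE_CONF\n' "$name" >> "$root/$script"
    done
}

# 3. Enabling telnet: install the cross-compiled utelnetd and replace the
#    'diag'-conditional start in rc.proprietary with an unconditional one.
enable_telnet() { # enable_telnet ROOTDIR UTELNETD_BINARY
    root=$1
    cp "$2" "$root/usr/sbin/utelnetd"
    chmod 755 "$root/usr/sbin/utelnetd"
    rc="$root/etc/rc.d/rc.proprietary"
    sed '/uname.*grep diag.*utelnetd/s#.*#/usr/sbin/utelnetd \&#' "$rc" > "$rc.new"
    mv "$rc.new" "$rc"
}
```

 If your CA certificate is PEM-encoded, convert it first with {{{openssl x509 -in my_ca.pem -outform DER -out my_new_ca.der}}}. Keep in mind that a root login without a password and an always-on telnet daemon make the device trivially accessible to anyone on its LAN; do this on a lab unit, not on a box exposed to untrusted networks. 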

 = Setting up a SEGW = 

 The SEGW needs to 
  * allocate a virtual IP to the remote end from a local pool 
  * use EAP-SIM to authenticate the peer, using tuples (IMSI/RAND/SRES/Kc) 
  * authenticate itself using a certificate that has been signed by the CA certificate installed on the WRTU54G 
  * provide at least one DNS server via IKEv2 attributes to the peer 

 == compiling strongswan == 

 You can use strongswan 4.4.1 with the following compile-time configure options: 
 {{{ 
 --enable-eap-radius --enable-eap-aka --enable-sqlite --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-sql 
 }}} 

 == strongswan configuration files == 

 === /etc/strongswan.conf === 

 {{{ 
 charon { 
         threads = 16 
         plugins { 
                 attr { 
                         dns = 213.95.46.69 
                 } 
         } 
 } 

 libhydra { 
   plugins { 
     attr-sql { 
       database = sqlite:///etc/ipsec.d/ipsec.db 
     } 
   } 
 } 
 }}} 

 === /etc/ipsec.conf === 
 {{{ 
 config setup 
         charonstart=yes 
         plutostart=no 
         charondebug="ike 2, knl 2, net 2, cfg 2" 

 conn %default 
         ikelifetime=60m 
         keylife=20m 
         rekeymargin=3m 
         keyingtries=1 
         keyexchange=ikev2 

 conn uma-segw 
         left=real.public.ip.of.segw 
         leftsubnet=10.0.0.0/8 
         leftcert=segw_cert.pem 
         leftauth=pubkey 
         rightauth=eap-sim 
         right=%any 
         rightsourceip=%hostpool 
         rightsendcert=never 
         auto=add 
 }}} 

 === /etc/ipsec.d/triplets.dat === 

 Populate this with SIM authentication triplets like this (identity derived from the IMSI, then RAND, SRES and Kc as hex): 
 {{{ 
 1901700000000402@uma.mnc700.mcc901.3gppnetwork.org,00000000000000000000000000000000,11111111,2222222222222222 
 }}} 
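 As an added example (not part of this page or of strongSwan), the helper below builds a triplets.dat line from an IMSI, the MCC/MNC and one GSM triplet, and checks the field lengths (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes) before anything is written, plus a checker for an existing file. The identity is "1" followed by the IMSI at the UMA realm uma.mnc<MNC>.mcc<MCC>.3gppnetwork.org exactly as the page's line shows it, with the MNC passed as the page spells it; the function names are assumptions. 

```sh
#!/bin/sh
# Added example, not part of this page or strongSwan: build and validate
# triplets.dat lines for the eap-sim-file plugin. Field widths: RAND is
# 16 bytes (32 hex digits), SRES 4 bytes (8 hex digits), Kc 8 bytes (16 hex
# digits). The realm format follows the page's own example line.

is_hex() { # is_hex STRING LENGTH -> 0 if STRING is exactly LENGTH hex digits
    case "$1" in *[!0-9a-fA-F]*|"") return 1 ;; esac
    [ "${#1}" -eq "$2" ]
}

uma_identity() { # uma_identity IMSI MCC MNC -> EAP-SIM permanent identity
    printf '1%s@uma.mnc%s.mcc%s.3gppnetwork.org\n' "$1" "$3" "$2"
}

triplet_line() { # triplet_line IMSI MCC MNC RAND SRES Kc
    imsi=$1; mcc=$2; mnc=$3; rand=$4; sres=$5; kc=$6
    case "$imsi" in *[!0-9]*|"") echo "bad IMSI: $imsi" >&2; return 1 ;; esac
    is_hex "$rand" 32 || { echo "RAND must be 32 hex digits" >&2; return 1; }
    is_hex "$sres" 8  || { echo "SRES must be 8 hex digits" >&2; return 1; }
    is_hex "$kc" 16   || { echo "Kc must be 16 hex digits" >&2; return 1; }
    printf '%s,%s,%s,%s\n' "$(uma_identity "$imsi" "$mcc" "$mnc")" "$rand" "$sres" "$kc"
}

check_triplets_file() { # check_triplets_file FILE -> 0 if every line is well-formed
    status=0
    while IFS=, read -r id rand sres kc; do
        case "$id" in
            1*@uma.mnc*.mcc*.3gppnetwork.org) ;;
            *) echo "bad identity: $id" >&2; status=1 ;;
        esac
        is_hex "$rand" 32 && is_hex "$sres" 8 && is_hex "$kc" 16 \
            || { echo "bad triplet for $id" >&2; status=1; }
    done < "$1"
    return $status
}
```

 The all-zero RAND and constant SRES/Kc in the page's example are test values; for a real SIM the triplets come from the operator's HLR/AuC and should be generated fresh rather than reused, since a captured RAND/SRES pair is exactly what an attacker needs to replay the EAP-SIM exchange. 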

 === /etc/ipsec.secrets === 
 {{{ 
 : RSA /etc/ipsec.d/private/segw_key_raw.pem 
 }}} 

 === /etc/ipsec.d/certs/segw_cert.pem === 
 This is the PEM file of the SEGW certificate, with the CN set to the FQDN of the SEGW (the name configured as UMA_SGW on the device). 

 === /etc/ipsec.d/cacerts/my_ca.pem === 
 This is the CA root certificate of the CA that has issued your segw_cert.pem 

 === /etc/ipsec.d/private/segw_key_raw.pem === 
 This is the '''raw''' RSA private key for your segw_cert.pem, and is '''not PKCS8'''. 

 ==== make sure your private key is not PKCS#8 ==== 

 The default CA.pl script of openssl generates private keys in PKCS#8 format, which is not supported 
 by charon, the strongSwan IKEv2 daemon, in this version. You have to convert the PKCS#8 key into a raw RSA key like this: 
 {{{ 
 openssl pkcs8 -nocrypt < my_privatekey.pem > my_privatekey_raw.pem 
 }}}
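 The helper below is an added example, not part of this page: it tells the two PEM encodings apart by their header line (an unencrypted PKCS#8 key starts with "BEGIN PRIVATE KEY", a raw RSA key with "BEGIN RSA PRIVATE KEY") and only runs the page's openssl conversion when the key really is PKCS#8, refusing encrypted PKCS#8 and non-key files instead of producing an empty output file. Function names are assumptions. 

```sh
#!/bin/sh
# Added example (not from this page): detect the PEM private-key encoding by
# its header and convert to the traditional RSA encoding only when needed.
# "BEGIN PRIVATE KEY" = unencrypted PKCS#8, "BEGIN RSA PRIVATE KEY" = raw RSA
# (what charon in this strongSwan version reads from ipsec.secrets).

key_format() { # key_format FILE -> pkcs8 | rsa | pkcs8-encrypted | unknown
    if grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
    elif grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo rsa
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
    else echo unknown
    fi
}

ensure_raw_rsa_key() { # ensure_raw_rsa_key IN.pem OUT.pem
    case "$(key_format "$1")" in
        rsa)
            cp "$1" "$2" ;;                        # already raw: copy as-is
        pkcs8)
            # The page's command: without -topk8, openssl pkcs8 reads PKCS#8
            # and writes the traditional (raw RSA) encoding.
            openssl pkcs8 -nocrypt < "$1" > "$2" ;;
        pkcs8-encrypted)
            echo "$1: encrypted PKCS#8, strip the passphrase first" >&2; return 1 ;;
        *)
            echo "$1: not a PEM private key" >&2; return 1 ;;
    esac
    chmod 600 "$2"   # the SEGW's identity key; keep it unreadable to others
}
```

 After converting, {{{openssl rsa -in /etc/ipsec.d/private/segw_key_raw.pem -check -noout}}} confirms the raw key parses, and {{{ipsec rereadsecrets}}} (or a restart) makes charon pick it up. 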