Customisation » History » Version 1
tsaitgaist, 10/07/2017 03:50 PM
add customisation and IPsec
h1. Customisation

Femtocell parts (see [[Partitions]]):
* the OS is in @kernel@ and @rootfs@
* the radio applications are in @apps@
* the operator network configuration is in @unidata@
* the femtocell configuration is in @data@

To access the operator network you have to configure the security gateway (SeGW) on the femtocell (it uses IPsec):
* the server certificate is in @cert/segw_ca.pem@
* the client/femtocell certificate is in @cert/hnb.pem@
* the hostname is either in the server certificate, the local configuration (see below), or hard coded in @/APP/bin/oamc_start@ (I'm not sure which one is used in which order)

The configuration is stored in the SQLite databases @/data/tr106.db@ and @/data/tr196.db@ (in table @Parameters@).
This should be settable remotely, once the femtocell has connected to the operator's Home Management Server (HMS) behind the SeGW.

h1. IPsec

You need to configure IPsec (strongSwan).

* create your own IPsec certificates (on the local machine)
** create the CA
<pre>
# ipsec pki itself does not need root, but writing to /etc/ipsec.d/ does, and sudo does not apply to the shell's redirection, hence sh -c
sudo sh -c 'ipsec pki --gen --type rsa --size 4096 --outform pem > /etc/ipsec.d/private/ca_key.pem'
sudo sh -c 'ipsec pki --self --ca --lifetime 3650 --in /etc/ipsec.d/private/ca_key.pem --type rsa --dn "C = UK, O = Vodafone Group, CN = Vodafone" --outform pem > /etc/ipsec.d/certs/ca_cert.pem'
</pre>
** create the server certificate
<pre>
ipsec pki --gen --type rsa --size 2048 --outform pem > server_key.pem
# issue the server certificate with the CA created above (sudo is needed to read the CA key)
ipsec pki --pub --in server_key.pem --type rsa | sudo ipsec pki --issue --lifetime 365 --cacert /etc/ipsec.d/certs/ca_cert.pem --cakey /etc/ipsec.d/private/ca_key.pem --dn "C = UK, O = Vodafone Group, CN = Vodafone" --flag serverAuth --flag ikeIntermediate --outform pem > server_cert.pem
</pre>
** copy the IPsec certificate to the femtocell (it expects the server certificate under the name @segw_ca.pem@)
<pre>
# /tmp/femto_id_rsa is the SSH key giving root access; the legacy key exchange is what the femtocell's old SSH server supports
scp -i /tmp/femto_id_rsa -o KexAlgorithms=diffie-hellman-group1-sha1 server_cert.pem root@192.168.23.120:/tmp/segw_ca.pem
</pre>
* on the femtocell (using the original image, with root access):
** stop IPsec (charon, the strongSwan daemon) before reconfiguring it
<pre>
killall starter
</pre>
** copy the watchdog trigger script before unmounting the partition it lives on
<pre>
cp /APP/dev_only/wdretrigger.sh /tmp/wdretrigger.sh
</pre>
** periodically kick the watchdog
<pre>
/tmp/wdretrigger.sh &
sleep 10
</pre>
** stop monitor, monitor_start, oam_start and rnc_start
<pre>
/APP/dev_only/stop.sh
</pre>
** prepare your own APP folder
<pre>
umount /APP
mkdir /tmp/APP
mount /dev/mtdblock10 /tmp/APP          # the partition that was just unmounted from /APP
mount -t ramfs ramfs /APP               # replace /APP with a writable copy in RAM
cp -r /tmp/APP/* /APP/
rm -r /APP/cert                         # replace the certificate directory with our own (-r: it is a directory after cp -r)
mkdir /APP/cert
cp /tmp/APP/cert/hnb.pem /APP/cert/     # keep the femtocell's own certificate
cp /tmp/segw_ca.pem /APP/cert/          # use the server certificate copied over above
</pre>
** set the date so that the certificate is valid
<pre>
date -s 2017.07.25-15:00:00             # BusyBox date format YYYY.MM.DD-hh:mm:ss; pick a time inside the certificate's validity period
</pre>

You can see what is going on by reading the logs produced by these applications with @/sbin/logread -f@.