Customisation » History » Version 1
tsaitgaist, 10/07/2017 03:50 PM
add customisation and IPsec
| 1 | 1 | tsaitgaist | h1. Customisation |
|---|---|---|---|
| 2 | |||
| 3 | femtocell parts (see [[Partitions]]): |
||
| 4 | * the OS is in @kernel@ and @rootfs@ |
||
| 5 | * the radio applications are in @apps@. |
||
| 6 | * the operator network configuration is in @unidata@ |
||
| 7 | * the femtocell configuration is in @data@ |
||
| 8 | |||
| 9 | To access the operator network you have to configure the security gateway (SeGW) on the femtocell (it uses ipsec): |
||
| 10 | * the server certificate is in @cert/segw_ca.pem@ |
||
| 11 | * the client/femtocell certificate is in @cert/hnb.pem@ |
||
| 12 | * the hostname is either in the server certificate, the local configuration (see below), or hard coded in @/APP/bin/oamc_start@ (I'm not sure which one is used in which order) |
||
| 13 | |||
| 14 | The configuration is stored in SQLite database @/data/tr106.db@ and @/data/tr196.db@ (in table @Parameters@). |
||
| 15 | This should be settable remotely, once the femtocell connected to the operator's Home Management Server (HMS) behind the SeGW. |
||
| 16 | |||
| 17 | h1. IPsec |
||
| 18 | |||
| 19 | You need to configure ipsec (Strongswan) |
||
| 20 | |||
| 21 | * create own IPsec certificates (on local machine) |
||
| 22 | ** create CA |
||
| 23 | <pre> |
||
| 24 | ipsec pki --gen --type rsa --size 4096 --outform pem > /etc/ipsec.d/private/ca_key.pem |
||
| 25 | sudo ipsec pki --self --ca --lifetime 3650 --in /etc/ipsec.d/private/ca_key.pem --type rsa --dn "C = UK, O = Vodafone Group, CN = Vodafone" --outform pem > /etc/ipsec.d/certs/ca_cert.pem |
||
| 26 | </pre> |
||
| 27 | ** create server certificate |
||
| 28 | <pre> |
||
| 29 | ipsec pki --gen --type rsa --size 2048 --outform pem > server_key.pem |
||
| 30 | ipsec pki --pub --in server_key.pem --type rsa | ipsec pki --issue --lifetime 365 --cacert ca_cert.pem --cakey ca_key.pem --dn "C = UK, O = Vodafone Group, CN = Vodafone" --flag serverAuth --flag ikeIntermediate --outform pem > server_cert.pem |
||
| 31 | </pre> |
||
| 32 | ** copy ipsec certificate to femtocell |
||
| 33 | <pre> |
||
| 34 | scp -i /tmp/femto_id_rsa -o KexAlgorithms=diffie-hellman-group1-sha1 server_cert.pem root@192.168.23.120:/tmp/segw_ca.pem |
||
| 35 | </pre> |
||
| 36 | * on the femtocell (using original image, with root access): |
||
| 37 | ** stop ipsec (charon, from strongswan) before reconfiguring it |
||
| 38 | <pre> |
||
| 39 | killall starter |
||
| 40 | </pre> |
||
| 41 | ** copy watchdog trigger before unmounting the partition |
||
| 42 | <pre> |
||
| 43 | cp /APP/dev_only/wdretrigger.sh /tmp/wdretrigger.sh |
||
| 44 | </pre> |
||
| 45 | ** periodically kick dog |
||
| 46 | <pre> |
||
| 47 | /tmp/wdretrigger.sh & |
||
| 48 | sleep 10 |
||
| 49 | </pre> |
||
| 50 | ** stop monitor, monitor_start, oam_start, rnc_start |
||
| 51 | <pre> |
||
| 52 | /APP/dev_only/stop.sh |
||
| 53 | </pre> |
||
| 54 | ** prepare own APP folder |
||
| 55 | <pre> |
||
| 56 | umount /APP |
||
| 57 | mkdir /tmp/APP |
||
| 58 | mount /dev/mtdblock10 /tmp/APP |
||
| 59 | mount -t ramfs ramfs /APP |
||
| 60 | cp -r /tmp/APP/* /APP/ |
||
| 61 | rm /APP/cert |
||
| 62 | mkdir /APP/cert |
||
| 63 | cp /tmp/APP/cert/hnb.pem /APP/cert/ |
||
| 64 | cp /tmp/segw_ca.pem /APP/cert/ |
||
| 65 | </pre> |
||
| 66 | ** set date for certificate to be valid |
||
| 67 | <pre> |
||
| 68 | date -s 2017.07.25-15:00:00 |
||
| 69 | </pre> |
||
| 70 | |||
| 71 | You can see what is going on by reading the logs produces by these applications using @/sbin/logread -f@ |
