Bug #5868

closed

Create a proof-of-concept to forward traffic from IPsec into a GTP tunnel

Added by lynxis about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Start date: 01/21/2023
Due date:
% Done: 100%


Description

The UE's traffic (SIP/TCP/IP) arrives at the ePDG as IPsec traffic.
All the traffic from a single UE must be converted from IPsec encapsulation into GTP encapsulation.

As a prototype, a setup of a couple of VMs would be a good starting point:

- UE (IPsec client)
- EPDG (IPsec server, forwards traffic to a GTP tunnel)
- PGW (GTP tunnel endpoint)
- IMS (http, icmp, .. endpoint in this example)

The interesting part to test: can Linux be configured to decapsulate IPsec traffic and encapsulate it in GTP, and vice versa?

Further we will have multiple APNs/PGW connections, meaning multiple GTP interfaces.
If we can't connect the IPsec tunnel with a GTP tunnel directly (which I doubt), it would mean we have a lot of `ip rule`s on the machine.

Maybe we would have only a single `ip rule` for every APN.
Or we could use eBPF or XDP for it and only have lookup tables maintained by the user space?


Related issues

Related to osmo-ePDG - VoWifi Evolved Packet Data Gateway - Feature #5861: extend charon with external authentication interface (In Progress, lynxis, 01/17/2023)

#1

Updated by lynxis about 1 year ago

  • Status changed from New to In Progress
#2

Updated by lynxis about 1 year ago

  • Related to Feature #5861: extend charon with external authentication interface added
#3

Updated by lynxis about 1 year ago

  • Status changed from In Progress to Closed

The prototype works with rules to drop all IPsec traffic into the gtp interface and vice versa. There might be a problem when traffic from the gtp comes and the tunnel already got destroyed, but I would move this problem to the later stage.

Further, I've used EAP-AKA for the authentication (using hardcoded key/opc) and the ePDG authenticates itself via an x509 certificate to the user as recommended.
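
The "single `ip rule` for every APN" idea from the description, sketched as an added example (not code from this ticket or from osmo-ePDG). It assumes each APN hands out UE inner addresses from its own pool and already has its own GTP device; the APN names, device names, pools and table ids are constructed, and the fail-closed `unreachable` route is an addition of this example.

```shell
#!/bin/sh
# Added example: emit one `ip rule` per APN instead of one per UE.
# Assumptions (not from the issue): every APN assigns UE inner addresses
# from its own pool and has its own, already created, GTP device.

# Constructed sample table: APN name, GTP device, UE pool, routing table id.
APN_TABLE='ims gtp0 10.45.0.0/24 100
internet gtp1 10.46.0.0/24 101'

# Accept only table ids that are free to use: 253-255 are the kernel's
# default/main/local tables and 220 is strongSwan's default routing table.
valid_table() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 252 ] && [ "$1" -ne 220 ]
}

# Print the commands for one APN: <apn> <gtp-dev> <ue-pool> <table>
apn_rules() {
    valid_table "$4" || { echo "bad table id '$4' for APN $1" >&2; return 1; }
    # Uplink: decapsulated IPsec traffic sourced from this APN's pool
    # is looked up in the APN's own routing table ...
    echo "ip rule add from $3 lookup $4 priority $4"
    # ... whose preferred default route is the APN's GTP device.
    echo "ip route replace default dev $2 table $4 metric 10"
    # Fail closed: if the GTP device (and with it the route above) goes
    # away, reject the traffic instead of falling through to the main table.
    echo "ip route replace unreachable default table $4 metric 1000"
}

# Print the commands for every APN in a table read from stdin.
all_rules() {
    while read -r apn dev pool table; do
        [ -n "$apn" ] || continue
        apn_rules "$apn" "$dev" "$pool" "$table" || return 1
    done
}

# Dry run only: nothing is applied, the commands are printed for review.
printf '%s\n' "$APN_TABLE" | all_rules
```

The number of rules grows with the number of APNs, not with the number of UEs; the per-UE state stays in the IPsec SAs and the GTP PDP contexts.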

#4

Updated by lynxis about 1 year ago

  • % Done changed from 0 to 100