Project

General

Profile

Actions

Bug #6114

closed

connect a real phone to the epdg to test strongswan ipsec configuration

Added by lynxis 7 months ago. Updated 5 days ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
-
Start date:
07/24/2023
Due date:
% Done:

100%


Description

- Provision a simcard using a phone which supports VoiceOverWifi. (there might be allow list for voice over wifi)
- Overwrite the DNS to route traffic to the strongswan
- See how far the traffic flows (no real SIP server at this point).

Actions #1

Updated by lynxis 3 months ago

  • Status changed from New to In Progress
Actions #2

Updated by lynxis 3 months ago

  • Assignee set to lynxis

used mcc/mnc: 901/70.

My Pixel 6 (android 14, samsung baseband) with the current graphene os version direct connects to the epdg
epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org and also opens a IPsec tunnel.

My Pixel 3a (android 12, qualcomm baseband) does the dns request, but later don't try to connect to it.

I've tried to set the carrier permission on both phones using a carrier permissions app (with correct signature). My phones don't have a mobile network to connect.

Trying to look into the log by:
`adb logcat -b radio` didn't helped much further.

# pixel3a
# adb logcat -b radion | grep -i -E '(WFC|wifi)'
11-23 19:10:16.505 21331 21331 D Phone   : isWifiCallingEnabled =false
11-23 19:10:16.505 21331 21331 D CSST    : isPhoneRegisteredForWifiCalling: false
11-23 19:10:16.505 21331 21331 D Phone   : isWifiCallingEnabled =false
11-23 19:10:17.216  2381  2381 E GRIL-WifiExt: unknown wifi status code: 4
11-23 19:10:29.002 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:29.005 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:30.093 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:30.098 21331 21461 D ImsManagerIM [0]: updateWfcFeatureAndProvisionedValues: available = true, enabled = false, mode = 2, provisioned = true, roaming = false, isFeatureOn = false
11-23 19:10:30.140 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:30.143 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:31.018 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:31.022 21331 21461 D ImsManagerIM [0]: updateWfcFeatureAndProvisionedValues: available = true, enabled = true, mode = 2, provisioned = true, roaming = false, isFeatureOn = true
11-23 19:10:31.030 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:31.032 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:31.059 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:31.060 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:33.197 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:34.556 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:34.557 21331 21461 D ImsManagerIM [0]: setWfcMode(i,b) - setting=0
11-23 19:10:41.203 21331 21331 D Phone   : isWifiCallingEnabled =false
11-23 19:10:41.203 21331 21331 D CSST    : isPhoneRegisteredForWifiCalling: false
11-23 19:10:41.203 21331 21331 D Phone   : isWifiCallingEnabled =false
Actions #3

Updated by lynxis 3 months ago

I've used a black sysmocom card SJA2 and changed the android fingerprint to match the application.

Actions #4

Updated by laforge 3 months ago

according to a recent phone conversatoin with an unnamed contact of mine, many commercial
phones actually attempt to open a connection to the ePDG over the default bearer of the 4G/5G network

Not sure if that helps here, just found it curious enough to mention it.

Actions #5

Updated by lynxis 3 months ago

  • % Done changed from 0 to 60

First the ipsec/strongswan must be trusted by the phone.
We have two possibilities:
- eap_only / mutual auth
- auth by tls/certificate

To trust the certificate, the phone must have the CA in its trust anchor. I don't know if this is possible with my test phone.

strongswan always send its own certificate, because it was configured to auth itself using the cert.
By removing the certificate from the local auth, I've managed to get the "EAP_ONLY" working.

The pixel is able to setup an ipsec tunnel. However since I neither offer DNS nor P-CSCF, the phones seems unhappy with the ipsec tunnel and closes it.
The phone also might discard the tunnel because it doesn't offer a ChildSA with a 0.0.0.0/0 route.

Next step would be sending DNS and P-CSCF as configuration option.

Actions #6

Updated by laforge 3 months ago

On Fri, Dec 08, 2023 at 02:26:29AM +0000, lynxis wrote:

To trust the certificate, the phone must have the CA in its trust anchor. I don't know if this is possible with my test phone.

the question is whether there's a separate certificate store for the IMS IPsec or not. If not, then we should just be able to generate a Let's Encrypt certificate matching the DNS hostname, right? Or does the cert need some additional voodoo in it?

Actions #7

Updated by lynxis 3 months ago

laforge wrote in #note-6:

On Fri, Dec 08, 2023 at 02:26:29AM +0000, lynxis wrote:

To trust the certificate, the phone must have the CA in its trust anchor. I don't know if this is possible with my test phone.

the question is whether there's a separate certificate store for the IMS IPsec or not. If not, then we should just be able to generate a Let's Encrypt certificate matching the DNS hostname, right? Or does the cert need some additional voodoo in it?

The current hostname is epdg.epc.mnc070.mcc901.pub.3gppnetwork.org.
I don't know if/how it is possible to change the ePDG DNS. If it is possible to change it, Let's Encrypt should good enough.
Adding Certs to the store might also work.
There isn't additional vpodoo in the cert..

Since the phone accepts EAP_ONLY/eap-aka as authentication of the ePDG, I would skip investigating the certificate for now.

Actions #8

Updated by laforge 3 months ago

On Fri, Dec 08, 2023 at 09:33:19AM +0000, lynxis wrote:

the question is whether there's a separate certificate store for the IMS IPsec or not. If not, then we should just be able to generate a Let's Encrypt certificate matching the DNS hostname, right? Or does the cert need some additional voodoo in it?

The current hostname is epdg.epc.mnc070.mcc901.pub.3gppnetwork.org.

ah, my bad. of course that's difficult :)

I don't know if/how it is possible to change the ePDG DNS. If it is possible to change it, Let's Encrypt should good enough.

There are related files on the sim card which allow you to override the ePDG hostname. EF.ePDGId and
EF.ePDGSelection. pysim provides support for encoding/decoding EF.ePDGId. Of course we don't know if your UE
software actually checks that file.

Since the phone accepts EAP_ONLY/eap-aka as authentication of the ePDG, I would skip investigating the certificate for now.

fine.

Actions #9

Updated by lynxis 5 days ago

I'm currently testing with a Pixel 7a / samsung baseband / shannon baseband.
(Not yet 100%, but it is a little bit weird, it looks after boot I need to insert a simcard with a matching profile and then change it to custom simcard).

We have now a trace with IKEv2 decryption keys.
So our current strongswan configuration works.

To summarize pixel 7a Configuration requests:
- INTERNAL_IPV4_ADDRESS
- INTERNAL_IPV4_NETMASK
- INTERNAL_IPV4_DNS
- P_CSCF_IP4_ADDRESS
- APPLICATION_VERSION

Further it adds a Notify
- EAP_ONLY_AUTH
- MOBIKE
- INITIAL_CONTACT
- P-N1_MODE_CAPABILITY

Actions #10

Updated by lynxis 5 days ago

  • Status changed from In Progress to Closed
  • % Done changed from 60 to 100
Actions #11

Updated by lynxis 5 days ago

The phone is also doing a SIP Register against the P-CSCF. So far not yet a success, but that is a problem on the IMS network side.

Actions

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)