WRTU54G » History » Version 11
ahuemer, 02/19/2016 10:48 PM
typo
{{>toc}}

h1. Information on the WRTU54G UMA TA

h2. Getting shell / console access

The easiest part is to flash a modified firmware image that removes the root password from the /etc/passwd file in the squashfs.

You can then access the serial console and log in as root without password.
h2. Changing the SEGW / GANC address

On the shell of the device, change to the /nv directory and edit the two lines in rc.conf for UMA_SGW and UMA_UNC to:

<pre>
UMA_SGW="my.segw.host.name"
UMA_UNC="my.unc.host.name"
</pre>
h2. Enabling more logging

In /nv/rc.conf:

<pre>
LOG_ENABLE="1"
UMALOG_ENABLE="on"
UMA_LOG_SIZE="1"
</pre>
h2. Adding a new CA Certificate

While modifying the firmware, add your new CA root certificate in DER format to /ramdisk_copy/etc/kineto/ and then add the filename and path into a new line in /ramdisk_copy/etc/kineto/init_ike.cfg, like this:

<pre>
ike ca /etc/kineto/my_new_ca.der
</pre>

Furthermore, edit /etc/rc.d/init.d/umaset and /etc/rc.d/init.d/RJ11_recovery to each include a line like this:

<pre>
echo "ike ca /etc/kineto/my_new_ca.der" >> $IKE_CONF
</pre>
h2. Enabling telnet

Using the toolchain included in the Linksys WRTU54G GPL release, you can cross-compile utelnetd for a compatible uclibc:

<pre>
./utelnetd-0.1.11 $ make CC=mipsel-linux-gcc
mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer -c -o utelnetd.o utelnetd.c
mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer utelnetd.o -o utelnetd
strip --remove-section=.comment --remove-section=.note utelnetd
./utelnetd-0.1.11 $
</pre>

You can then include this utelnetd binary in the squashfs image as /usr/sbin/utelnetd.

Furthermore, you have to edit /etc/rc.d/rc.proprietary and change the line

<pre>
[ "`uname -ar | grep diag`" ] && /usr/sbin/utelnetd&
</pre>

into

<pre>
/usr/sbin/utelnetd&
</pre>

to unconditionally start the telnet daemon at every boot. Alternatively, you can set

<pre>
hostname="diag"
</pre>

in /nv/rc.conf.
h1. Setting up a SEGW

The SEGW needs to

* allocate a virtual IP to the remote end from a local pool
* use EAP-SIM to authenticate the peer, using tuples (IMSI/RAND/SRES/Kc)
* authenticate itself using a certificate that has been signed by the CA certificate installed on the WRTU54G
* provide at least one DNS server via IKEv2 attributes to the peer
h2. compiling strongswan

You can use strongswan-4.4.1 with the following compile-time configure options:

<pre>
--enable-eap-radius --enable-eap-aka --enable-sqlite --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-sql
</pre>
h2. strongswan configuration files

h3. /etc/strongswan.conf

<pre>
charon {
    threads = 16
    plugins {
        attr {
            dns = 213.95.46.69
        }
    }
}

libhydra {
    plugins {
        attr-sql {
            database = sqlite:///etc/ipsec.d/ipsec.db
        }
    }
}
</pre>
h3. /etc/ipsec.conf

<pre>
config setup
    charonstart=yes
    plutostart=no
    charondebug="ike 2, knl 2, net 2, cfg 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2

conn uma-segw
    left=real.public.ip.of.segw
    leftsubnet=10.0.0.0/8
    leftcert=segw_cert.pem
    leftauth=pubkey
    rightauth=eap-sim
    right=%any
    rightsourceip=%hostpool
    rightsendcert=never
    auto=add
</pre>
h3. /etc/ipsec.d/triplets.dat

Populate this with SIM authentication triplets like this (EAP-SIM identity derived from the IMSI, then RAND, SRES, Kc):

<pre>
1901700000000402@uma.mnc700.mcc901.3gppnetwork.org,00000000000000000000000000000000,11111111,2222222222222222
</pre>
h3. /etc/ipsec.secrets

<pre>
: RSA /etc/ipsec.d/private/segw_key_raw.pem
</pre>

h3. /etc/ipsec.d/certs/segw_cert.pem

This is the PEM file of your certificate for the SEGW, with the FQDN as its CN.

h3. /etc/ipsec.d/cacerts/my_ca.pem

This is the CA root certificate of the CA that has issued your segw_cert.pem.
h3. /etc/ipsec.d/private/segw_key_raw.pem

This is the *raw* RSA private key for your segw_cert.pem, and is *not PKCS8*.

h4. make sure your private key is not PKCS8

The default CA.pl script of openssl generates private keys in PKCS8 format, which is not supported by charon of [[OpenSWAN]]. You have to convert the PKCS8 key into a raw RSA key like this:

<pre>
openssl rsa -in my_privatekey.pem -out my_privatekey_raw.pem
</pre>
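Before pointing ipsec.secrets at a key file it helps to know which format it is actually in, since the PEM label alone can be misleading. This is an added check, not part of the wiki or of strongSwan: it cross-checks the PEM label against the DER structure, where both PKCS#1 RSAPrivateKey and PKCS#8 PrivateKeyInfo open with an INTEGER version 0, but PKCS#1 continues with the INTEGER modulus while PKCS#8 continues with an AlgorithmIdentifier SEQUENCE. The sample DER blobs are constructed skeletons with that outer structure, not usable keys.

```python
# Added check (not from the wiki): tell a raw PKCS#1 RSA key from a PKCS#8
# key by DER structure, not just by PEM label. Standard library only.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _der_len(buf: bytes, pos: int):
    """Decode the DER length starting at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def classify_der_key(der: bytes) -> str:
    """'pkcs1' for RSAPrivateKey, 'pkcs8' for PrivateKeyInfo, else 'unknown'."""
    if len(der) < 6 or der[0] != 0x30:          # outer SEQUENCE
        return "unknown"
    _, pos = _der_len(der, 1)
    if der[pos:pos + 3] != b"\x02\x01\x00":      # INTEGER version = 0 in both formats
        return "unknown"
    nxt = der[pos + 3]                           # tag of the element after version
    return {0x02: "pkcs1", 0x30: "pkcs8"}.get(nxt, "unknown")

def classify_pem_key(pem: str) -> str:
    """Cross-check the PEM label against the DER structure; flag mismatches."""
    m = PEM_RE.search(pem)
    if not m:
        return "not-pem"
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        return "pkcs8-encrypted"                 # openssl rsa would prompt for the passphrase
    kind = classify_der_key(base64.b64decode("".join(body.split())))
    expected = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}.get(label)
    return kind if kind == expected else f"mismatch:{label}:{kind}"

def sample_pem(label: str, der: bytes) -> str:
    """PEM-armour a DER blob (used for the constructed samples below)."""
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"

# Constructed DER skeletons: correct outer structure only, not usable keys.
PKCS1_SAMPLE = bytes.fromhex("3009020100020103020105")                  # SEQ{ver 0, n, e}
PKCS8_SAMPLE = bytes.fromhex("3012020100300d06092a864886f70d0101010500")  # SEQ{ver 0, AlgId rsaEncryption}
```

A result of "pkcs8" or "mismatch:..." means the file still needs the openssl rsa conversion shown above before charon will load it.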
h2. SEGW tweaks for specific phones

h3. Nokia C7

h4. IMSI to EAP-SIM identity

The derivation of the EAP-SIM identity from the IMSI works slightly differently. If the IMSI starts with 9017000, then Nokia will generate 1901700000000716@uma.*mnc070*.mcc901.3gppnetwork.org as opposed to the 1901700000000426@uma.*mnc700*.mcc901.3gppnetwork.org generated by the Blackberry and the WRTU54G.
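As an added example that is not part of this wiki page, the following Python derives the EAP-SIM permanent identity the SEGW will see from an IMSI, reproducing both the WRTU54G/Blackberry form (three MNC digits) and the Nokia C7 form (two MNC digits, zero-padded) described above, and builds and validates /etc/ipsec.d/triplets.dat lines in the format shown in the strongSwan section. The identity layout and the RAND/SRES/Kc lengths come from this page; the function names and the sample values are assumptions.

```python
# Added example (not from the wiki): EAP-SIM identity derivation and
# triplets.dat line handling for the identity format shown on this page.
import re

REALM_SUFFIX = ".3gppnetwork.org"


def eap_sim_identity(imsi: str, mnc_digits: int = 3) -> str:
    """Permanent EAP-SIM identity: "1" + IMSI + "@uma.mncXXX.mccYYY" + realm suffix."""
    if not re.fullmatch(r"\d{15}", imsi):
        raise ValueError("IMSI must be 15 decimal digits")
    if mnc_digits not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    mcc = imsi[:3]
    # WRTU54G/Blackberry take three MNC digits; the Nokia C7 takes two and
    # zero-pads them, which is why it yields mnc070 instead of mnc700.
    mnc = imsi[3:3 + mnc_digits].zfill(3)
    return f"1{imsi}@uma.mnc{mnc}.mcc{mcc}{REALM_SUFFIX}"


def triplet_line(imsi: str, rand: str, sres: str, kc: str, mnc_digits: int = 3) -> str:
    """Format one triplets.dat line: identity,RAND(16 bytes),SRES(4),Kc(8) as hex."""
    for name, value, nbytes in (("RAND", rand, 16), ("SRES", sres, 4), ("Kc", kc, 8)):
        if not re.fullmatch(rf"[0-9a-fA-F]{{{2 * nbytes}}}", value):
            raise ValueError(f"{name} must be {nbytes} bytes of hex")
    return ",".join((eap_sim_identity(imsi, mnc_digits), rand, sres, kc))


def parse_triplet_line(line: str) -> dict:
    """Split a triplets.dat line back into its fields and recover the IMSI."""
    identity, rand, sres, kc = line.strip().split(",")
    user, realm = identity.split("@")
    if not user.startswith("1") or not re.fullmatch(r"uma\.mnc\d{3}\.mcc\d{3}" + re.escape(REALM_SUFFIX), realm):
        raise ValueError(f"unexpected identity {identity!r}")
    return {"imsi": user[1:], "realm": realm, "rand": rand, "sres": sres, "kc": kc}


if __name__ == "__main__":
    # Constructed sample values (all-zero RAND etc., as in the wiki example line).
    line = triplet_line("901700000000402", "00" * 16, "11111111", "22" * 8)
    print(line)
    print(eap_sim_identity("901700000000716", mnc_digits=2))
```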
h4. the identity at the IKE level is different

A blackberry connects:

<pre>
</pre>

i.e. it uses identity 213.95.46.137[%any] for the segw (left) side.

A nokia C7 connects:

<pre>
</pre>

i.e. it uses the identity 213.95.46.137[213.95.46.137] for the segw (left) side.
h3. Nokia 6301

This phone seems to have only been sold to Orange UK, and thus only a hard-coded UMA/GAN SEGW and UNC are configured in it.

No matter which SIM is inserted, it will always do a DNS lookup for singlephone.orange.co.uk and then establish an IKE session to the resulting IP. Interestingly, it first tries to resolve AAAA (IPv6), which fails and is followed by a fall-back to IPv4.

Using a DNS proxy it would of course be easy to return our own SEGW IP address for that host name. However, without any means of installing our own SEGW certificate (or signing CA certificate), it would never authenticate.

Anyone knowing how to alter the UMA/GAN profiles in Nokia phones: please let us know!