WRTU54G » History » Version 9
laforge, 02/19/2016 10:47 PM
correct openssl command
[[PageOutline]]

= Information on the WRTU54G UMA TA =

== Getting shell / console access ==

The easiest way is to flash a modified firmware image that removes the root password from the /etc/passwd file in the squashfs.

You can then access the serial console and log in as root without a password.

== Changing the SEGW / GANC address ==

On the shell of the device, change to the /nv directory and edit the two lines in rc.conf for UMA_SGW and UMA_UNC to:
{{{
UMA_SGW="my.segw.host.name"
UMA_UNC="my.unc.host.name"
}}}

Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system.

== Enabling more logging ==

In /nv/rc.conf:
{{{
LOG_ENABLE="1"
UMALOG_ENABLE="on"
UMA_LOG_SIZE="1"
}}}

Then, use the {{{rawaccess -a rc.conf}}} command to store the changes to flash and reboot the system.

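The rc.conf edits in the two sections above (UMA_SGW/UMA_UNC, the LOG_* variables, and the hostname="diag" trick used later on this page) are all of the form KEY="value". The following shell script is an added example, not code from the wiki page or from the device firmware: it sets or replaces such a line idempotently on a copy of the file, so the edit can be repeated without producing duplicate keys. The sample rc.conf it works on is constructed; storing the result to flash with {{{rawaccess -a rc.conf}}} on the device is a separate step it does not perform.

```shell
#!/bin/sh
# Added example: maintain KEY="value" lines in an rc.conf-style file.
# Not from the WRTU54G page; the rc.conf contents below are constructed.

# set_rcconf_var FILE KEY VALUE
# Rewrites the first existing KEY=... line, or appends KEY="VALUE" if absent.
set_rcconf_var() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$key=" "$file"; then
        # keep every other line, replace only the first matching KEY= line
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 && !done { print k "=\"" v "\""; done = 1; next }
            { print }
        ' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s="%s"\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_rcconf_var FILE KEY -> prints the unquoted value of KEY (empty if absent)
get_rcconf_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | head -n 1
}

# --- demo on a constructed rc.conf copy, not the device's real /nv/rc.conf ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
demo_rc="$demo_dir/rc.conf"
printf '%s\n' 'UMA_SGW="old.segw.example"' 'UMA_UNC="old.unc.example"' 'LOG_ENABLE="0"' > "$demo_rc"

set_rcconf_var "$demo_rc" UMA_SGW my.segw.host.name   # replaced in place
set_rcconf_var "$demo_rc" UMA_UNC my.unc.host.name    # replaced in place
set_rcconf_var "$demo_rc" LOG_ENABLE 1                # replaced in place
set_rcconf_var "$demo_rc" UMALOG_ENABLE on            # not present yet: appended
set_rcconf_var "$demo_rc" hostname diag               # appended; see "Enabling telnet"
cat "$demo_rc"
```

The replace-or-append logic matters on this device because rc.conf is parsed as a shell fragment: a second UMA_SGW= line would silently win over the first and the change you thought you had made would not take effect.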
== Adding a new CA Certificate ==

While modifying the firmware, add your new CA root certificate in DER format to /ramdisk_copy/etc/kineto/ and then add the filename
and path on a new line in /ramdisk_copy/etc/kineto/init_ike.cfg, like this:
{{{
ike ca /etc/kineto/my_new_ca.der
}}}

Furthermore, edit /etc/rc.d/init.d/umaset and /etc/rc.d/init.d/RJ11_recovery to each include a line like this:
{{{
echo "ike ca /etc/kineto/my_new_ca.der" >> $IKE_CONF
}}}

== Enabling telnet ==

Using the toolchain included in the Linksys WRTU54G GPL release, you can cross-compile utelnetd for a compatible uclibc:
{{{
./utelnetd-0.1.11 $ make CC=mipsel-linux-gcc
mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer -c -o utelnetd.o utelnetd.c
mipsel-linux-gcc -I. -pipe -DSHELLPATH=\"/bin/login\" -Wall -fomit-frame-pointer utelnetd.o -o utelnetd
strip --remove-section=.comment --remove-section=.note utelnetd
./utelnetd-0.1.11 $
}}}

You can then include this utelnetd binary in the squashfs image as /usr/sbin/utelnetd.

Furthermore, you have to edit /etc/rc.d/rc.proprietary and change the line
{{{
[ "`uname -ar | grep diag`" ] && /usr/sbin/utelnetd&
}}}
into
{{{
/usr/sbin/utelnetd&
}}}
to unconditionally start the telnet daemon at every boot. Alternatively, you can set
{{{
hostname="diag"
}}}
in /nv/rc.conf.

= Setting up a SEGW =

The SEGW needs to
 * allocate a virtual IP to the remote end from a local pool
 * use EAP-SIM to authenticate the peer, using triplets (IMSI/RAND/SRES/Kc)
 * authenticate itself using a certificate that has been signed by the CA certificate installed on the WRTU54G
 * provide at least one DNS server via IKEv2 attributes to the peer

== compiling strongswan ==

You can use strongswan-4.4.1 with the following compile-time configure options:
{{{
--enable-eap-radius --enable-eap-aka --enable-sqlite --enable-eap-sim --enable-eap-sim-file --enable-eap-simaka-sql
}}}

== strongswan configuration files ==

=== /etc/strongswan.conf ===

{{{
charon {
        threads = 16
        plugins {
                attr {
                        dns = 213.95.46.69
                }
        }
}

libhydra {
        plugins {
                attr-sql {
                        database = sqlite:///etc/ipsec.d/ipsec.db
                }
        }
}
}}}

=== /etc/ipsec.conf ===
{{{
config setup
        charonstart=yes
        plutostart=no
        charondebug="ike 2, knl 2, net 2, cfg 2"

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn uma-segw
        left=real.public.ip.of.segw
        leftsubnet=10.0.0.0/8
        leftcert=segw_cert.pem
        leftauth=pubkey
        rightauth=eap-sim
        right=%any
        rightsourceip=%hostpool
        rightsendcert=never
        auto=add
}}}

=== /etc/ipsec.d/triplets.dat ===

Populate this with SIM authentication triplets, one per line (identity derived from the IMSI, RAND, SRES, Kc):
{{{
1901700000000402@uma.mnc700.mcc901.3gppnetwork.org,00000000000000000000000000000000,11111111,2222222222222222
}}}

=== /etc/ipsec.secrets ===
{{{
: RSA /etc/ipsec.d/private/segw_key_raw.pem
}}}

=== /etc/ipsec.d/certs/segw_cert.pem ===
This is the PEM file of your certificate for the SEGW, using the FQDN as the CN.

=== /etc/ipsec.d/cacerts/my_ca.pem ===
This is the root certificate of the CA that has issued your segw_cert.pem.

=== /etc/ipsec.d/private/segw_key_raw.pem ===
This is the '''raw''' RSA private key for your segw_cert.pem, and is '''not PKCS8'''.

==== make sure your private key is not PKCS8 ====

The default CA.pl script of openssl generates private keys in PKCS8 format, which is not supported
by charon of OpenSWAN. You have to convert the PKCS8 key into a raw RSA key like this:
{{{
openssl rsa -in my_privatekey.pem -out my_privatekey_raw.pem
}}}

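Whether a PEM key is PKCS8 or a raw RSA key can be read off its first line: a raw (PKCS#1) key starts with {{{-----BEGIN RSA PRIVATE KEY-----}}}, a PKCS8 key with {{{-----BEGIN PRIVATE KEY-----}}} (or {{{-----BEGIN ENCRYPTED PRIVATE KEY-----}}}). The script below is an added example, not from the wiki page: it classifies a key by that header and runs the conversion command from above only when needed. The file names are examples; the header-only sample files it creates for the demo are constructed and contain no key material. One caveat not on the page: OpenSSL 3.x writes PKCS8 by default even from {{{openssl rsa}}}, and needs the {{{-traditional}}} option to emit a raw RSA key, so the function re-checks the output and retries with that option.

```shell
#!/bin/sh
# Added example, not from the WRTU54G page: detect PKCS8 vs raw RSA PEM keys
# and convert only when necessary. Sample files below are constructed headers.

# pem_key_kind FILE -> prints one of: rsa-raw, pkcs8, pkcs8-encrypted, unknown
pem_key_kind() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo rsa-raw ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                        echo unknown ;;
    esac
}

# ensure_raw_rsa IN OUT -> leaves a raw RSA key in OUT, converting if needed.
# Returns 1 if IN is not a PEM private key or the conversion did not produce
# a raw key. Requires openssl only in the conversion branch.
ensure_raw_rsa() {
    in=$1; out=$2
    case "$(pem_key_kind "$in")" in
        rsa-raw)
            cp "$in" "$out" ;;
        pkcs8|pkcs8-encrypted)
            # the conversion from the page (an encrypted key prompts for its passphrase)
            openssl rsa -in "$in" -out "$out" || return 1
            # OpenSSL 3.x still writes PKCS8 here; ask for the traditional format
            if [ "$(pem_key_kind "$out")" != rsa-raw ]; then
                openssl rsa -traditional -in "$in" -out "$out" || return 1
            fi
            [ "$(pem_key_kind "$out")" = rsa-raw ] ;;
        *)
            echo "ensure_raw_rsa: $in does not look like a PEM private key" >&2
            return 1 ;;
    esac
}

# --- demo: constructed header-only files (no real keys), classification only ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
k_pkcs8="$demo_dir/my_privatekey.pem"
k_raw="$demo_dir/my_privatekey_raw.pem"
k_enc="$demo_dir/my_privatekey_enc.pem"
k_cert="$demo_dir/segw_cert.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' '...' '-----END PRIVATE KEY-----' > "$k_pkcs8"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '...' '-----END RSA PRIVATE KEY-----' > "$k_raw"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' '...' '-----END ENCRYPTED PRIVATE KEY-----' > "$k_enc"
printf '%s\n' '-----BEGIN CERTIFICATE-----' '...' '-----END CERTIFICATE-----' > "$k_cert"

for f in "$k_pkcs8" "$k_raw" "$k_enc" "$k_cert"; do
    printf '%s: %s\n' "$(basename "$f")" "$(pem_key_kind "$f")"
done
```

Run {{{ensure_raw_rsa my_privatekey.pem my_privatekey_raw.pem}}} on the real key; if the result is still reported as pkcs8, charon will not load it and the {{{: RSA}}} line in ipsec.secrets fails at startup.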
== SEGW tweaks for specific phones ==

=== Nokia C7 ===

==== IMSI to EAP-SIM identity ====
The derivation of the EAP-SIM identity from the IMSI works slightly differently. If the IMSI starts with 9017000 then the Nokia will generate
1901700000000716@uma.'''mnc070'''.mcc901.3gppnetwork.org as opposed to the 1901700000000426@uma.'''mnc700'''.mcc901.3gppnetwork.org generated by the Blackberry
and the WRTU54G.

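The two identities above differ only in how many digits of the IMSI the phone treats as the MNC: three (700) on the Blackberry and WRTU54G, two (70, zero-padded to 070) on the Nokia C7. The script below is an added example, not from the wiki page or from strongswan: it derives the EAP-SIM permanent identity from an IMSI for either MNC length and builds a matching line for the /etc/ipsec.d/triplets.dat file described earlier, checking the GSM field sizes first. The realm layout (uma.mnc<MNC>.mcc<MCC>.3gppnetwork.org, MNC padded to three digits) and the leading "1" of an EAP-SIM permanent identity follow 3GPP TS 23.003 and RFC 4186; the triplet values in the demo are the page's own dummy values.

```shell
#!/bin/sh
# Added example, not from the WRTU54G page: EAP-SIM identity derivation and
# triplets.dat line construction. Demo values are the page's dummy triplet.

# eap_sim_identity IMSI MNC_LEN -> prints 1<IMSI>@uma.mnc<MNC>.mcc<MCC>.3gppnetwork.org
# MNC_LEN is 2 or 3; a 2-digit MNC is zero-padded to 3 digits in the realm.
eap_sim_identity() {
    imsi=$1; mnc_len=$2
    mcc=$(printf '%s' "$imsi" | cut -c1-3)
    case "$mnc_len" in
        2) mnc=0$(printf '%s' "$imsi" | cut -c4-5) ;;
        3) mnc=$(printf '%s' "$imsi" | cut -c4-6) ;;
        *) echo "eap_sim_identity: MNC length must be 2 or 3" >&2; return 1 ;;
    esac
    # leading "1" = EAP-SIM permanent identity (RFC 4186); "0" would be EAP-AKA
    printf '1%s@uma.mnc%s.mcc%s.3gppnetwork.org\n' "$imsi" "$mnc" "$mcc"
}

# is_hex VALUE NDIGITS -> succeeds if VALUE is exactly NDIGITS hex digits
is_hex() {
    printf '%s' "$1" | grep -Eq "^[0-9A-Fa-f]{$2}$"
}

# triplet_line IMSI MNC_LEN RAND SRES KC -> prints one triplets.dat line after
# checking GSM sizes: RAND 16 bytes, SRES 4 bytes, Kc 8 bytes (all as hex)
triplet_line() {
    is_hex "$3" 32 || { echo "triplet_line: RAND must be 32 hex digits" >&2; return 1; }
    is_hex "$4" 8  || { echo "triplet_line: SRES must be 8 hex digits" >&2; return 1; }
    is_hex "$5" 16 || { echo "triplet_line: Kc must be 16 hex digits" >&2; return 1; }
    id=$(eap_sim_identity "$1" "$2") || return 1
    printf '%s,%s,%s,%s\n' "$id" "$3" "$4" "$5"
}

# demo: the IMSIs shown on the page, with the two MNC-length interpretations
eap_sim_identity 901700000000426 3   # Blackberry / WRTU54G style: mnc700
eap_sim_identity 901700000000716 2   # Nokia C7 style: mnc070
# the page's dummy triplet, as it would be written to /etc/ipsec.d/triplets.dat
triplet_line 901700000000402 3 00000000000000000000000000000000 11111111 2222222222222222
```

Because the eap-sim-file plugin matches the identity string literally, a Nokia C7 needs its own triplets.dat entry with the mnc070 realm even when the same SIM also has an mnc700 entry for use in another device.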
==== the identity at the IKE level is different ====
A Blackberry connects:
{{{looking for peer configs matching 213.95.46.137[%any]...83.236.178.202[1901700000000426@uma.mnc700.mcc901.3gppnetwork.org]}}}
i.e. it uses the identity 213.95.46.137[%any] for the SEGW (left) side.

A Nokia C7 connects:
{{{looking for peer configs matching 213.95.46.137[213.95.46.137]...213.174.104.231[1901700000000716@uma.mnc070.mcc901.3gppnetwork.org]}}}
i.e. it uses the identity 213.95.46.137[213.95.46.137] for the SEGW (left) side.

A workaround is currently not known. It might help to add a {{{leftid}}} to ipsec.conf.

=== Nokia 6301 ===

This phone seems to have only been sold to Orange UK, and thus only a hard-coded UMA/GAN SEGW and UNC are configured in it.

No matter which SIM is inserted, it will always do a DNS lookup for singlephone.orange.co.uk and then establish an IKE session to the
resulting IP. Interestingly, it first tries to resolve AAAA (IPv6), which fails and is followed by a fall-back to IPv4.

Using a DNS proxy it would of course be easy to return our own SEGW IP address for that host name. However, without any means of
installing our own SEGW certificate (or signing CA certificate), it would never authenticate.

Anyone knowing how to alter the UMA/GAN profiles in Nokia phones: please let us know!