Bug #6114
connect a real phone to the epdg to test strongswan ipsec configuration
Status: closed (100% done)
Description
- Provision a simcard using a phone which supports VoiceOverWifi. (there might be an allow list for voice over wifi)
- Overwrite the DNS to route traffic to the strongswan
- See how far the traffic flows (no real SIP server at this point).
Updated by lynxis 6 months ago
- Assignee set to lynxis
used mcc/mnc: 901/70.
My Pixel 6 (android 14, samsung baseband) with the current graphene os version directly connects to the epdg epdg.epc.mnc<MNC>.mcc<MCC>.pub.3gppnetwork.org and also opens an IPsec tunnel.
My Pixel 3a (android 12, qualcomm baseband) does the dns request, but later doesn't try to connect to it.
I've tried to set the carrier permission on both phones using a carrier permissions app (with correct signature). My phones don't have a mobile network to connect.
Trying to look into the log with `adb logcat -b radio` didn't help much further.
```
# pixel3a
# adb logcat -b radio | grep -i -E '(WFC|wifi)'
11-23 19:10:16.505 21331 21331 D Phone : isWifiCallingEnabled =false
11-23 19:10:16.505 21331 21331 D CSST : isPhoneRegisteredForWifiCalling: false
11-23 19:10:16.505 21331 21331 D Phone : isWifiCallingEnabled =false
11-23 19:10:17.216 2381 2381 E GRIL-WifiExt: unknown wifi status code: 4
11-23 19:10:29.002 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:29.005 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:30.093 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:30.098 21331 21461 D ImsManagerIM [0]: updateWfcFeatureAndProvisionedValues: available = true, enabled = false, mode = 2, provisioned = true, roaming = false, isFeatureOn = false
11-23 19:10:30.140 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:30.143 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:31.018 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:31.022 21331 21461 D ImsManagerIM [0]: updateWfcFeatureAndProvisionedValues: available = true, enabled = true, mode = 2, provisioned = true, roaming = false, isFeatureOn = true
11-23 19:10:31.030 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:31.032 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:31.059 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:31.060 21331 21461 D ImsManagerIM [0]: getWfcMode (roaming) - setting=0
11-23 19:10:33.197 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:34.556 21331 21461 D ImsManagerIM [0]: getWfcMode - setting=2
11-23 19:10:34.557 21331 21461 D ImsManagerIM [0]: setWfcMode(i,b) - setting=0
11-23 19:10:41.203 21331 21331 D Phone : isWifiCallingEnabled =false
11-23 19:10:41.203 21331 21331 D CSST : isPhoneRegisteredForWifiCalling: false
11-23 19:10:41.203 21331 21331 D Phone : isWifiCallingEnabled =false
```
Updated by lynxis 5 months ago
- % Done changed from 0 to 60
First the ipsec/strongswan must be trusted by the phone.
We have two possibilities:
- eap_only / mutual auth
- auth by tls/certificate
To trust the certificate, the phone must have the CA in its trust anchor. I don't know if this is possible with my test phone.
strongswan always sends its own certificate, because it was configured to auth itself using the cert.
By removing the certificate from the local auth, I've managed to get the "EAP_ONLY" working.
The pixel is able to set up an ipsec tunnel. However, since I neither offer DNS nor P-CSCF, the phone seems unhappy with the ipsec tunnel and closes it.
The phone also might discard the tunnel because it doesn't offer a ChildSA with a 0.0.0.0/0 route.
Next step would be sending DNS and P-CSCF as configuration options.
Updated by laforge 5 months ago
On Fri, Dec 08, 2023 at 02:26:29AM +0000, lynxis wrote:
> To trust the certificate, the phone must have the CA in its trust anchor. I don't know if this is possible with my test phone.
the question is whether there's a separate certificate store for the IMS IPsec or not. If not, then we should just be able to generate a Let's Encrypt certificate matching the DNS hostname, right? Or does the cert need some additional voodoo in it?
Updated by lynxis 5 months ago
laforge wrote in #note-6:
> On Fri, Dec 08, 2023 at 02:26:29AM +0000, lynxis wrote:
>> To trust the certificate, the phone must have the CA in its trust anchor. I don't know if this is possible with my test phone.
> the question is whether there's a separate certificate store for the IMS IPsec or not. If not, then we should just be able to generate a Let's Encrypt certificate matching the DNS hostname, right? Or does the cert need some additional voodoo in it?
The current hostname is epdg.epc.mnc070.mcc901.pub.3gppnetwork.org.
I don't know if/how it is possible to change the ePDG DNS. If it is possible to change it, Let's Encrypt should be good enough.
Adding certs to the store might also work.
There isn't additional voodoo in the cert.
Since the phone accepts EAP_ONLY/eap-aka as authentication of the ePDG, I would skip investigating the certificate for now.
Updated by laforge 5 months ago
On Fri, Dec 08, 2023 at 09:33:19AM +0000, lynxis wrote:
>> the question is whether there's a separate certificate store for the IMS IPsec or not. If not, then we should just be able to generate a Let's Encrypt certificate matching the DNS hostname, right? Or does the cert need some additional voodoo in it?
> The current hostname is epdg.epc.mnc070.mcc901.pub.3gppnetwork.org.
ah, my bad. of course that's difficult :)
> I don't know if/how it is possible to change the ePDG DNS. If it is possible to change it, Let's Encrypt should be good enough.
There are related files on the sim card which allow you to override the ePDG hostname. EF.ePDGId and
EF.ePDGSelection. pysim provides support for encoding/decoding EF.ePDGId. Of course we don't know if your UE
software actually checks that file.
> Since the phone accepts EAP_ONLY/eap-aka as authentication of the ePDG, I would skip investigating the certificate for now.
fine.
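Added example (not from the thread, and not pySim's own code): deriving the operator-identifier ePDG FQDN from the MCC/MNC used above and packing an override address into the EF.ePDGId TLV. The layout (tag 0x80, address-type byte 0 = FQDN, 1 = IPv4, 2 = IPv6) is an assumption based on 3GPP TS 31.102, and the function names are illustrative.

```python
import ipaddress

# Assumed EF.ePDGId layout (3GPP TS 31.102): tag 0x80, length, type, address.
TAG_EPDG_ID = 0x80
ADDR_FQDN, ADDR_IPV4, ADDR_IPV6 = 0x00, 0x01, 0x02

def epdg_fqdn(mcc, mnc):
    """Operator-identifier ePDG FQDN; the MNC is zero-padded to 3 digits."""
    if not (mcc.isdigit() and len(mcc) == 3):
        raise ValueError("MCC must be exactly 3 digits")
    if not (mnc.isdigit() and len(mnc) in (2, 3)):
        raise ValueError("MNC must be 2 or 3 digits")
    return f"epdg.epc.mnc{mnc.zfill(3)}.mcc{mcc}.pub.3gppnetwork.org"

def encode_epdg_id(address, file_size=None):
    """Build the TLV for an FQDN or IP literal, 0xFF-padded to file_size."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        kind, value = ADDR_FQDN, address.encode("ascii")
    else:
        kind = ADDR_IPV4 if ip.version == 4 else ADDR_IPV6
        value = ip.packed
    body = bytes([kind]) + value
    if len(body) > 127:
        raise ValueError("address too long for a one-byte TLV length")
    tlv = bytes([TAG_EPDG_ID, len(body)]) + body
    if file_size is not None:
        if len(tlv) > file_size:
            raise ValueError("TLV does not fit into the file")
        tlv += b"\xff" * (file_size - len(tlv))
    return tlv

def decode_epdg_id(raw):
    """Return (address type, address) from file content, ignoring padding."""
    if len(raw) < 3 or raw[0] != TAG_EPDG_ID:
        raise ValueError("not an ePDG Identifier TLV")
    body = raw[2:2 + raw[1]]
    if raw[1] < 2 or len(body) != raw[1]:
        raise ValueError("truncated or empty ePDG Identifier")
    kind, value = body[0], body[1:]
    if kind == ADDR_FQDN:
        return "FQDN", value.decode("ascii")
    if kind == ADDR_IPV4 and len(value) == 4:
        return "IPv4", str(ipaddress.IPv4Address(value))
    if kind == ADDR_IPV6 and len(value) == 16:
        return "IPv6", str(ipaddress.IPv6Address(value))
    raise ValueError("unknown address type or bad address length")
```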
Updated by lynxis 3 months ago
I'm currently testing with a Pixel 7a / samsung baseband / shannon baseband.
(Not yet 100%, but it is a little bit weird, it looks like after boot I need to insert a simcard with a matching profile and then change it to the custom simcard).
We now have a trace with IKEv2 decryption keys.
So our current strongswan configuration works.
To summarize pixel 7a Configuration requests:
- INTERNAL_IPV4_ADDRESS
- INTERNAL_IPV4_NETMASK
- INTERNAL_IPV4_DNS
- P_CSCF_IP4_ADDRESS
- APPLICATION_VERSION
Further it adds a Notify
- EAP_ONLY_AUTH
- MOBIKE
- INITIAL_CONTACT
- P-N1_MODE_CAPABILITY
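Added example (not part of the thread, and not strongswan code): a parser for the IKEv2 Configuration payload attributes listed above, plus a CFG_REPLY builder that reports which requested attributes stay unanswered, the situation in which the phone closed the tunnel earlier. Attribute names and numbers follow RFC 7296 and RFC 7651; the request bytes and the 192.0.2.0/24 addresses are constructed.

```python
import ipaddress
import struct

# Attribute type numbers: RFC 7296 section 3.15.1 and RFC 7651 (P-CSCF).
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
              3: "INTERNAL_IP4_DNS", 7: "APPLICATION_VERSION",
              20: "P_CSCF_IP4_ADDRESS"}
CFG_REQUEST, CFG_REPLY = 1, 2

def attr(typ, value=b""):
    """One attribute: reserved bit + 15-bit type, 16-bit length, value."""
    return struct.pack("!HH", typ & 0x7FFF, len(value)) + value

def parse_cp(body):
    """Parse a Configuration payload body (after the generic payload header)."""
    if len(body) < 4:
        raise ValueError("CP body shorter than CFG type + reserved bytes")
    cfg_type, attrs, off = body[0], [], 4
    while off < len(body):
        if len(body) - off < 4:
            raise ValueError("truncated attribute header")
        typ, length = struct.unpack_from("!HH", body, off)
        off += 4
        if off + length > len(body):
            raise ValueError("attribute value runs past payload end")
        attrs.append((typ & 0x7FFF, body[off:off + length]))
        off += length
    return cfg_type, attrs

def build_reply(request_body, offer):
    """Answer each requested type we hold values for; name the rest."""
    cfg_type, requested = parse_cp(request_body)
    if cfg_type != CFG_REQUEST:
        raise ValueError("not a CFG_REQUEST")
    reply, unanswered = struct.pack("!B3x", CFG_REPLY), []
    for typ in dict.fromkeys(t for t, _ in requested):  # dedupe, keep order
        values = offer.get(typ, [])
        if not values:
            unanswered.append(ATTR_NAMES.get(typ, str(typ)))
        reply += b"".join(attr(typ, v) for v in values)
    return reply, unanswered

def ip4(text):
    return ipaddress.IPv4Address(text).packed

# Constructed request with the five attributes the Pixel 7a asked for.
SAMPLE_REQUEST = struct.pack("!B3x", CFG_REQUEST) + b"".join(
    attr(t) for t in (1, 2, 3, 20, 7))
# Constructed values from the 192.0.2.0/24 documentation range.
SAMPLE_OFFER = {1: [ip4("192.0.2.10")], 2: [ip4("255.255.255.255")],
                3: [ip4("192.0.2.53")], 20: [ip4("192.0.2.80")]}
```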