Commit Graph

56 Commits

Author SHA1 Message Date
Alexander Couzens 14ce58cb1e epdg: fix UE to UE traffic
UE to UE traffic, when both UEs are connected via the same ePDG,
couldn't send traffic to each other because of xfrm policies.
The firewall on the ePDG was catching this traffic because it tried to
shortcut without passing the P-GW.

Use fwmark for both directions and mark them also in strongswan, which
will configure it in the xfrm policies.

Related: OS#6435
2024-07-04 14:00:53 +02:00
Alexander Couzens 392cc4cdc0 epdg: add comment 2024-06-24 18:02:16 +02:00
Alexander Couzens b8dbf5bc36 epdg: add comments 2024-06-24 18:02:16 +02:00
Alexander Couzens 42f7aff4a4 epdg: move xfrm ipsec traffic configuration into own directory
In preparation to also support xfrm interface configuration.
2024-06-24 18:02:16 +02:00
Alexander Couzens 3ad797e9ab epdg: set mark_out flag 2024-06-24 18:02:16 +02:00
Alexander Couzens 5dd9e42257 epdg: nftables: mark traffic from gtp towards ipsec via fwmark
Ensure also traffic from the gtp tunnel is only going towards ipsec.
2024-06-24 18:02:16 +02:00
Alexander Couzens c5b30a190b ims: scscf: enable and require authentication 2024-06-24 18:02:16 +02:00
Alexander Couzens ee596d3a28 ims: pcscf: allow to use TCP
Some phones will use UDP while others support TCP.
Enable TCP between UE and P-CSCF
2024-06-24 18:02:16 +02:00
Alexander Couzens 5e7eb4f22d ims: scscf: use ims_auth parameters from herlesupreeth/docker_open5gs 2024-06-24 18:02:16 +02:00
Alexander Couzens c6c45ddd36 ims: pcscf: set max ipsec connection to 50 2024-06-24 18:02:16 +02:00
Alexander Couzens 56de84abcf ims: icscf: don't modify remote user when routing
The icscf should just use the same remote user as it comes from the phone.
2024-06-24 18:02:16 +02:00
Alexander Couzens 7f5ce5fed4 ims: use consistent bind ips 2024-06-24 18:02:16 +02:00
Alexander Couzens b8ba627dca ims: use consistent hostname and diameter fqdn based on mcc/mnc 2024-06-24 18:02:16 +02:00
Alexander Couzens b7bc47cf72 ims: use mcc/mnc from vars 2024-06-24 18:02:16 +02:00
Alexander Couzens ee54e77af6 epc: use templates for hss/pcrf/smf freediameter configurations
Whole templates make sure everything is consistent instead of using
lineinfile which only supports small modifications.
2024-06-24 18:02:16 +02:00
Alexander Couzens 9fd971cc38 vars: add mcc/mnc 2024-06-24 18:02:16 +02:00
Alexander Couzens 72076e2a5e epdg: add support to define the diameter realm 2024-06-24 18:02:16 +02:00
Alexander Couzens 422ef32527 epdg: change template escaping osmo-epdg/local.config
The at symbol will overlap when adding diameter realm to it.
2024-06-24 18:02:16 +02:00
Alexander Couzens cdcdc62716 strongswan: clean up swanctl.config 2024-06-24 18:02:16 +02:00
Alexander Couzens 84a1b6545b epc: add IMS peers to hss diameter configuration 2024-06-24 18:02:16 +02:00
Alexander Couzens fae026a88f ims: kamailio.service: run it as root
The p_cscf requires to be run as root because kamailio
needs to set up ESP tunnels via netlink.
2024-06-24 18:02:16 +02:00
Alexander Couzens a11e71ded8 common: install tcpdump 2024-06-24 18:02:16 +02:00
Alexander Couzens 3ca3ed26b5 ims: fix ethernet device for the new vm 2024-06-24 17:22:54 +02:00
Alexander Couzens 84b34a3c9b ims: fix hosts entries of the hss 2024-02-29 23:04:31 +01:00
Pau Espin 8fb15af2ba cosmetic: configure-open5gs.yml: Fix trailing whitespace 2024-02-26 17:36:21 +01:00
Pau Espin cff12a2166 epc: Configure P-CSCF IPv4 address in open5gs-smfd 2024-02-26 17:33:02 +01:00
Pau Espin fa5e147d4a Install osmo-epdg.service and start it at boot 2024-02-19 21:07:43 +01:00
Pau Espin 2a762b69ac Enable IP forwarding in epdg host 2024-02-19 20:20:29 +01:00
Pau Espin 7d62176b1f Set up nft ipsec rules 2024-02-19 20:10:59 +01:00
Pau Espin 4121ef6686 Enable and start strongswan.service 2024-02-19 20:04:22 +01:00
Pau Espin 9f2e23b889 ifudpwn_epdg.j2: Use ansible variable for gtp0 iface name 2024-02-19 18:47:53 +01:00
Alexander Couzens 73398e548a epc: open5gs: overwrite 2024-02-19 17:08:39 +01:00
Pau Espin 76c96ed6f1 Add epdg ifupdown specific traffic rules 2024-02-16 14:52:12 +01:00
Pau Espin b37def7d7c Update epdg local.config with gtp_u_kmod support 2024-02-16 03:11:49 +01:00
Alexander Couzens c0b80fc1df epdg: ipsec: set local_ts to 2024-02-15 19:33:28 +01:00
Alexander Couzens d5daf7d2f6 roles/epdg: fix installing libgtpnl-dev/libgtpnl-tools
Install it into epdg, not epc.
2024-02-15 17:44:52 +01:00
Alexander Couzens 0f09f96693 Revert "roles/epc: install libgtpnl-dev/libgtpnl-tools"
This reverts commit 239e55a7bf.
It should be on epdg, not epc.
2024-02-15 17:44:43 +01:00
Alexander Couzens 239e55a7bf roles/epc: install libgtpnl-dev/libgtpnl-tools 2024-02-15 17:34:37 +01:00
Alexander Couzens 13d8923c88 Add a minimal 2024-02-08 20:53:07 +01:00
Alexander Couzens df538dbce3 epdg: strongswan: eap-aka: don't request the identity
The identity is already known by IDr/IDi values.
Improve compatibility with certain clients.
2024-02-08 20:46:47 +01:00
Alexander Couzens 74b9e9dfcc license under MIT 2024-02-08 20:39:37 +01:00
Alexander Couzens 5eef1f56a5 epdg: use correct ips in the configuration 2024-02-08 20:38:31 +01:00
Alexander Couzens a6a1d27dc2 epc: correct configure all open5gs components 2024-02-08 20:38:08 +01:00
Alexander Couzens 45a09d4488 epc: download & install open5gs-dbctl 2024-02-08 20:37:13 +01:00
Alexander Couzens f8f470a4d7 epdg: strongswan: set proposals to allow SWu-IKEv2 to connect 2024-02-08 20:36:32 +01:00
Alexander Couzens c614b99af6 epdg: add missing default epdg_s6b_bind_port to 3868 2024-02-08 17:58:32 +01:00
Alexander Couzens e7d2ba60ea roles/common: install tmux & screen 2024-02-08 17:56:03 +01:00
Alexander Couzens 4c98b913c2 add network configuration 2024-02-08 17:41:13 +01:00
Alexander Couzens c306d0002f add authorized_keys to the playbooks 2024-02-08 17:41:13 +01:00
Alexander Couzens 645b6b98c0 add role authorized_keys 2024-02-08 17:06:31 +01:00