Initial commit

Oliver Smith 2022-09-06 12:58:45 +02:00
commit 4e59260c3f
14 changed files with 304 additions and 0 deletions

81
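--- a/gtp-ns.sh
+++ b/gtp-ns.sh
@@ -0,0 +1,81 @@
+#!/bin/sh -e
+# based on example from
+# https://www.slideshare.net/kentaroebisawa/using-gtp-on-linux-with-libgtpnl
+if [ "$(id -u)" != "0" ]; then
+echo "ERROR: run me as root!"
+exit 1
+fi
+set -x
+start() {
+set -e
+modprobe gtp
+echo -n 'module gtp +p' > /sys/kernel/debug/dynamic_debug/control
+ip link add veth1 type veth peer name veth2
+ip addr add 172.0.0.1/24 dev veth1
+ip link set veth1 up
+ip addr add 172.99.0.1/32 dev lo
+gtp-link add gtp1 > /tmp/log-gtp-link1 2>&1 &
+gtp-tunnel add gtp1 v1 200 100 172.99.0.2 172.0.0.2
+ip route add 172.99.0.2/32 dev gtp1
+ip netns add ns2
+ip link set veth2 netns ns2
+ip netns exec ns2 ip addr add 172.0.0.2/24 dev veth2
+ip netns exec ns2 ip link set veth2 up
+ip netns exec ns2 ip addr add 172.99.0.2/32 dev lo
+ip netns exec ns2 ip link set lo up
+ip netns exec ns2 gtp-link add gtp2 > /tmp/log-gtp-link2 2>&1 &
+ip netns exec ns2 gtp-tunnel add gtp2 v1 100 200 172.99.0.1 172.0.0.1
+ip netns exec ns2 ip route add 172.99.0.1/32 dev gtp2
+gtp-tunnel list
+ip netns exec ns2 gtp-tunnel list
+}
+stop() {
+set +e
+ip addr del 172.99.0.1/32 dev lo
+ip link set veth1 down
+ip addr del 172.0.0.1/24 dev veth1
+ip link del veth1
+killall gtp-tunnel
+killall gtp-link
+ip route del 172.99.0.2/32 dev gtp1
+gtp-tunnel delete gtp1 v1 200
+gtp-link del gtp1
+ip netns del ns2
+gtp-tunnel delete gtp2 v1 100
+gtp-link del gtp2
+modprobe -r gtp
+}
+stop
+set +x
+echo
+echo "--- start ---"
+echo
+set -x
+start
+tail -F /tmp/log-gtp-link1 /tmp/log-gtp-link2
+set +x
+echo
+echo "--- stop ---"
+echo
+set -x
+stop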
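Review bot: The final `stop` is only reached if `tail -F /tmp/log-gtp-link1 /tmp/log-gtp-link2` returns, which it never does on its own; when the script is interrupted with Ctrl-C the shell goes down together with tail and veth1, ns2, the two `gtp-link` processes and the `gtp` module are left in place until the next run. Registering the teardown once with `trap stop EXIT` after the function definitions would run it on normal exit as well as on interruption (how the EXIT trap behaves on SIGINT differs between dash and bash, so worth checking with the /bin/sh actually used). Separately, `killall gtp-tunnel` and `killall gtp-link` in `stop` signal every process of that name on the host, not just the two this script started; saving `$!` after each `gtp-link add ... &` and killing those PIDs keeps the cleanup scoped to this run. The log files `/tmp/log-gtp-link1` and `/tmp/log-gtp-link2` are fixed, world-known names written with `>` as root, so a pre-existing file or symlink at that path would be followed and overwritten; `mktemp` (or a path under `/run`) avoids that.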

24
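--- a/ipsec-gtp/README.md
+++ b/ipsec-gtp/README.md
@@ -0,0 +1,24 @@
+# ipsec-gtpu proof of concept
+WIP scripts/configs used while researching for osmo-epdg, see https://osmocom.org/projects/osmo-epdg/wiki/EPDG_implementation_plan
+| | Server | Client |
+|-------|----------|----------|
+| lan | 10.0.0.1 | 10.0.0.2 |
+| ipsec | 10.1.0.1 | 10.1.0.2 |
+| gtp | 10.2.0.1 | 10.2.0.2 |
+How to use:
+* deploy configs (`/etc/swanctl/swanctl.conf`)
+* server: copy server.network contents to /etc/systemd/network/
+* client: copy client.network contents to /etc/systemd/network/
+* client and server: start charon-systemd (debian: `systemctl start strongswan`)
+* client: run `swanctl --initiate --child home`
+* client: run `client.gtp.sh`
+* server: run `server.gtp.sh`
+The strongswan configs are somewhat based on
+[this example](https://www.strongswan.org/testing/testresults/ikev2/rw-psk-ipv4/index.html)
+and could be improved a lot, this is just a proof of concept.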

44
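--- a/ipsec-gtp/client.gtp.sh
+++ b/ipsec-gtp/client.gtp.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+if [ "$(id -u)" != "0" ]; then
+echo "ERROR: run me as root!"
+exit 1
+fi
+set -x
+start() {
+set -e
+ip addr add 10.2.0.2/32 dev lo
+gtp-link add gtp1 &
+sleep 0.5
+gtp-tunnel add gtp1 v1 100 200 10.2.0.1 10.1.0.1
+ip route add 10.2.0.1/32 dev gtp1
+gtp-tunnel list
+}
+stop() {
+set +e
+ip addr del 10.2.0.2/32 dev lo
+killall gtp-tunnel
+killall gtp-link
+ip route del 10.2.0.1/32 dev gtp1
+gtp-tunnel delete gtp1 v1 100
+gtp-link del gtp1
+}
+stop
+set +x
+echo
+echo "--- start ---"
+echo
+set -x
+start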
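Review bot: `sleep 0.5` after `gtp-link add gtp1 &` in `start` is a timing assumption rather than a check: `gtp-link` is still coming up when `gtp-tunnel add gtp1 ...` runs, and on a slow or loaded host that command and the following `ip route add ... dev gtp1` fail under `set -e` because the device is not there yet. Polling for the `gtp1` device with a bounded loop removes the race and fails with a clear message instead; the same pattern is in server.gtp.sh (`sleep 0.2`). Fractional `sleep` arguments are also not guaranteed by POSIX `sh`, though dash and GNU sleep accept them. Unlike gtp-ns.sh, `stop` is never invoked after `start` here, so the backgrounded `gtp-link` and the route stay in place until the script is run again; if that is intended, a one-line comment above the final `start` would say so.
```shell
start() {
# … unchanged: set -e, ip addr add …
gtp-link add gtp1 &
# wait for the gtp1 device instead of assuming it appears within 0.5s
tries=0
while ! ip link show gtp1 >/dev/null 2>&1; do
  tries=$((tries + 1))
  if [ "$tries" -ge 10 ]; then
    echo "ERROR: gtp1 did not appear" >&2
    exit 1
  fi
  sleep 1
done
gtp-tunnel add gtp1 v1 100 200 10.2.0.1 10.1.0.1
# … unchanged: ip route add, gtp-tunnel list …
```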


@ -0,0 +1,5 @@
[Match]
Name=enp1s0
[Network]
DHCP=yes


@ -0,0 +1,5 @@
[Match]
Name=enp2s0
[Network]
Address=10.0.0.2/24


@ -0,0 +1,3 @@
[NetDev]
Name=client0
Kind=tun


@ -0,0 +1,6 @@
[Match]
Name=client0
[Network]
Address=10.1.0.2/24
ConfigureWithoutCarrier=yes


@ -0,0 +1,36 @@
connections {
home {
local_addrs = 10.0.0.2
remote_addrs = 10.0.0.1
local {
auth = psk
id = 10.0.0.2
}
remote {
auth = pubkey
id = moon.strongswan.org
}
children {
home {
remote_ts = 10.1.0.0/16
updown = /usr/lib/ipsec/_updown iptables
# esp_proposals = aes128gcm128-x25519
esp_proposals = null-null
}
}
version = 2
# proposals = aes128-sha256-x25519
proposals = null-md5-prfmd5-null-ecp192
}
}
secrets {
ike-moon {
id = 10.0.0.2
secret = "Ar3etTnp01qlpOgb"
}
}
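Review bot: `proposals = null-md5-prfmd5-null-ecp192` and `esp_proposals = null-null` select the NULL cipher for both the IKE SA and the child SA (with MD5 integrity for IKE and, if strongSwan reads the second `null` as the integrity algorithm, no integrity check on ESP at all), so the GTP-U traffic carried over `10.1.0.0/16` crosses the `lan` link readable and modifiable; the README marks this as a proof of concept, and the commented-out `aes128-sha256-x25519` / `aes128gcm128-x25519` lines are the ones to re-enable outside a lab, ideally with a comment stating why null was picked (packet-capture debugging, presumably). The PSK `secret = "Ar3etTnp01qlpOgb"` is committed verbatim; keeping the `secrets` section in an untracked file pulled in with `include` and mentioning that in the README avoids the value being copied into other deployments. `id = moon.strongswan.org` together with `certs = moonCert.pem` looks like the identity from the strongSwan test suite that the linked example uses, and the private key of that certificate is published with the suite, so it authenticates nothing beyond this setup. The same proposals and the same secret appear in the server-side config at the end of this commit.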

44
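--- a/ipsec-gtp/server.gtp.sh
+++ b/ipsec-gtp/server.gtp.sh
@@ -0,0 +1,44 @@
+#!/bin/sh -e
+if [ "$(id -u)" != "0" ]; then
+echo "ERROR: run me as root!"
+exit 1
+fi
+set -x
+start() {
+set -e
+ip addr add 10.2.0.1/32 dev lo
+gtp-link add gtp1 &
+sleep 0.2
+gtp-tunnel add gtp1 v1 200 100 10.2.0.2 10.1.0.2
+ip route add 10.2.0.2/32 dev gtp1
+gtp-tunnel list
+}
+stop() {
+set +e
+ip addr del 10.2.0.1/32 dev lo
+killall gtp-tunnel
+killall gtp-link
+ip route del 10.2.0.2/32 dev gtp1
+gtp-tunnel delete gtp1 v1 200
+gtp-link del gtp1
+}
+stop
+set +x
+echo
+echo "--- start ---"
+echo
+set -x
+start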


@ -0,0 +1,5 @@
[Match]
Name=enp1s0
[Network]
DHCP=yes


@ -0,0 +1,5 @@
[Match]
Name=enp2s0
[Network]
Address=10.0.0.1/24


@ -0,0 +1,3 @@
[NetDev]
Name=server0
Kind=tun


@ -0,0 +1,6 @@
[Match]
Name=server0
[Network]
Address=10.1.0.1/24
ConfigureWithoutCarrier=yes


@ -0,0 +1,37 @@
connections {
rw {
local_addrs = 10.0.0.1
local {
auth = pubkey
certs = moonCert.pem
id = moon.strongswan.org
}
remote {
auth = psk
}
children {
net {
local_ts = 10.1.0.0/16
updown = /usr/lib/ipsec/_updown iptables
# esp_proposals = aes128gcm128-x25519
esp_proposals = null-null
}
}
version = 2
send_certreq = no
# proposals = aes128-sha256-x25519
proposals = null-md5-prfmd5-null-ecp192
}
}
secrets {
ike-carol {
id = 10.0.0.2
# id = carol@strongswan.org
secret = "Ar3etTnp01qlpOgb"
}
}