Unable to convert ipsec addr4 [] #35
In the pcap capture it's replied to the UE "503 Service Unavailable (Create ipsec failed)".
I believe the IMS REGISTER is sent using an IPv6 address rather than IPv4. And, I don't think IPv6 is supported.
I disabled IPv6 on the OS system and tried again, but no success, still giving me that 503 Create ipsec failed. Kamailio logs: But I changed authentication on HSS to Digest-AKAv1(3GPP) and Digest-MD5(FOKUS); in the PCAP it gives me below and just stuck on it. I tried again android and nokia.
This will not help. Rather, when the UE attaches to the network you allocate only an IPv4 IP. If you are using open5gs you can set the IP type as IPv4 in the WebUI. This way you probably won't see this issue.
On Wed, Nov 29, 2023 at 02:12:50AM -0800, mrgogoa4 wrote:
> Nov 29 17:24:53 ims kamailio[421553]: 104(421553) ERROR: ims_ipsec_pcscf [ipsec.c:582]: clean_sa(): Error sending delete SAs command via netlink socket: No data available
are you sure your kernel supports kernel IPsec (ESP) and the associated netlink interface? You could try to
use a netlink monitor to see what's happening in detail. Something like `ip xfrm monitor` should dump you all kernel-ipsec related netlink messages.
--
- Harald Welte <***@***.***> https://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
A common configuration problem when IPsec doesn't work is to execute kamailio with non-root permissions, so the IPsec SA establishment fails.
I've tried rebuilding the deployment several times with no success. Tried it on Docker as well. I feel like I have no other choice. Are there any cases where IPsec won't work because of that?
I don't think eNB supporting QoS or not has any effect on IPSec. Can you describe your setup? Which OS are you using? Kernel version? Are you using a virtualbox/VMWare etc.?
I'm using the KVM virtualization on top of its Ubuntu 20.04 (Focal Fossa) as the first environment, and another one is also running on the VM which is also Ubuntu 22.04 (Jammy Jellyfish) on the KVM virtualization, as I'm using docker-compose to deploy IMS. But the docker image is also ubuntu:focal. Ubuntu 22 kernel: Linux imsdoc 5.15.0-78-generic #85-Ubuntu SMP Fri Jul 7 15:25:09 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
On the docker deployment I got the below logs; the IPsec is listening on the socket, but on the Ubuntu 20 I got nothing there in the logs like this: pcscf | 0(39) INFO: ims_ipsec_pcscf [ims_ipsec_pcscf_mod.c:268]: mod_init(): Successfully bound to PCSCF Usrloc module
The logs above with docker deployment look good. You can ignore those ERRORS in the logs as they are just trying to clean your SAs when the list of SAs is empty (i.e. no UE using IPSec has connected yet).
Please attach the packet capture to analyse the issue.
Can you elaborate on what you mean by this? If you disable IPSec on P-CSCF that does not guarantee that the UE won't use IPSec. If the UE has SIP header
I mean I commented the #!define WITH_IPSEC to disable the IPsec feature of the IMS in pcscf.cfg configuration and tried to register with android and nokia, which is successful. I attached my pcap.
Sorry, I wrote the wrong information here. In my test environment, the primary physical server operating system is Centos 7 (Core). I will replace it with Ubuntu and try again and share the results.
Now my test environment is Proxmox on a dell physical server, on top of it it's Ubuntu 22.04.3 LTS (Jammy Jellyfish), and I deployed IMS with docker compose. I tried to register android to my test IMS and now it's getting me below: 101(151) NOTICE: <script>: PCSCF: REGISTER sip:ims.mnc033.mcc428.3gppnetwork.org (sip:[email protected] (10.129.1.86:1024) to sip:[email protected], [email protected])
I enabled the debug mode and now it looks like IPsec is working with android UE on this host: {"log":"\u001b[0;39;49m\u001b[0;39;49m\u001b[0;39;49m67(104) DEBUG: \u003ccore\u003e [core/sr_module.c:778]: init_mod_child(): idx 67 rank 67: ims_ipsec_pcscf [udp receiver child=2 sock=172.22.0.9:6107]\n","stream":"stderr","time":"2024-01-02T04:10:39.123378703Z"}
Now everything looks good, but it's stuck after exchanging a few ESP packages with the UE and cannot register with IMS. Logs: PCAP: Can you give me some advice on it? @herlesupreeth
Please post a pcap of the registration scenario.
This is my pcap of the registration.
Now the IPsec netlink messages are below:
root@1f68fbf31520:/# ip xfrm monitor
src 10.129.1.92 dst 172.22.0.9
From what I see here in the pcap, it could be that kamailio at branch 5.3 has a bug in handling encrypted traffic which may have been resolved in upstream kamailio branch you could try the https://github.com/herlesupreeth/docker_open5gs/tree/test_upstream_kamailio branch and see if the registration works. That branch takes the latest upstream kamailio code |
Thank you for providing the new information. I tried to change those new changes on the Kamailio, but it's like there is no modparam("ims_qos", "dialog_direction", RX_IMS_REG_DIALOG_DIRECTION) on the test upstream Kamailio; also other options are not working as well. Are you sure those changes worked well? Also, I deployed the new Kamailio 5.7.2, but it's the same as the 5.3 version, stuck on the ESP part during the registration process with IPsec.
After switching to that branch you need to recompile the kamailio base image as those modparams are only present in the upstream kamailio repo. And, I have tested both registration and calling with a COTS UE using IPSec.
I again compiled and deployed with all the above changes you mentioned, but still stuck on that IPsec part and still wondering why. My test environment is still the same as Proxmox on top of that Ubuntu 22 and docker. Dockerfile => ubuntu:focal. Ubuntu 22 Kernel: Linux bernetes 5.15.0-91-generic #101-Ubuntu SMP Tue Nov 14 13:30:08 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux. Now kamailio version is below, with test_upstream: root@7172f51ef75a:/# kamailio -v. I got below error on pcscf: Sorry for the trouble.
If you are using the latest master branch from docker_open5gs repo (it uses upstream kamailio master branch), then you can add the below configuration to kamailio_pcscf.cfg file and re-deploy and give it a try
I have successfully registered IPsec using version 5.7.4 on ubuntu 22. But it still doesn't work with version 5.7.4 with docker compose on ubuntu 22; the docker image is ubuntu:jammy. After the 401 challenge 6 ESP packets are exchanged with the UE and it's stuck with docker compose on ubuntu 22. Is there anything extra I need to do with Docker?
Hi, I have tried the same procedure described in this mail chain but am still facing the issue. I have also used kamailio version 5.7.4 but it didn't work. I have downloaded the code, compiled it and executed the binary with the configuration files shared. But P-CSCF is not able to decode ESP messages. Please help me if I need to configure anything else. Thanks,
I'm also having this same problem. Ubuntu 22.04 Server with Kamailio 5.8.4 (stable) compiled from source. No strongswan, just what comes with Ubuntu base. After decoding the ESP packets in wireshark (I'm using a Samsung S24 UE) they are TCP SYN packets attempting to make a connection with Kamailio at port 5063 (set by modparam("ims_ipsec_pcscf", "ipsec_server_port", IPSEC_SERVER_PORT)). There is no SYN ACK ever received and a bunch of TCP retransmissions. I can confirm there is indeed something listening on TCP port 5063, verified by command ss -a | grep 5063, so this looks like a possible decrypting problem. Using
This turned out to be a problem with permissions/privileges for user 'kamailio' (all kamailio processes are run as 'kamailio'). After running command 'sudo setcap cap_net_admin+ep /usr/local/sbin/kamailio' this issue with IPSec was resolved.
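The three causes raised in the thread (a kernel without IPsec/XFRM netlink support, kamailio started without root, and the 'kamailio' user lacking cap_net_admin) can be checked before a UE ever registers. The script below is an added example, not code from this thread, from kamailio or from docker_open5gs. It assumes the binary path /usr/local/sbin/kamailio quoted in the comment above, standard `getcap`, `ip` and `id` tools, and a readable /proc/net/xfrm_stat as a fallback probe; the getcap output lines and the `ip xfrm state` sample it parses are constructed, and the function names and `--run` entry point are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the projects it discusses):
# pre-flight checks for a P-CSCF that must install IPsec SAs via netlink.

# Assumption: path quoted in the thread; override with KAMAILIO_BIN=... if yours differs.
KAMAILIO_BIN="${KAMAILIO_BIN:-/usr/local/sbin/kamailio}"

# has_net_admin_cap LINE
# Returns 0 if one line of `getcap` output grants cap_net_admin as both
# effective and permitted, i.e. the "+ep" the thread's setcap fix sets.
# Accepts both libcap output styles (constructed samples):
#   "/usr/local/sbin/kamailio cap_net_admin=ep"
#   "/usr/local/sbin/kamailio = cap_net_admin+ep"
has_net_admin_cap() {
    line="$1"
    case "$line" in
        *cap_net_admin*) ;;          # capability named at all?
        *) return 1 ;;
    esac
    flags="${line##*[=+]}"           # flag letters after the last '=' or '+', e.g. "ep"
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;     # needs both e (effective) and p (permitted)
        *) return 1 ;;
    esac
}

# count_esp_states < ip-xfrm-state-output
# Counts installed ESP SAs in `ip xfrm state` output read from stdin.
# A UE that completed the 401 challenge should show SAs in both directions.
count_esp_states() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            *"proto esp"*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# kernel_xfrm_available
# Returns 0 if the kernel answers XFRM netlink requests (what ims_ipsec_pcscf uses).
# Falls back to /proc/net/xfrm_stat, which only exists on kernels with XFRM built in.
kernel_xfrm_available() {
    if command -v ip >/dev/null 2>&1; then
        ip xfrm state >/dev/null 2>&1 && return 0
    fi
    [ -r /proc/net/xfrm_stat ]
}

# ipsec_privilege_ok BIN
# Returns 0 if SA installation can be expected to work: we are root, or the
# binary carries cap_net_admin+ep. Non-root without the capability fails,
# which is the "non root permissions" cause mentioned mid-thread.
ipsec_privilege_ok() {
    bin="$1"
    if [ "$(id -u)" -eq 0 ]; then
        return 0
    fi
    if command -v getcap >/dev/null 2>&1 && [ -x "$bin" ]; then
        has_net_admin_cap "$(getcap "$bin" 2>/dev/null)"
        return $?
    fi
    return 1
}

preflight() {
    rc=0
    if kernel_xfrm_available; then
        echo "ok:   kernel XFRM/IPsec netlink interface is available"
    else
        echo "FAIL: kernel does not answer XFRM netlink requests; SA create/delete will fail"
        rc=1
    fi
    if ipsec_privilege_ok "$KAMAILIO_BIN"; then
        echo "ok:   SA installation privilege available for $KAMAILIO_BIN"
    else
        echo "FAIL: not root and $KAMAILIO_BIN lacks cap_net_admin+ep; fix: sudo setcap cap_net_admin+ep $KAMAILIO_BIN"
        rc=1
    fi
    if command -v ip >/dev/null 2>&1; then
        echo "info: $(ip xfrm state 2>/dev/null | count_esp_states) ESP SA(s) currently installed"
        echo "info: watch SA add/delete live during a registration with: ip xfrm monitor"
    fi
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run it with `sh preflight.sh --run` on the host, or inside the P-CSCF container as the same user kamailio runs as. Note that a file capability set with setcap inside a container only takes effect if the container's own bounding set includes it (for example `cap_add: [NET_ADMIN]` in compose), which is one reason the host install and the docker compose install in this thread can behave differently with identical kamailio versions.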
I'm using kamailio-ims 5.3 and when I tried to register with Android and Nokia phones it gave me this error. Also I used basic ipsec-tools, and after that I changed it to strongswan, but still no success. Would someone be able to help me with it?
kamailio IMS logs:
ims kamailio[23396]: 22(23396) ERROR: ims_ipsec_pcscf [cmd.c:412]: create_ipsec_tunnel(): Unable to convert ipsec addr4 []
ims kamailio[23396]: 22(23396) NOTICE: <script>: Security-Client=ipsec-3gpp;alg=hmac-md5-96;ealg=null;spi-c=1321;spi-s=1322;port-c=7089;port-s=7090,ipsec-3gpp;alg=hmac-md5-96;ealg=des-ede3-cbc;spi-c=1321;spi-s=1322;port-c=7089;port-s=7090,ipsec-3gpp;alg=hmac-md5-96;ealg=aes-cbc;spi-c=1321;spi-s=1322;port-c=7089;port-s=7090,ipsec-3gpp;alg=hmac-sha-1-96;ealg=null;spi-c=1321;spi-s=1322;port-c=7089;port-s=7090,ipsec-3gpp;alg=hmac-sha-1-96;ealg=des-ede3-cbc;spi-c=1321;spi-s=1322;port-c=7089;port-s=7090,ipsec-3gpp;alg=hmac-sha-1-96;ealg=aes-cbc;spi-c=1321;spi-s=1322;port-c=7089;port-s=7090
ims kamailio[23396]: 22(23396) ERROR: ims_ipsec_pcscf [cmd.c:412]: create_ipsec_tunnel(): Unable to convert ipsec addr4 []
IPsec status:
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-166-generic, x86_64):
uptime: 2 days, since Nov 22 06:36:55 2023
malloc: sbrk 1486848, mmap 0, used 513424, free 973424
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
192.168.0.1
Connections:
ims: 192.168.0.1...%any IKEv1/2
ims: local: [192.168.0.1] uses pre-shared key authentication
ims: remote: uses pre-shared key authentication
ims: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none