CriXson / Open5GS-EAP-TLS

Open5GS with EAP-TLS - For my master thesis I implemented the additional authentication mechanism EAP-TLS in the Open5GS core.
GNU Affero General Public License v3.0

Cannot activate UE and N3IWF #9

Open dpinedaa opened 9 months ago

dpinedaa commented 9 months ago

Hello! We were able to build the Open5GS core and run all of the components. However, when we enabled Wireshark there was no TLS between the active core components. We proceeded to set up and start N3IWF but we are getting the following error:

```
2023-10-25T16:00:30-04:00 [TRAC][N3IWF][Context] Change to 01
2023-10-25T16:00:30-04:00 [WARN][N3IWF][Context] Parse PKCS8 private key failed: x509: failed to parse private key (use ParsePKCS1PrivateKey instead for this key format)
2023-10-25T16:00:30-04:00 [INFO][N3IWF][Context] Parse using PKCS1...
2023-10-25T16:00:30-04:00 [ERRO][N3IWF][Context] Cannot find interface name
2023-10-25T16:00:30-04:00 [ERRO][N3IWF][Init] Initicating context failed
```

We executed the following commands: `make amf` and `sudo ./bin/n3iwf`, and we also changed the AMF IP address in the config file.

Can you suggest what might be causing the problem or give us detailed step-by-step directions on how to start all of the three components (including open5GS core) together to observe TLS communications?

Please note that we are running everything on the local host. Therefore, we changed the 10.0.2.15 machine address to the IP of our machine in the Open5GS AMF config file. The same applies to N3IWF.

CriXson commented 9 months ago

In the readme of the N3IWF repo it mistakenly says `make amf`. It should be `make n3iwf`. I fixed that, thank you. In the repo there is a built n3iwf, but it is better to build your own.

From your logs I can tell that the N3IWF has a problem with the NWu interface. Are the IPs correctly set in the n3iwf config file? The IKEBindAddress should be the IP of the ogstun interface you created for the Open5GS core.

Did you create the ipsec link? See readme of my Non-3GPP-Access repo.

Edit: Reproduced the error. You are missing the ogstun interface. Follow the Setting up Tun device instructions here (https://open5gs.org/open5gs/docs/guide/02-building-open5gs-from-sources/)

CriXson commented 9 months ago

If it still does not work, follow up with more information.

dpinedaa commented 9 months ago

Hello Julius,

Thank you for your prompt response. We followed what you said and we created an IPsec. However, we still get an error.

First of all, we added two subscribers using mongodb as follows.

open5gs> db.subscribers.insertOne({ imsi: '001010000000001', msisdn: [], imeisv: '4301816125816151', mme_host: [], mme_realm: [], purge_flag: [], security: { k: '465B5CE8 B199B49F AA5F0A2E E238A6BC', op: null, opc: 'E8ED289D EBA952E4 283B54E8 8E6183CA', amf: '8000', sqn: NumberLong("513") }, ambr: { downlink: { value: 1, unit: 3 }, uplink: { value: 1, unit: 3 } }, slice: [ { sst: 1, default_indicator: true, session: [ { name: 'internet', type: 3, qos: { index: 9, arp: { priority_level: 8, pre_emption_capability: 1, pre_emption_vulnerability: 1 } }, ambr: { downlink: { value: 1, unit: 3 }, uplink: { value: 1, unit: 3 } }, ue: { addr: '10.45.0.3' }, _id: ObjectId("6473fd45a07e473e0b5334ce"), pcc_rule: [] }], _id: ObjectId("6473fd45a07e473e0b5334cd") }], access_restriction_data: 32, subscriber_status: 0, network_access_mode: 0, subscribed_rau_tau_timer: 12, __v: 0 })
{
  acknowledged: true,
  insertedId: ObjectId("653ab561496a8cb43cff7b7e")
}

open5gs> db.subscribers.insertOne({ imsi: '001011010101001', msisdn: [], imeisv: '4301816125816151', mme_host: [], mme_realm: [], purge_flag: [], security: { k: '465B5CE8 B199B49F AA5F0A2E E238A6BC', op: null, opc: 'E8ED289D EBA952E4 283B54E8 8E6183CA', amf: '8000', sqn: NumberLong("513") }, ambr: { downlink: { value: 1, unit: 3 }, uplink: { value: 1, unit: 3 } }, slice: [ { sst: 1, default_indicator: true, session: [ { name: 'internet', type: 3, qos: { index: 9, arp: { priority_level: 8, pre_emption_capability: 1, pre_emption_vulnerability: 1 } }, ambr: { downlink: { value: 1, unit: 3 }, uplink: { value: 1, unit: 3 } }, ue: { addr: '10.45.0.3' }, _id: ObjectId("6473fd45a07e473e0b5334ce"), pcc_rule: [] }], _id: ObjectId("6473fd45a07e473e0b5334cd") }], access_restriction_data: 32, subscriber_status: 0, network_access_mode: 0, subscribed_rau_tau_timer: 12, __v: 0 })
{
  acknowledged: true,
  insertedId: ObjectId("653ab568496a8cb43cff7b7f")
}

After that, we created an IPsec using this command

**ip link add ipsec0 type vti local LOCAL_UE_IP remote N3IWF_IP key 5**

We put the LOCAL_UE_IP as 10.45.0.3 and the N3IWF_IP as our local machine address on "enp0s25", 192.168.144.224.

We noticed in your open5gs, N3IWF-for-Open5GS, and Non-3GPP-access that you have the address of your VM which is 10.0.2.15. Therefore, we changed it to our local interface 192.168.144.224.

My question is: what should the N3IWF_IP address be? Is it our local machine IP address or some other address that we should use?

Here are the logs of the Open5gs AMF

./install/bin/open5gs-amfd
Open5GS daemon v2.5.6

10/26 14:58:36.299: [app] INFO: Configuration: '/home/maryna/Desktop/open5gs-tls/Open5GS-EAP-TLS/install/etc/open5gs/amf.yaml' (../lib/app/ogs-init.c:126)
10/26 14:58:36.299: [app] INFO: File Logging: '/home/maryna/Desktop/open5gs-tls/Open5GS-EAP-TLS/install/var/log/open5gs/amf.log' (../lib/app/ogs-init.c:129)
10/26 14:58:36.311: [sbi] INFO: NF Service [namf-comm] (../lib/sbi/context.c:1408)
10/26 14:58:36.311: [sbi] INFO: nghttp2_server() [127.0.0.5]:7777 (../lib/sbi/nghttp2-server.c:150)
10/26 14:58:36.311: [amf] INFO: ngap_server() [192.168.144.224]:38412 (../src/amf/ngap-sctp.c:61)
10/26 14:58:36.312: [sctp] INFO: AMF initialize...done (../src/amf/app.c:33)
10/26 14:58:36.315: [sbi] INFO: [aacfb40e-7431-41ee-aeac-0b7a3b9bfd85] NF registered [Heartbeat:10s] (../lib/sbi/nf-sm.c:214)
10/26 14:58:55.808: [amf] INFO: gNB-N2 accepted[192.168.144.224]:58618 in ng-path module (../src/amf/ngap-sctp.c:113)
10/26 14:58:55.808: [amf] INFO: gNB-N2 accepted[192.168.144.224] in master_sm module (../src/amf/amf-sm.c:668)
10/26 14:58:55.808: [amf] INFO: [Added] Number of gNBs is now 1 (../src/amf/context.c:973)
10/26 14:58:55.808: [amf] INFO: gNB-N2[192.168.144.224] max_num_of_ostreams : 30 (../src/amf/amf-sm.c:707)
10/26 14:59:04.449: [amf] INFO: InitialUEMessage (../src/amf/ngap-handler.c:361)
10/26 14:59:04.449: [amf] INFO: [Added] Number of gNB-UEs is now 1 (../src/amf/context.c:2239)
10/26 14:59:04.449: [amf] INFO:     RAN_UE_NGAP_ID[0] AMF_UE_NGAP_ID[1] TAC[1] CellID[0x10] (../src/amf/ngap-handler.c:503)
10/26 14:59:04.449: [amf] INFO: [suci-0-001-01-0000-0-0-1010101001] Unknown UE by SUCI (../src/amf/context.c:1546)
10/26 14:59:04.449: [amf] INFO: [Added] Number of AMF-UEs is now 1 (../src/amf/context.c:1340)
10/26 14:59:04.449: [gmm] INFO: Registration request (../src/amf/gmm-sm.c:135)
10/26 14:59:04.449: [gmm] INFO: [suci-0-001-01-0000-0-0-1010101001]    SUCI (../src/amf/gmm-handler.c:154)
10/26 14:59:04.455: [amf] INFO: Selected authenticaton method EAP-TLS (../src/amf/nausf-handler.c:88)
10/26 14:59:04.455: [nas] INFO:   EAP_MESSAGE -  (../lib/nas/5gs/ies.c:223)
10/26 14:59:04.455: [nas] INFO: [�] (../lib/nas/5gs/ies.c:224)
10/26 14:59:04.489: [nas] ERROR: Unknown type(0x0) or not implemented
 (../lib/nas/5gs/decoder.c:1697)
10/26 14:59:04.499: [nas] INFO:   EAP_MESSAGE -  (../lib/nas/5gs/ies.c:223)
�] (../lib/nas/5gs/ies.c:224)O: [�
10/26 14:59:04.512: [nas] INFO:   EAP_MESSAGE -  (../lib/nas/5gs/ies.c:223)
] (../lib/nas/5gs/ies.c:224)FO: [��
10/26 14:59:34.528: [gmm] WARNING: [suci-0-001-01-0000-0-0-1010101001] Retransmission failed. Stop retransmission (../src/amf/gmm-sm.c:666)
10/26 14:59:34.528: [amf] WARNING: [suci-0-001-01-0000-0-0-1010101001] Authentication reject (../src/amf/nas-path.c:390)
10/26 15:00:04.537: [amf] WARNING: Implicit NG release (../src/amf/amf-sm.c:776)
10/26 15:00:04.537: [amf] WARNING:     RAN_UE_NGAP_ID[0] AMF_UE_NGAP_ID[1] (../src/amf/amf-sm.c:777)
10/26 15:00:04.537: [amf] INFO: UE Context Release [Action:3] (../src/amf/ngap-handler.c:1412)
10/26 15:00:04.537: [amf] INFO:     RAN_UE_NGAP_ID[0] AMF_UE_NGAP_ID[1] (../src/amf/ngap-handler.c:1413)
10/26 15:00:04.537: [amf] INFO:     SUCI[suci-0-001-01-0000-0-0-1010101001] (../src/amf/ngap-handler.c:1416)
10/26 15:00:04.537: [amf] INFO: [Removed] Number of gNB-UEs is now 0 (../src/amf/context.c:2246)
10/26 15:00:04.537: [amf] INFO: [Removed] Number of AMF-UEs is now 0 (../src/amf/context.c:1426)
10/26 15:01:29.545: [amf] INFO: gNB-N2[192.168.144.224] connection refused!!! (../src/amf/amf-sm.c:720)
10/26 15:01:29.545: [amf] INFO: [Removed] Number of gNBs is now 0 (../src/amf/context.c:1000)

Here are the logs for Non-3GPP-access "sudo ./bin/ue_both_tls"

INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1585 free5gc/src/ue/ue_procedures.handshake() ------------------------------Fragment flag set -----------------------------------------  UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1587 free5gc/src/ue/ue_procedures.handshake() EAP ACK: {120 6 [2 225 0 6 13 0]}             UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:651 free5gc/src/ue/ue_procedures.writeToN3IWF() eapReqGlobal identifier: 30                   UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:653 free5gc/src/ue/ue_procedures.writeToN3IWF() SENDING TO UE                                 UE=Run
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Encoding IKE payloads
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][EAP] marshal(): Start marshalling
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][EAP][Expanded] marshal(): Start marshalling
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Encoding IKE message
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE] Start encoding IKE message
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Encoding IKE payloads
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][Encrypted] marshal(): Start marshalling
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Encoding IKE message
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE] Start encoding IKE message
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Encoding IKE payloads
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][Encrypted] marshal(): Start marshalling
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:674 free5gc/src/ue/ue_procedures.writeToN3IWF() n3iwfUDPAddr: [0 0 0 0 0 0 0 0 0 0 255 255 10 45 0 1]:%!p(int=500)  UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1463 free5gc/src/ue/ue_procedures.handshake() Handshake not done yet                        UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1466 free5gc/src/ue/ue_procedures.handshake() Chekd engine state 4                          UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1472 free5gc/src/ue/ue_procedures.handshake() Waiting for reply ....                        UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:691 free5gc/src/ue/ue_procedures.replayN3IWF() local address: &{[10 0 0 1] 500 %!d(string=)}  UE=Run
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Decoding IKE message
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Decoding IKE payloads
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][Encrypted] unmarshal(): Start unmarshalling received bytes
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Encoding IKE message
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE] Start encoding IKE message
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Encoding IKE payloads
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][Encrypted] marshal(): Start marshalling
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] Decoding IKE payloads
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][EAP] unmarshal(): Start unmarshalling received bytes
2023-10-26T15:09:22-04:00 [INFO][N3IWF][IKE] [IKE][EAP][Expanded] unmarshal(): Start unmarshalling received bytes
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:734 free5gc/src/ue/ue_procedures.replayN3IWF() EAPREQ: 1, %!p(uint8=142)                     UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1474 free5gc/src/ue/ue_procedures.handshake() Reply received                                UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1483 free5gc/src/ue/ue_procedures.handshake() eapMessage TLS Handshake length: 707          UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1487 free5gc/src/ue/ue_procedures.handshake() eapID : 226                                   UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1526 free5gc/src/ue/ue_procedures.handshake() EAP HEADER: [1 226 2 195 13 0]                UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1539 free5gc/src/ue/ue_procedures.handshake() Counter : 1                                   UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1542 free5gc/src/ue/ue_procedures.handshake() TLS MEssage length to bearssl; 701            UE=Run
-----------------state during write process buf: 4 
-----------------Length buf: 5 
-----------------state during write process buf: 4 
-----------------Length buf: 696 
**INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1545 free5gc/src/ue/ue_procedures.handshake() After wrting enginge state%!(EXTRA int=1)     UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1548 free5gc/src/ue/ue_procedures.handshake() current state%!(EXTRA int=1)                  UE=Run
INFO[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1612 free5gc/src/ue/ue_procedures.handshake() Engine fail: 1                                UE=Run
FATA[2023-10-26T15:09:22-04:00]/src/ue/ue_procedures/registration.go:1614 free5gc/src/ue/ue_procedures.handshake() Error code: 62                                UE=Run**

Attached is the Wireshark pcap file for ngap communication

ngap-5G-EAP-TLS.zip

CriXson commented 8 months ago

I always used the IP from the TUN interface for the N3IWF, which is created for the Open5GS core.

Looking at the Wireshark file, the core returns the error 'PLMN not allowed' or 'UE identity cannot be derived'. Did you use one of the IMSIs you added for the test communication? The MCC should be 001 and the MNC 01 in all config files. Additionally, look at the logs from the AUSF and UDM/UDR; sometimes the wrong error message is returned.
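The check the maintainer asks for (is the SUCI the UE sent one of the provisioned IMSIs, and does its PLMN match MCC 001 / MNC 01?) can be done mechanically from the AMF log line. The following is an added example, not code from the Open5GS-EAP-TLS project or from either participant: it parses the NAI-style SUCI layout from 3GPP TS 23.003 (`suci-<SUPI type>-<MCC>-<MNC>-<routing indicator>-<protection scheme>-<home network public key id>-<scheme output>`), reconstructs the IMSI for the null protection scheme (scheme 0, where the scheme output is the MSIN in clear), and compares it against the two IMSIs inserted into MongoDB earlier in the thread. The SUCI string and the IMSI list are taken from the thread; the function and variable names are the example's own.

```python
"""Derive the IMSI from a null-scheme SUCI and compare it with provisioned subscribers.

Added example, not part of the Open5GS-EAP-TLS project. The SUCI below is the
one printed by the AMF in the thread; the IMSI set mirrors the two
db.subscribers.insertOne() calls shown there.
"""
from dataclasses import dataclass

# Home PLMN the maintainer says every config file must agree on.
EXPECTED_MCC = "001"
EXPECTED_MNC = "01"

# IMSIs provisioned via mongosh in the thread (constructed set for this check).
PROVISIONED_IMSIS = {"001010000000001", "001011010101001"}

# SUCI copied from the AMF log line "Unknown UE by SUCI".
AMF_LOG_SUCI = "suci-0-001-01-0000-0-0-1010101001"


@dataclass(frozen=True)
class Suci:
    """Fields of a NAI-style SUCI (TS 23.003 layout)."""
    supi_type: str            # "0" = IMSI
    mcc: str
    mnc: str                  # 2 or 3 digits
    routing_indicator: str
    protection_scheme: str    # "0" = null scheme, "1"/"2" = ECIES profile A/B
    hn_public_key_id: str
    scheme_output: str        # MSIN in clear for scheme 0, ciphertext otherwise


def parse_suci(text: str) -> Suci:
    """Split the dash-separated SUCI into its seven fields; reject anything else."""
    parts = text.strip().split("-")
    if len(parts) != 8 or parts[0] != "suci":
        raise ValueError(f"not a NAI-style SUCI: {text!r}")
    return Suci(*parts[1:])


def imsi_from_suci(suci: Suci) -> str:
    """Return MCC+MNC+MSIN. Only the null scheme exposes the MSIN; for ECIES
    schemes the home network private key would be needed, so refuse."""
    if suci.supi_type != "0":
        raise ValueError(f"SUPI type {suci.supi_type} is not an IMSI")
    if suci.protection_scheme != "0":
        raise ValueError("scheme output is encrypted; MSIN not recoverable here")
    return suci.mcc + suci.mnc + suci.scheme_output


def check_registration(suci_text: str,
                       provisioned=PROVISIONED_IMSIS,
                       mcc: str = EXPECTED_MCC,
                       mnc: str = EXPECTED_MNC) -> list[str]:
    """Return human-readable findings; an empty list means the UE identity
    is consistent with the core's PLMN and subscriber database."""
    findings = []
    suci = parse_suci(suci_text)
    if suci.mcc != mcc or suci.mnc != mnc:
        findings.append(
            f"PLMN mismatch: UE sent {suci.mcc}/{suci.mnc}, core expects {mcc}/{mnc}")
    try:
        imsi = imsi_from_suci(suci)
    except ValueError as exc:
        findings.append(str(exc))
        return findings
    if imsi not in provisioned:
        findings.append(f"IMSI {imsi} is not provisioned in db.subscribers")
    return findings


if __name__ == "__main__":
    # For the SUCI in the thread this derives 001011010101001, which is the
    # second subscriber inserted, so no finding is reported.
    print("IMSI:", imsi_from_suci(parse_suci(AMF_LOG_SUCI)))
    print("findings:", check_registration(AMF_LOG_SUCI) or "none")
```

Run against the SUCI from the thread this reports no finding, which supports the maintainer's hint to look beyond the AMF (at the AUSF and UDM/UDR logs) rather than at the subscriber provisioning. Feeding it a SUCI with a different MNC or an unprovisioned MSIN produces the corresponding finding, and an ECIES-protected SUCI is rejected explicitly instead of being silently mis-decoded.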