Open psheshupavan opened 1 month ago
Hi Supreeth,
I also tried upstream_master code and tested but still P-CSCF is not able to process ESP messages. Please find the logs attached. Please let me know if there is any configuration I need to do.
Thanks and Regards, Pavan IPSECRegister.txt
@psheshupavan Please attach a pcap as it's helpful to debug rather than logs
Just by looking at the image I am guessing that 401 Challenge is failing, which indicates that there is disparity between the SIM Ki/OP/OPc configured in the SIM vs the same fields configured in IMS HSS
Hi Supreeth,
Thank you so much for your response. Please find the attached pcap traces.
Also please find output of xfrm.
src 10.252.0.2/32 dst 192.168.149.106/32 sport 32001 dport 5100 uid 144282632
    dir in action allow index 1056 priority 2080 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2024-09-20 16:15:10 use -
    tmpl src 10.252.0.2 dst 192.168.149.106
        proto esp spi 0x00000000(0) reqid 4097(0x00001001) mode transport
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.149.106/32 dst 10.252.0.2/32 sport 5100 dport 32001 uid 144282632
    dir out action allow index 1065 priority 2080 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2024-09-20 16:15:10 use -
    tmpl src 192.168.149.106 dst 10.252.0.2
        proto esp spi 0x00000000(0) reqid 256(0x00000100) mode transport
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.149.106/32 dst 10.252.0.2/32 sport 6100 dport 32000 uid 144282632
    dir out action allow index 1073 priority 2080 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2024-09-20 16:15:10 use -
    tmpl src 192.168.149.106 dst 10.252.0.2
        proto esp spi 0x00000000(0) reqid 257(0x00000101) mode transport
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.252.0.2/32 dst 192.168.149.106/32 sport 32000 dport 6100 uid 144282632
    dir in action allow index 1080 priority 2080 share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2024-09-20 16:15:10 use -
    tmpl src 10.252.0.2 dst 192.168.149.106
        proto esp spi 0x00000000(0) reqid 4096(0x00001000) mode transport
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
Thank you Pavan ipsec12.zip
Are you running the P-CSCF as root? If not, I would suggest to do so.
Also, I noticed that there is no response to TCP SYN. Upon closer observation I see that the UE is sending correctly the ESP packet from port-c 32001 to P-CSCF server port 6100. But, in the above xfrm output I don't see that policy created to decode ESP packet.
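Added example, not part of the thread and not code from the project: one way to run the check described in the comment above, by parsing the selector and direction lines of the posted xfrm output and asking whether any inbound policy covers the UE flow from port 32001 to P-CSCF port 6100. The function names `parse_policies` and `matching_policies` are hypothetical, and the sample input is abridged from the output posted earlier (lifetime and tmpl lines omitted).

```python
import ipaddress

# Selector and "dir" lines abridged from the xfrm output posted in this thread.
XFRM_POLICY_OUTPUT = """\
src 10.252.0.2/32 dst 192.168.149.106/32 sport 32001 dport 5100 uid 144282632
    dir in action allow index 1056 priority 2080 share any flag (0x00000000)
src 192.168.149.106/32 dst 10.252.0.2/32 sport 5100 dport 32001 uid 144282632
    dir out action allow index 1065 priority 2080 share any flag (0x00000000)
src 192.168.149.106/32 dst 10.252.0.2/32 sport 6100 dport 32000 uid 144282632
    dir out action allow index 1073 priority 2080 share any flag (0x00000000)
src 10.252.0.2/32 dst 192.168.149.106/32 sport 32000 dport 6100 uid 144282632
    dir in action allow index 1080 priority 2080 share any flag (0x00000000)
"""

def parse_policies(text):
    """Return one dict per policy: selector networks, ports, direction, index."""
    policies = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        fields = dict(zip(tokens[0::2], tokens[1::2]))  # "key value" pairs
        if not line[0].isspace() and tokens[0] == "src":
            # Unindented "src ..." line starts a new policy selector.
            policies.append({
                "src": ipaddress.ip_network(fields["src"]),
                "dst": ipaddress.ip_network(fields["dst"]),
                "sport": int(fields["sport"]) if "sport" in fields else None,
                "dport": int(fields["dport"]) if "dport" in fields else None,
                "dir": None, "index": None,
            })
        elif tokens[0] == "dir" and policies:
            policies[-1]["dir"] = fields["dir"]
            policies[-1]["index"] = int(fields["index"])
    return policies

def matching_policies(policies, direction, src, dst, sport, dport):
    """Policies whose selector covers the flow; a missing port means any port."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [p for p in policies
            if p["dir"] == direction
            and src_ip in p["src"] and dst_ip in p["dst"]
            and p["sport"] in (None, sport) and p["dport"] in (None, dport)]

if __name__ == "__main__":
    pols = parse_policies(XFRM_POLICY_OUTPUT)
    # Flow seen in the pcap: UE port-c 32001 -> P-CSCF server port 6100.
    hits = matching_policies(pols, "in", "10.252.0.2", "192.168.149.106", 32001, 6100)
    print("inbound policy for 32001 -> 6100:", [p["index"] for p in hits] or "none")
```

On the posted output the installed inbound selectors pair 32001 with 5100 and 32000 with 6100, so the 32001 to 6100 flow has no matching policy.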
Hi Supreeth,
Thank you for response.
I am running P-CSCF as root. I also have checked all the variables configured in HSS with the SIM variables. Using tools I also calculated all the variables from Nonce received in 401. As you mentioned, I have observed no response to TCP SYN. Is there anything I need to configure in P-CSCF, please help me to know.
Thanks and Regards, Pavan
Are you sure you are using the configuration files in this repository? and changed the IP address according to your setup?
I am asking this because I use the same configuration files in my docker setup and it works just fine.
Hi Supreeth,
Please find below screenshots taken from server when kamailio is running,
version: kamailio 5.8.0-dev2 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, MEM_JOIN_FREE, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_SEND_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: unknown
compiled on 07:25:30 Sep 20 2024 with gcc 9.4.0
Sometimes I am getting this error
Please suggest what configuration else I need to do.
Thanks and Regards, Pavan
Hi Supreeth,
Thank you for sharing configuration files. I have tried installing kamailio and use the configuration files shared and done few test cases. When I am trying to do registration with IPSEC enabled, P-CSCF is unable to receive ESP messages and process it. But in wireshark ESP messages are visible. I have tried with 5.3, 5.7 and 5.8 versions of Kamailio.
I have gone through all the messages posted for IPSEC issue in internet and configured as mentioned. My tool and P-CSCF server both are in same lan. REGISTER and 401 exchanges are properly done. After receiving 401, UE is sending REGISTER message in ESP to P-CSCF but it is not able to receive message. In wireshark those messages are visible.
I have tried on Ubuntu 18 and 20 versions
Please find the trace screenshot below,
Please help me with how to proceed.
Thanks and Regards, Pavan