Ipsec Support and Volte Components Updates: by Aleksandar Yosifov

This document discusses updates to IPSec support and VoLTE components in Kamailio. It describes new features like support for additional IPSec algorithms, IPv6 improvements, and TCP support. It also covers improvements to the S-CSCF module and an extended P-CSCF location table. The document provides examples of IPSec configuration parameters in Kamailio and discusses best practices for using IPSec with TCP and multiple connections.

Uploaded by

datura098c

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

108 views13 pages

Ipsec Support and Volte Components Updates: by Aleksandar Yosifov

Uploaded by

datura098c

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 13

IPSec Support And

VoLTE Components
Updates
by Aleksandar Yosifov
About Me
 C/C++ developer since 2005
 Previous experience
 Parking & Access control systems
 Gambling industry
 Current – Telecom industry since 2013
 Leading Core Network team since March 2019
 Integrating VoLTE using Kamailio SIP server
 Myself
 VoIP engineer
 QA/Telecom engineer
New features
 IPSec supported algorithms:
 Sha1(default) and md5 - parsed from
REGISTER msg
 Encapsulating Security Payload
 IPv6
 Improvements in ims_registrar/usrloc_pcscf
modules
 TCP support
 IPv4 and/or IPv6 listen interfaces
 4 SAs and policies
New features
 Extended P-CSCF location table
 New match key – received_port column – because of Re-Registration
 New columns – port_pc, port_ps, t_port_pc, t_port_ps
Improvements
 S-CSCF

 Single NOTIFY to the subscribers after Re-Registration

 Single Contact in 200OK reply for UE Re-Registration

 List all contacts in NOTIFY body when a contact expires

 Delete expired contact from the DB after expiration

NOTIFY body with terminated contact
IPSec in Kamailio IMS deployments
 kamailio.cfg
…
tcp_reuse_port=yes
…
#ims registrar pcscf module is bound to the ims ipsec pcscf module.
loadmodule "ims_ipsec_pcscf"
loadmodule "ims_registrar_pcscf"
…
modparam("ims_ipsec_pcscf", "ipsec_listen_addr6", "fd14::211:2eff:feec:d4be")
modparam("ims_ipsec_pcscf", "ipsec_listen_addr", "192.168.1.11")
modparam("ims_ipsec_pcscf", "ipsec_client_port", 5100) # Send from this port to UE server port
modparam("ims_ipsec_pcscf", "ipsec_server_port", 6100) # Receive on this port from UE client port
modparam("ims_ipsec_pcscf", "ipsec_reuse_server_port", 1) # by default is 1, can be skipped here
modparam("ims_ipsec_pcscf", "ipsec_max_connections", 2)
modparam("ims_ipsec_pcscf", "ipsec_spi_id_start", 100) # by default is 100, can be skipped here
modparam("ims_ipsec_pcscf", "ipsec_spi_id_range", 4) # by default is 1000, can be skipped here
…
IPSec in Kamailio IMS deployments
 tcp_reuse_port=yes
 Must be always set to “yes” when TCP is used
 https://www.kamailio.org/wiki/cookbooks/5.3.x/core#tcp_reuse_port
 Allows reuse of TCP ports. This means, for example, that the same TCP ports on
which Kamailio is listening on, can be used as source ports of new TCP connections
when acting as an UAC. Kamailio must have been compiled in a system
implementing SO_REUSEPORT (Linux > 3.9.0, FreeBSD, OpenBSD, NetBSD, MacOSX).
This parameter takes effect only if also the system on which Kamailio is running on
supports SO_REUSEPORT.
 ipsec_reuse_server_port
 If set to 1 – reuse the old P-CSCF server port during Re-Registration. Only a new P-
CSCF client port will be distributed.
IPSec in Kamailio IMS deployments
 ipsec_forward()
 IPSEC_SEND_FORCE_SOCKET(0x01) - Useful for IPSec and TCP. If set to 1 - send requests
through an existing IPSec tunnel when TCP is used. In combination with
tcp_reuse_port=yes
 IPSEC_REVERSE_SEARCH(0x02)– helps to use the newest SAs for Requests to the UE
(contact aliases are disabled)
 onreply_route[REGISTER_reply] & onreply_route[MO_reply]
 ipsec_forward(“location”,”1”);
 route[REQINIT]
 ipsec_forward(“location”,”3”);

 ipsec_create()
 IPSEC_CREATE_DELETE_UNUSED_TUNNELS(0x01) - delete unused tunnels before each
registration – is a must to be used when contact aliases are disabled.
 onreply_route[REGISTER_reply]
 if (t_check_status("401")) { ipsec_create("location","1") }
IPSec in Kamailio IMS deployments
 Exclude contact alias
 kamailio.cfg
route {
...
} else {
force_rport();
#!ifdef WITH_CONTACT_ALIAS
if(is_method("INVITE|SUBSCRIBE|UPDATE|REGISTER")) {
add_contact_alias();
}
#!endif
...
}
...
# Handle requests within SIP dialogs
route[WITHINDLG] {
if (has_totag()) {
#!ifdef WITH_CONTACT_ALIAS
if(!isdsturiset()) {
handle_ruri_alias();
}
#!endif
...
IPSec in Kamailio IMS deployments
76 route[NATMANAGE] {
 Exclude contact alias ...
if ((is_reply() && ($T_req($tt) != $null)) || (is_request() && has_totag())) {
 rtp.cfg if(!check_route_param("rm=") && !isflagset(FLT_RTP)) {
return;
}
#!ifdef WITH_CONTACT_ALIAS
if (is_request()) {
if (isflagset(FLT_MOBILE_ORIG) && is_direction("downstream")) {
add_contact_alias();
} else if (!isflagset(FLT_MOBILE_ORIG) && is_direction("upstream")) {
add_contact_alias();
}
} else {
if (!isflagset(FLT_MOBILE_ORIG) && is_direction("downstream")) {
add_contact_alias();
} else if (isflagset(FLT_MOBILE_ORIG) && is_direction("upstream")) {
add_contact_alias();
}
}
#!endif
}
#!ifdef WITH_CONTACT_ALIAS
else {
if (is_reply() && !isflagset(FLT_MOBILE_ORIG)) {
add_contact_alias();
}
}
#!endif
...
IPSec with TCP and 2 connections

tcp 0 0 192.168.1.11:5100 0.0.0.0:* LISTEN 14626/kamailio

tcp 0 0 192.168.1.11:5101 0.0.0.0:* LISTEN 14626/kamailio
tcp 0 0 192.168.1.11:6100 0.0.0.0:* LISTEN 14626/kamailio
tcp 0 0 192.168.1.11:6101 0.0.0.0:* LISTEN 14626/kamailio
tcp 0 0 192.168.1.11:5060 0.0.0.0:* LISTEN 14626/kamailio
tcp6 0 0 fd14::211:2eff:fee:5100 :::* LISTEN 14626/kamailio
tcp6 0 0 fd14::211:2eff:fee:5101 :::* LISTEN 14626/kamailio
tcp6 0 0 fd14::211:2eff:fee:6100 :::* LISTEN 14626/kamailio
tcp6 0 0 fd14::211:2eff:fee:6101 :::* LISTEN 14626/kamailio
tcp6 0 0 fd14::211:2eff:fee:5060 :::* LISTEN 14626/kamailio
Thank you for your attention!

Q&A

Checkpoint Interview
100% (1)
Checkpoint Interview
18 pages
Cisco 350-401 ENCOR Exam: Key Topics and Questions
No ratings yet
Cisco 350-401 ENCOR Exam: Key Topics and Questions
33 pages
Trace Rainbow
No ratings yet
Trace Rainbow
6 pages
Kernel Debug
No ratings yet
Kernel Debug
6 pages
60 29 165 90va
No ratings yet
60 29 165 90va
2 pages
Configuration CME UC540
No ratings yet
Configuration CME UC540
14 pages
CCNA New
No ratings yet
CCNA New
18 pages
eTC Fail
No ratings yet
eTC Fail
17 pages
HCIA-R&S V2.5 Training & CCNA Practice
No ratings yet
HCIA-R&S V2.5 Training & CCNA Practice
28 pages
156 915.80 Premium
100% (1)
156 915.80 Premium
108 pages
Cisco 200 301 Ccna Dumps by Klein 29-01-2024 12qa Dumpssheet
No ratings yet
Cisco 200 301 Ccna Dumps by Klein 29-01-2024 12qa Dumpssheet
13 pages
300 101
0% (1)
300 101
484 pages
Mikrotik Mtcna Test 31 35
No ratings yet
Mikrotik Mtcna Test 31 35
5 pages
Soal Mtcna-Mtcre Q
No ratings yet
Soal Mtcna-Mtcre Q
10 pages
Answer:A & E
No ratings yet
Answer:A & E
17 pages
Solution For ACL Question 100% Correct
No ratings yet
Solution For ACL Question 100% Correct
14 pages
Testking 350 001 Edt26 1 6339
No ratings yet
Testking 350 001 Edt26 1 6339
141 pages
The Ordinary Function and Cases - Zycoo
No ratings yet
The Ordinary Function and Cases - Zycoo
51 pages
Configure FTD High Availability On Firepower Appliances: Requirements
No ratings yet
Configure FTD High Availability On Firepower Appliances: Requirements
33 pages
BNB Bumthang Config Backup 25112016
No ratings yet
BNB Bumthang Config Backup 25112016
8 pages
MikroTik RouterOS Configuration Quiz
No ratings yet
MikroTik RouterOS Configuration Quiz
15 pages
H12-831 - V1.0 HCIP-Datacom-Advanced Routing & Switching Technology V1.0 Exam Practice Questions
No ratings yet
H12-831 - V1.0 HCIP-Datacom-Advanced Routing & Switching Technology V1.0 Exam Practice Questions
24 pages
Discover
No ratings yet
Discover
2 pages
Ee PDF V2019-Apr-13 by Ken 279q Vce
No ratings yet
Ee PDF V2019-Apr-13 by Ken 279q Vce
9 pages
Escuela Superior Politecnica Del Litoral
No ratings yet
Escuela Superior Politecnica Del Litoral
8 pages
VoIP Configuration for SIP and H323
No ratings yet
VoIP Configuration for SIP and H323
16 pages
Telekom Connection Request Reject
No ratings yet
Telekom Connection Request Reject
4 pages
SIP Exercise
No ratings yet
SIP Exercise
10 pages
NSF Wireshark: Look For Repeated USER and PASS Commands
No ratings yet
NSF Wireshark: Look For Repeated USER and PASS Commands
26 pages
Troubleshooting BGP Flaps over IPSec
No ratings yet
Troubleshooting BGP Flaps over IPSec
12 pages
230q File PDF
No ratings yet
230q File PDF
135 pages
Checkpoint Pass4sure 156-315 77 v2015-03-09 by Angelo 519q
No ratings yet
Checkpoint Pass4sure 156-315 77 v2015-03-09 by Angelo 519q
194 pages
Log Iotc
No ratings yet
Log Iotc
649 pages
Soal Ujian Sertifikasi Mikrotik (English)
No ratings yet
Soal Ujian Sertifikasi Mikrotik (English)
8 pages
TC_INVOKE_REQ Message Details
No ratings yet
TC_INVOKE_REQ Message Details
7 pages
Cisco: Exam Questions 200-125
No ratings yet
Cisco: Exam Questions 200-125
9 pages
Combine
No ratings yet
Combine
10 pages
Cisco Answer
No ratings yet
Cisco Answer
28 pages
San Jose
No ratings yet
San Jose
14 pages
Question01 CCNA
No ratings yet
Question01 CCNA
23 pages
MRL SG
No ratings yet
MRL SG
5 pages
Router VoIp
No ratings yet
Router VoIp
4 pages
C. l2tp Users D. PPTP Users E. Pppoe Users
No ratings yet
C. l2tp Users D. PPTP Users E. Pppoe Users
5 pages
Answer:A & E
No ratings yet
Answer:A & E
15 pages
ActualTests Cisco 350-030 ExamCheatSheet v01.16.04
No ratings yet
ActualTests Cisco 350-030 ExamCheatSheet v01.16.04
29 pages
300 101
No ratings yet
300 101
102 pages
CCNA
No ratings yet
CCNA
22 pages
100-150 Cisco Certified Support Technician (CCST) Networking Practice Questions
No ratings yet
100-150 Cisco Certified Support Technician (CCST) Networking Practice Questions
8 pages
Mikrotik Basix MTCNA Exam
No ratings yet
Mikrotik Basix MTCNA Exam
7 pages
SW Core Pku Spring
No ratings yet
SW Core Pku Spring
20 pages
Re - (Packetfence-Users) Packetfence & Nessus Configuration - PacketFence
No ratings yet
Re - (Packetfence-Users) Packetfence & Nessus Configuration - PacketFence
17 pages
Vulnerability Assessment Report
No ratings yet
Vulnerability Assessment Report
23 pages
Ccna Sample Question
No ratings yet
Ccna Sample Question
25 pages
Unit 3 Windows Server Configuration
No ratings yet
Unit 3 Windows Server Configuration
14 pages
FG621 Ea
No ratings yet
FG621 Ea
3 pages
BRKRST 1014
No ratings yet
BRKRST 1014
85 pages
FIT1047 Applied Session Week 07
No ratings yet
FIT1047 Applied Session Week 07
4 pages
Wireless LANs & IEEE 802.11 Overview
No ratings yet
Wireless LANs & IEEE 802.11 Overview
42 pages
CH 22
No ratings yet
CH 22
43 pages
Modernized Iot
No ratings yet
Modernized Iot
12 pages
IKE and ISAKMP for Network Security
No ratings yet
IKE and ISAKMP for Network Security
58 pages
Unit 4 (Part 1)
No ratings yet
Unit 4 (Part 1)
64 pages
IPv4 Addressing and Subnetting Workbook - Student Version v2.1
67% (3)
IPv4 Addressing and Subnetting Workbook - Student Version v2.1
89 pages
Routing Protocols for Network Engineers
No ratings yet
Routing Protocols for Network Engineers
33 pages
Cisco Callmanager and H.323 Gateway Interaction Issues: Document Id: 10127
No ratings yet
Cisco Callmanager and H.323 Gateway Interaction Issues: Document Id: 10127
4 pages
Configure PPPoEoVLAN for IPv4 Users
No ratings yet
Configure PPPoEoVLAN for IPv4 Users
7 pages
Rangkuman Materi Sosiologi Kelas XI SMA "Masalah Sosial"
No ratings yet
Rangkuman Materi Sosiologi Kelas XI SMA "Masalah Sosial"
220 pages
Setting Up WAN Emulation Using WAN-Bridge Live-CD v1.10
No ratings yet
Setting Up WAN Emulation Using WAN-Bridge Live-CD v1.10
8 pages
Chapter 2 - Configuring A Network Operating System
No ratings yet
Chapter 2 - Configuring A Network Operating System
59 pages
Nmap Network Discovery III Reduced Size PDF
50% (2)
Nmap Network Discovery III Reduced Size PDF
937 pages
Lecture 1 Network2
No ratings yet
Lecture 1 Network2
37 pages
1.1 Ospf Features and Characteristics: Module 1: Single-Area Ospfv2 Concepts
No ratings yet
1.1 Ospf Features and Characteristics: Module 1: Single-Area Ospfv2 Concepts
8 pages
PAN LAN MAN WAN and HISTORY OF INTERNET
No ratings yet
PAN LAN MAN WAN and HISTORY OF INTERNET
6 pages
Radware DDOS v1
No ratings yet
Radware DDOS v1
22 pages
List of TCP and UDP Port Numbers
No ratings yet
List of TCP and UDP Port Numbers
52 pages
Performance Analysis of DiffServ Based Q PDF
No ratings yet
Performance Analysis of DiffServ Based Q PDF
9 pages
Network Gateways Explained
No ratings yet
Network Gateways Explained
11 pages
IPsec Tunnel Setup Guide
No ratings yet
IPsec Tunnel Setup Guide
12 pages
BRKSPG-2904-2904 - Cisco Live Session - v2-CL PDF
No ratings yet
BRKSPG-2904-2904 - Cisco Live Session - v2-CL PDF
182 pages
PS404 4PMBGW
No ratings yet
PS404 4PMBGW
2 pages
Datasheet External Antenna 2000 - Alpha-Con-V7
No ratings yet
Datasheet External Antenna 2000 - Alpha-Con-V7
4 pages
Sagemcom Fast 1704 ENG
No ratings yet
Sagemcom Fast 1704 ENG
2 pages
Networking Concepts For DevOps Engineers 170132099
No ratings yet
Networking Concepts For DevOps Engineers 170132099
11 pages

Ipsec Support and Volte Components Updates: by Aleksandar Yosifov

Uploaded by

Ipsec Support and Volte Components Updates: by Aleksandar Yosifov

Uploaded by

IPSec Support And

 Single NOTIFY to the subscribers after Re-Registration

 Single Contact in 200OK reply for UE Re-Registration

 List all contacts in NOTIFY body when a contact expires

 Delete expired contact from the DB after expiration

tcp 0 0 192.168.1.11:5100 0.0.0.0:* LISTEN 14626/kamailio

You might also like