Frequently Asked Questions - The Call Session Control Functions


How do I make a successful registration over TLS?

The OpenIMSCore P-CSCF is capable of TLS encrypted connections over the Gm interface.

To enable TLS, the configuration script pcscf.cfg must be modified according to the commented lines. Please check this FAQ for more information on how to make your P-CSCF TLS ready.

The TLS User Endpoint does not need a valid certificate; only the P-CSCF server must provide one. For the User Endpoint to fully validate the P-CSCF identity, the P-CSCF must probably have a valid signed certificate, not a self-signed one (like the one the tls_prepare.sh script generates).

To test TLS we needed to slightly change SIPp. Here you can find SIPp with this patch applied. Mainly the modifications were required in order to support different SIPp instances for first and second REGISTER.

Remember that for TLS support, SIPp must be compiled with the ossl option (make ossl)!

To register via TLS, we use 2 XML scenario files (scenarios/regbob.xml and scenarios/regbob2.xml) with 2 different instances of SIPp, as follows:

  • The first SIPp instance sends a plain text REGISTER over UDP, with Security-Client set to tls.
  • The second SIPp instance handshakes a TLS connection to P-CSCF port 4061. The Security-Verify header is set to the value received in the Security-Server header.
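
The header handling behind these two steps, as an added example that is not part of the OpenIMSCore or SIPp code: it reads Security-Server from the 401 and builds the Security-Verify line for the second REGISTER, following the RFC 3329 header syntax. The 401 message and all function names are constructed for illustration, and quoted parameter values containing commas are assumed not to occur.

```python
# Constructed sample 401, not taken from the tls.pcap trace.
SAMPLE_401 = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 127.0.0.1:3061;branch=z9hG4bK-constructed\r\n"
    "Security-Server: tls;q=0.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def header_values(message, name):
    """Return the values of every `name` header (case-insensitive match)."""
    head = message.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def parse_mechanisms(value):
    """Split 'mech;param=val, mech2' into [(mechanism, {param: val})]."""
    mechanisms = []
    for item in value.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts:
            continue
        params = dict(p.split("=", 1) if "=" in p else (p, "") for p in parts[1:])
        mechanisms.append((parts[0].lower(), params))
    return mechanisms

def build_security_verify(response_401, wanted="tls"):
    """Header line for the second REGISTER; raise if `wanted` was not offered."""
    raw = header_values(response_401, "Security-Server")
    offered = [name for value in raw for name, _ in parse_mechanisms(value)]
    if wanted not in offered:
        raise ValueError("P-CSCF did not offer %r in Security-Server" % wanted)
    # Echo the complete list unchanged: the server compares it to what it sent.
    return "Security-Verify: " + ", ".join(raw)

def verify_matches(sent_security_server, received_security_verify):
    """Server-side view: the echoed list must equal the list that was sent."""
    return (parse_mechanisms(sent_security_server)
            == parse_mechanisms(received_security_verify))
```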

A TLS secure connection can be established from the first REGISTER as well (runTLS2.sh script with the regbob_tls.xls scenario file), but OpenIMSCore provides full flexibility according to 3GPP specifications. Find attached a Wireshark trace for this scenario (tls_from_begining.pcap) as well.

After a successful REGISTER over a TLS secure connection, any subsequent REGISTER will be marked as being integrity protected.

You can check the attached Wireshark trace (tls.pcap) to see the full scenario dump.

How do I make a successful registration over IPSec?

The OpenIMSCore P-CSCF is capable of dynamic IPSec communication over the Gm interface.

To test IPSec, we needed to slightly change SIPp. Here you can find SIPp with this patch applied. Mainly the modifications were required in order to extract the Cipher and Integrity Keys and pass them to the scripts that create the IPSec SAs.

To run a test, download the attachment and run the script file found inside, "runIPSEC.sh". 3 XML scenario files (scenarios/regIPSEC1.xml, scenarios/regIPSEC2.xml, scenarios/regIPSEC3.xml) will be used by 3 different instances of SIPp, as follows:

  • regIPSEC1.xml - send first register - unprotected, parse the server answer and set the security associations.
  • regIPSEC2.xml - send second register (after a 401 response, protected) over a secure established IPSec association.
  • regIPSEC3.xml - receive the 200 answer.

The ports used by the simulated User Endpoint are:

  • 3061 - for unencrypted traffic
  • 12345 - UE client port for IPSec
  • 3062 - UE server port for IPSec

For setting the 4 IPSec Security Associations, the following 4 scripts from /opt/OpenIMSCore/ser_ims/modules/pcscf are used:

  • ipsec_E_Inc_Rpl.sh
  • ipsec_E_Out_Rpl.sh
  • ipsec_E_Inc_Req.sh
  • ipsec_E_Out_Req.sh

The scripts rely on the setkey utility (from the ipsec-tools package) to set up the IPSec SAs.

You can check the attached Wireshark trace (ipsec.pcap) to see the full scenario dump. Please keep in mind that the trace is for the local loopback and you will not see any ESP headers. Please use setkey -DpP for dumping the security associations (SAD and SPD entries).

How do I enable TLS?

To use TLS you first need OpenSSL installed. Then you need to re-make ser_ims with the following command:

cd /opt/OpenIMSCore/
make all include_modules=tls

Based on how you have compiled OpenSSL, you might need to add some extra parameters to the make above, like:

make all include_modules=tls TLS_EXTRA_LIBS="-lz -lkrb5" 

Then you need to find some certificates for your P-CSCF. The easiest way to do this is to run /opt/OpenIMSCore/ser_ims/cfg/tls_prepare.sh once. This creates all the files that you need. You will be asked twice for the same information. Make sure that you enter the same organization, group, common-name! If you need to use your own certificates, look inside that script and in /opt/OpenIMSCore/ser_ims/modules/tls/README for more detailed information.

Edit the pcscf.cfg. There are a few lines that you need to uncomment/comment. Here are some that you need (please check carefully the file for any other lines that do not appear in this FAQ, as the information here might be deprecated):

listen=tls:127.0.0.1
tls_port_no=4061
enable_tls=yes
...
modparam("pcscf","use_tls",1)
modparam("pcscf","tls_port",4061)
...
loadmodule "/opt/OpenIMSCore/ser_ims/modules/tls/tls.so"
modparam("tls", "tls_method", "TLSv1")
modparam("tls", "private_key", "/opt/OpenIMSCore/PCSCF_CA/pcscf_private_key.pem")
modparam("tls", "certificate", "/opt/OpenIMSCore/PCSCF_CA/pcscf_cert.pem")
modparam("tls", "ca_list", "/opt/OpenIMSCore/PCSCF_CA/pcscf_ca_list.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 0)
modparam("tls", "tls_disable_compression", 1)
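
A quick way to confirm that the lines above are really active in your pcscf.cfg, as an added example that is not part of OpenIMSCore: it lists TLS settings from this FAQ that are still commented out and checks that the two port settings agree. The sample fragment and the function names are constructed, and only '#' line comments are handled.

```python
import re

# Constructed sample: a pcscf.cfg fragment with two of the FAQ's lines still
# commented out and mismatched ports. Not the shipped OpenIMSCore file.
SAMPLE_CFG = '''
listen=tls:127.0.0.1
tls_port_no=4061
#enable_tls=yes
modparam("pcscf","use_tls",1)
modparam("pcscf","tls_port",4062)
loadmodule "/opt/OpenIMSCore/ser_ims/modules/tls/tls.so"
modparam("tls", "private_key", "/opt/OpenIMSCore/PCSCF_CA/pcscf_private_key.pem")
# modparam("tls", "certificate", "/opt/OpenIMSCore/PCSCF_CA/pcscf_cert.pem")
modparam("tls", "verify_certificate", 1)
'''

MODPARAM = re.compile(r'modparam\(\s*"(\w+)"\s*,\s*"(\w+)"\s*,\s*"?([^")]*)"?\s*\)')
CORE = re.compile(r'(\w+)\s*=\s*(\S+)')

def active_settings(cfg_text):
    """Map setting name -> value for every line that is not '#'-commented."""
    settings = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MODPARAM.match(line)
        if m:   # stored as "module.parameter"
            settings["%s.%s" % (m.group(1), m.group(2))] = m.group(3)
            continue
        m = CORE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def tls_findings(cfg_text):
    """List what still differs from the TLS setup this FAQ describes."""
    s = active_settings(cfg_text)
    findings = []
    for key in ("enable_tls", "tls_port_no", "pcscf.use_tls", "pcscf.tls_port",
                "tls.private_key", "tls.certificate"):
        if key not in s:
            findings.append("missing or commented out: " + key)
    if "tls_port_no" in s and "pcscf.tls_port" in s and s["tls_port_no"] != s["pcscf.tls_port"]:
        findings.append("port mismatch: tls_port_no=%s, pcscf tls_port=%s"
                        % (s["tls_port_no"], s["pcscf.tls_port"]))
    if s.get("tls.verify_certificate") != "1":
        findings.append("tls.verify_certificate is not 1")
    return findings
```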

After this, you should be ready. If you are wondering why we haven't enabled TLS by default, please consider that a lot of people do not need TLS at all and would prefer to stay away from installing OpenSSL and generating certificates that will never be used.

How do I enable the RTP Proxy?

Download and install RTPProxy. You can get it from http://www.iptel.org/downloads. Then start it with the following command line:
rtpproxy -l 1.2.3.4 -s udp:127.0.0.1:34999 -f
Edit the pcscf.cfg and enable the RTPProxy:

I get an error that "setkey" is not found when starting the P-CSCF. How do I fix it?

Install the ipsec-tools package. "setkey" is included there and it is used to set up the IPSec Security Associations. Also, don't forget to check that you have IPSec AH and ESP compiled into your kernel.

How do I enable persistency support in the CSCFs?

Take a look at pcscf.cfg and scscf.cfg: there you can find the example for the new persistency setting in blocks that are commented out by default. To enable e.g. file storage in the S-CSCF use:
modparam("scscf","persistency_mode",1)

Also do not forget to create the directory path that you configured or to create the database structure in case you selected the database storage.