How do I make a successful registration over IPSec?

The OpenIMSCore P-CSCF is capable of dynamic IPSec communication over the Gm interface.

To test IPSec, we needed to slightly change SIPp. Here you can find SIPp with this patch applied. The modifications were mainly required to extract the Cipher and Integrity Keys and pass them to the scripts that create the IPSec SAs.

To run a test, download the attachment and run the script file found inside, "runIPSEC.sh". Three XML scenario files (scenarios/regIPSEC1.xml, scenarios/regIPSEC2.xml, scenarios/regIPSEC3.xml) will be used by three different instances of SIPp, as follows:

  • regIPSEC1.xml - send the first REGISTER (unprotected), parse the server answer and set the security associations.
  • regIPSEC2.xml - send the second REGISTER (after a 401 response, protected) over an established IPSec security association.
  • regIPSEC3.xml - receive the 200 answer.

The ports used by the simulated User Endpoint are:

  • 3061 - for unencrypted traffic
  • 12345 - UE client port for IPSec
  • 3062 - UE server port for IPSec

For setting the 4 IPSec Security Associations, the following 4 scripts from /opt/OpenIMSCore/ser_ims/modules/pcscf are used:

  • ipsec_E_Inc_Rpl.sh
  • ipsec_E_Out_Rpl.sh
  • ipsec_E_Inc_Req.sh
  • ipsec_E_Out_Req.sh

The scripts rely on the setkey utility (from the ipsec-tools package) to set up the IPSec SAs.
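To show what four SAs for one registration look like in setkey terms, here is an added example (not the OpenIMSCore scripts, whose contents are not shown on this page) that prints setkey input for the P-CSCF side. The UE ports are the ones listed above; the loopback addresses, P-CSCF ports, SPIs, keys, direction labels and the aes-cbc/hmac-md5 algorithm choice are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print setkey(8) input for the four transport-mode ESP SAs
# of one IMS registration, as seen from the P-CSCF. Nothing is installed;
# pipe the output to `setkey -c` as root to load it.

# UE ports come from the page; every other value below is constructed.
UE_IP=127.0.0.1;    UE_PORT_C=12345;   UE_PORT_S=3062
PCSCF_IP=127.0.0.1; PCSCF_PORT_C=5100; PCSCF_PORT_S=6100    # hypothetical ports
SPI_UC=0x1001; SPI_US=0x1002; SPI_PC=0x2001; SPI_PS=0x2002  # constructed SPIs
CK=0x00112233445566778899aabbccddeeff   # constructed 128-bit cipher key
IK=0xffeeddccbbaa99887766554433221100   # constructed 128-bit integrity key

# one_sa SRC SPORT DST DPORT SPI DIR
# Prints one SAD entry (add) and the SPD policy (spdadd) that selects it.
# The SAD entry carries no ports; the port pair lives in the policy selector.
one_sa() {
    printf 'add %s %s esp %s -m transport -E aes-cbc %s -A hmac-md5 %s;\n' \
        "$1" "$3" "$5" "$CK" "$IK"
    printf 'spdadd %s[%s] %s[%s] any -P %s ipsec esp/transport//require;\n' \
        "$1" "$2" "$3" "$4" "$6"
}

gen_ims_sas() {
    # Each SA uses the SPI allocated by the receiving side for that port.
    one_sa "$UE_IP"    "$UE_PORT_C"    "$PCSCF_IP" "$PCSCF_PORT_S" "$SPI_PS" in   # requests from UE
    one_sa "$PCSCF_IP" "$PCSCF_PORT_S" "$UE_IP"    "$UE_PORT_C"    "$SPI_UC" out  # replies to UE
    one_sa "$PCSCF_IP" "$PCSCF_PORT_C" "$UE_IP"    "$UE_PORT_S"    "$SPI_US" out  # requests to UE
    one_sa "$UE_IP"    "$UE_PORT_S"    "$PCSCF_IP" "$PCSCF_PORT_C" "$SPI_PC" in   # replies from UE
}

gen_ims_sas
```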

You can check the attached Wireshark trace (ipsec.pcap) to see the full scenario dump. Please keep in mind that the trace is for the local loopback and you will not see any ESP headers. Please use setkey -DpP for dumping the security associations (SAD and SPD entries).

Attachment: ipsec.pcap (20.81 KB)