Issue with GTP0 not receiving packets in my setup

fprdkhti · February 18, 2025, 8:08am

Hi
I have set up the following components:

SWU client
Osmo StrongSwan
Osmo ePDG

The processes of IKE init and IKE auth are progressing well. On the UE side, within the netns namespace, a network interface is created, and on the ePDG side, a gtp0 interface and a GTP tunnel are established.

However, gtp0 does not show an IPv4 address when running ip -br a; only an IPv6 address is displayed (this might be the issue?). for this I added an ipv4 to it manually with command : ip addr add 10.45.0.50 dev gtp0

When I try to send a packet from the UE side to 8.8.8.8 using ip netns exec internet ping 8.8.8.8, the packet reaches strongSwan, and it decrypts the packet, but the packet does not reach gtp0. the ens160 gets it.

I even added a route manually to forward packets destined for 8.8.8.8 to gtp0:
8.8.8.8 dev gtp0 scope link

But it still doesn’t work. Can anyone help me understand what the issue could be?

pespin · February 18, 2025, 2:56pm

Hi,

I’m taking from the top of my head here and I may be wrong, but the way ipsec works is that the traffic first shows up in the incoming network interface (let’s call it “incoming0” here), then the kernel decodes the internal pkt in it and then injects the internal pkt as if it was coming from that same interface.

See https://www.rsquare.org/wp-content/uploads/2013/01/Netfilter-packet-flow1.png to better understanf what I’m saying, it’s illustrated there ( see “xfrm decode”).

So basically that means you still need to properly route the internal traffic from “incoming0” to “gtp0”.

I advice you to use “ip route get” to figure out the outcome of routing, eg:
“ip route get 8.8.8.8 from UE.IP.ADDR.HERE iif incoming0”

You may also want to look at ansible-prototype/roles/epdg at master - ims-volte-vowifi/ansible-prototype - Osmocom gitea for ideas on what’s needed.

See for instance:

lynxis · February 18, 2025, 5:17pm

I think the missing part is the network routing and network setup.
In the context of user data traffic of a UE:

strongswan takes care of the ipsec side
osmo-epdg takes care of the gtp side

but in between you need to setup routing.
We use nftables to add a mark to incoming gtp packages from the gtp0 interface.
strongswan will add a mark to ipsec packages

Additional we use policy routing and separate routing tables based on the mark.

fprdkhti · March 8, 2025, 9:38am

Sorry for the delay in responding.
Thanks for your insights!

I don’t think this is a routing issue. When I use the command:

hping3 -1 -a 10.45.0.5 8.8.8.8

the packets are processed correctly, and everything works as expected. This suggests that routing is set up properly.

The key difference in my case is that the packets, after being decrypted by Strongswan, are not being forwarded correctly. I already have this route in my main routing table:

8.8.8.8 dev gtp0 scope link

Additionally, the following rules were created by Ansible:

220: from all fwmark 0x2 lookup epdg 220: from all fwmark 0x4 lookup 220

And the epdg routing table contains:

default dev gtp0 scope link

Given this setup, it seems like the issue is not routing itself but rather something related to how Strongswan is handling, changing or forwarding the decrypted packets.

Any additional insights on why packets from Strongswan aren’t reaching gtp0 would be appreciated.