Unable to establish SWu/IKEv2 connection

Hey osmocom

Hope all is well

I want to deploy a VoWifi lab using the osmocom approach. I’ve deployed Open5gs, strongswan (Osmo-version), and Osmo-edge. When I connect a phone to my lab wifi, I get IPsec to initialize the negotiation (IKEv2) and auth begins.

But auth didn’t work (except after receiving the first auth from ue SWx, s2b and s6b begin). Also, I have two other errors in the strongswan logs. The first one is:

sending packet: from 192.168.21.66[500] to 192.168.26.85[42303] (38 bytes)
epdg: Invalid NAT (null).
epdg listener: updown: imsi UNKNOWN: IKE SA went down

and the second one is:

parsed IKE_AUTH request 1 [ IDi IDr CPRQ(PCSCF4 DNS DNS MASK ADDR) SA TSi TSr ]
looking for peer configs matching 192.168.21.66[ims]...192.168.20.85[0432112971399293@nai.epc.mnc011.mcc432.3gppnetwork.org]
no matching peer config found

Also, osmo-epdg printed out some logs like the one below, and I don’t know whether that is OK or not:

[info] Peer down: {<0.1668.0>,{diameter_caps,{"epdg.localdomain","hss.localdomain"},{"localdomain","localdomain"},{[{127,0,0,1},{192,168,21,66},{172,17,0,1}],[{127,0,0,8},{192,168,21,63}]},{0,0},{"osmo-epdg","freediameter"},{[],[1736077419]},{[10415,13019,5535],[5535,10415,13019]},{[],[]},{[],[]},{[],[]},{[{'diameter_base_Vendor-Specific-Application-Id',10415,[16777265],[]}],[{'diameter_base_Vendor-Specific-Application-Id',[10415],[16777216],[]},{'diameter_base_Vendor-Specific-Application-Id',[10415],[16777251],[]},{'diameter_base_Vendor-Specific-Application-Id',[10415],[16777265],[]}]},{[],[10500]},{[],[]}}}

I also tested with https://gitea.osmocom.org/ims-volte-vowifi/SWu-IKEv2 but the connection won’t establish either.

I have two questions:

  • Could you please provide some sample traffic that a newbie could look at as an example, to help them find out where the problem is?
  • Would you please give me some advice on how to fix the problem?

Best
Ali
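
When strongSwan reports "no matching peer config found", the preceding lookup line shows the identities it searched with: local address[IDr]...remote address[IDi]. The following sketch parses that line and checks the IDi against the 3GPP root NAI layout; it is an added example, not part of the original post or of any Osmocom code, and the function names, addresses and IMSI in it are constructed for illustration.

```python
import re

# strongSwan responder lookup line: local address[IDr]...remote address[IDi]
PEER_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<local>[^\[\s]+)\[(?P<idr>[^\]]*)\]\.\.\."
    r"(?P<remote>[^\[\s]+)\[(?P<idi>[^\]]*)\]"
)
# Root NAI: <prefix digit><IMSI>@nai.epc.mnc<MNC>.mcc<MCC>.3gppnetwork.org
NAI_RE = re.compile(
    r"^(?P<prefix>\d)(?P<imsi>\d{6,15})@nai\.epc\."
    r"mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$"
)

def check_nai(idi):
    """Return a list of problems with the IDi; an empty list means well-formed."""
    m = NAI_RE.match(idi)
    if not m:
        return ["IDi is not a 3GPP root NAI"]
    imsi, mnc, mcc = m["imsi"], m["mnc"], m["mcc"]
    problems = []
    if not imsi.startswith(mcc):
        problems.append("realm MCC %s does not match IMSI" % mcc)
    # The realm always carries three MNC digits; a 2-digit MNC is zero-padded.
    rest = imsi[3:]
    if not (rest.startswith(mnc) or (mnc[0] == "0" and rest.startswith(mnc[1:]))):
        problems.append("realm MNC %s does not match IMSI" % mnc)
    return problems

def triage(line):
    """Extract IDr/IDi from a lookup line and validate the IDi; None if no match."""
    m = PEER_RE.search(line)
    if not m:
        return None
    return {"idr": m["idr"], "idi": m["idi"], "problems": check_nai(m["idi"])}

# Constructed sample lines (documentation addresses, test PLMN 001/01).
GOOD = ("05[CFG] looking for peer configs matching 192.0.2.1[ims]..."
        "192.0.2.20[0001010000000001@nai.epc.mnc001.mcc001.3gppnetwork.org]")
BAD_REALM = ("05[CFG] looking for peer configs matching 192.0.2.1[ims]..."
             "192.0.2.20[0001010000000001@nai.epc.mnc001.mcc999.3gppnetwork.org]")

if __name__ == "__main__":
    for sample in (GOOD, BAD_REALM):
        print(triage(sample))
```

If the IDi is well-formed, the next thing to compare is the IDr (here the APN "ims") and the NAI realm against the identities the ePDG's connection definition expects.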

Warning: A lot of people are currently either sick or on holidays, or just returning with a big backlog.

I guess lynxis or @jolly might be able to help. For the client side, he recently wrote a rather comprehensive tutorial at https://osmocom.org/projects/foss-ims-client/wiki/VoWiFi_with_Asterisk

Sorry OP for hijacking your thread

I have tried the aforementioned SWU-emulator script to connect to a carrier’s production ePDG, but the server returns error 14 (No proposal chosen) right away. Could that be due to mismatched algorithms (encryption/key exchange/integrity) or some other factor, and is there any known way around this (provided I obviously don’t have access to the server logs/settings)? Thanks a lot.

It is hard to give any response to this without detailed logs, pcap files of the IKE traffic, etc.

In general I would suggest to also try the StrongSwan based approach, as StrongSwan is a much more mature, production-ready IPsec/IKEv2 implementation than the proof-of-concept / lab-grade SWu-Emulator-Script. The latter is a great hack (and achievement!), no doubt.

I suggest to collect bug reports at https://osmocom.org/projects/foss-ims-client/issues - I cannot guarantee they will be looked into, especially not if we have no way to obtain a SIM card from the respective operator to test ourselves… but at least we get a collection of things that don’t work with what specific operator… Thanks!