Difference between revisions of "7lab"
Latest revision as of 23:26, 10 November 2009
Intro
Testing with:
- Dynagen & Dynamips (GNS3 not yet working on my Mac)
Future:
- Asterisk with chan-ss7
- Intel SS7 stack
- OpenSS7 new release
- Kannel
Network
Addressing
tmp (France)
- 10.42.0-9.x
- R1 dynamips Cisco ITP
  - 10.0.0.150
  - 10.42.1.1
  - PC: 4.2.1
  - x25: x25routerR1 250
- R2 dynamips Cisco ITP
  - 10.0.0.160
  - 10.42.2.1
  - PC: 4.2.2
  - x25: x25routerR2 150
- NET Intel SS7: 10.42.5.x
  - tee1 - Debian 5.02
    - 10.0.0.51
    - 10.42.5.1
    - IP Router, add it:
      route add -net 10.42.5.0 10.0.0.51 255.255.0.0
  - tee2 - Debian 5.02
    - 10.0.0.52
    - 10.42.5.2
- NET Clients VPNSSL: 10.42.8.x
  - tee1 - Debian 5.02
    - 10.42.8.1
bkk (Bangkok, Thailand)
- 10.42.32.x
- kin 10.211.55.7, 10.42.32.102
- mac (parallels 10.211.55.3) 10.42.32.2 VM: kin
- kiwi 10.42.32.1 VM: 10.42.32.101
tw (Taiwan)
- 10.42.50-59.x
Source Configuration
GIT
- There is a GIT repository
Commands
- Get your copy
git clone ssh://sevenbone@penguins.dreamhost.com/~/git/7bone.git 7bone
- Make some modification and compare
git diff
- Update your local copy with the master repository changes
git pull
- Add some files to your GIT repository
git add File14
git add Dir32
- Commit these changes and new files to your local GIT repository
git commit -m "Comment message here"
- Push your changes to the master repository
git push origin master
Installation
OpenSS7
On Ubuntu 8.04 (only this version; the build is highly kernel-version dependent):
apt-get install groff-base info bison flex
apt-get install linux-libc-dev libc6-dev libperl-dev
./configure --without-snmp
make
make install
M3UA
- Check /home/user/openss7-0.9.2.G/sigtran-0.9.2.4/src/modules/m3ua_as.c
SCTPlib
- http://sctp.de/sctp-download.html
- On Mac OS X a kernel extension (NKE) has to be loaded first (http://sctp.fh-muenster.de/sctp-nke.html):
kextload /System/Library/Extensions/SCTP.kext
- To compile the example programs (echo_tool etc.) against SCTPlib:
gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp -I/opt/local/include/glib-2.0 \
    -I/opt/local/lib/glib-2.0/include -I/opt/local/include -g -O2 \
    -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
    -I/opt/local/include -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
    -D_THREAD_SAFE -o echo_server echo_server.c sctp_wrapper.c -lsctplib
gcc -DHAVE_CONFIG_H -I. -I../.. -I./../sctp -I/opt/local/include/glib-2.0 \
    -I/opt/local/lib/glib-2.0/include -I/opt/local/include -g -O2 \
    -I/opt/local/include/glib-2.0 -I/opt/local/lib/glib-2.0/include \
    -I/opt/local/include -DDARWIN -DUSE_SELECT -Wall -g3 -O0 -D_REENTRANT \
    -D_THREAD_SAFE -o echo_tool echo_tool.c sctp_wrapper.c -lsctplib
- NKE and SCTPlib are mutually exclusive.
Intel / Dialogic SS7 stack
- Commercial stack
- 10 h license-free runtime
- http://resource.dialogic.com/telecom/support/ss7/cd/hostprotocolsoftware/index.htm
- http://www.dialogic.com/support/helpweb/signaling/
Configuration differences between two peers
- Useful bits
- For logging
FORK_PROCESS ./s7_log -fms7.log -o0xff1f -pms7.pcap
- Between two different configs
# diff upd/RUN/MTR/M2PA_CONFIG/config.txt upd/RUN/MTU/M2PA_CONFIG/config.txt
6c6,8
< CNSYS:IPADDR=192.168.0.2,PER=0;
---
> CNSYS:IPADDR=192.168.0.1,PER=0;
> *
> SNSLI:SNLINK=1,IPADDR=192.168.0.2,SNEND=C,SNTYPE=M2PA,M2PA=1,PPORT=3565;
8,9d9
< SNSLI:SNLINK=1,IPADDR=192.168.0.1,SNEND=S,SNTYPE=M2PA,M2PA=1,PPORT=3565;
< *
16,17c16,17
< * <ssf>
< MTP_LINKSET 0 1 1 0x0000 2 0x08
---
> * <ssf>
> MTP_LINKSET 0 2 1 0x0000 1 0x08
26c26
< MTP_ROUTE 1 0 0x0008
---
> MTP_ROUTE 2 0 0x0008
31c31
< SCCP_CONFIG 2 0x8 0x0102
---
> SCCP_CONFIG 1 0x8 0x0102
39c39
< SCCP_SSR 1 RSP 1 0 0x0000
---
> SCCP_SSR 1 RSP 2 0 0x0000
47c47
< SCCP_SSR 3 RSS 1 0x08 0
---
> SCCP_SSR 3 RSS 2 0x08 0
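The diff is only meaningful when read as the two halves of one M2PA link: every value that differs on one side has a mirror image on the other (own IP vs. peer IP, C vs. S end, adjacent vs. local point code). As an added example, not part of this page or of the Dialogic software, here is a Python check that two peer configs mirror each other, using the changed lines above as constructed inputs; the column meanings assumed for MTP_LINKSET, MTP_ROUTE and SCCP_CONFIG are the script's own assumption, stated in its docstring, not something the page documents.

```python
# Constructed from the '<' (MTR) and '>' (MTU) lines of the diff above; unchanged lines of config.txt are left out.
MTR_CFG = """CNSYS:IPADDR=192.168.0.2,PER=0;
SNSLI:SNLINK=1,IPADDR=192.168.0.1,SNEND=S,SNTYPE=M2PA,M2PA=1,PPORT=3565;
MTP_LINKSET 0 1 1 0x0000 2 0x08
MTP_ROUTE 1 0 0x0008
SCCP_CONFIG 2 0x8 0x0102
"""
MTU_CFG = """CNSYS:IPADDR=192.168.0.1,PER=0;
SNSLI:SNLINK=1,IPADDR=192.168.0.2,SNEND=C,SNTYPE=M2PA,M2PA=1,PPORT=3565;
MTP_LINKSET 0 2 1 0x0000 1 0x08
MTP_ROUTE 2 0 0x0008
SCCP_CONFIG 1 0x8 0x0102
"""

def parse_cfg(text):
    """Parse both line styles, 'CMD:k=v,k=v;' and 'CMD arg arg ...'; '*' lines are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("*"):
            continue
        if ":" in line and line.endswith(";"):
            cmd, params = line[:-1].split(":", 1)
            cfg[cmd] = dict(p.split("=", 1) for p in params.split(","))
        else:
            cmd, *args = line.split()
            cfg[cmd] = args
    return cfg

def check_peers(text_a, text_b):
    """Return the mismatches between two M2PA peer configs ([] when they mirror).
    Assumed columns: MTP_LINKSET <id> <adjacent_spc> <num_links> <flags> <local_spc> <ssf>."""
    a, b = parse_cfg(text_a), parse_cfg(text_b)
    problems = []
    # Each side's own address (CNSYS) must be the address the other side connects to (SNSLI)
    if (a["CNSYS"]["IPADDR"], b["CNSYS"]["IPADDR"]) != (b["SNSLI"]["IPADDR"], a["SNSLI"]["IPADDR"]):
        problems.append("SNSLI IPADDR does not match the peer's CNSYS IPADDR")
    if {a["SNSLI"]["SNEND"], b["SNSLI"]["SNEND"]} != {"C", "S"}:
        problems.append("one end must be SNEND=C (client) and the other SNEND=S (server)")
    if a["SNSLI"]["PPORT"] != b["SNSLI"]["PPORT"]:
        problems.append("PPORT differs between the peers")
    la, lb = a["MTP_LINKSET"], b["MTP_LINKSET"]
    if (la[1], la[4]) != (lb[4], lb[1]):  # adjacent/local point codes swap sides
        problems.append("adjacent and local point codes are not mirrored")
    for name, cfg in (("A", a), ("B", b)):  # assumed: MTP_ROUTE <dpc> ..., SCCP_CONFIG <local_spc> ...
        ls = cfg["MTP_LINKSET"]
        if cfg["MTP_ROUTE"][0] != ls[1] or cfg["SCCP_CONFIG"][0] != ls[4]:
            problems.append(name + ": MTP_ROUTE dpc / SCCP_CONFIG local spc disagree with MTP_LINKSET")
    return problems
```

Feeding the same file for both sides reports three mismatches at once, which is the usual symptom of copying one peer's config to the other without editing it.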
Commands for MTU/MTR
- Link activation
./mtpsl ACT 0 0
- SS7 MSU Play
./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7
- Combined
(./gctload -csystem.txt -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7
(./gctload -csystem.txt -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5; ./s7_play -f../intel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ;\
sleep 5; /mnt/remote/Documents/7bone/intel-stacks/upd/BIN/BACKUP_LNX/mtu -m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"

./gctload -x; sleep 3; (./gctload -csystem.txt -d &) ; sleep 5; ./mtpsl ACT 0 0; sleep 5;\
./s7_play -fintel-dev-upd/RUN/MTU/SCRIPTS/mtucfg.ms7 ; sleep 5; ./intel-dev-upd/BIN/BACKUP_LNX/mtu\
-m0x2d -g43010008 -a43020008 -i987654321 -s"Hello world"
Configurations
Hamachi
Quick Start
- Run 'make install' and then 'tuncfg' from under the root account.
- Run 'hamachi-init -c /etc/hamachi' to generate crypto identity (any account).
- Run 'hamachi start' to launch Hamachi daemon.
- Run 'hamachi login' to put the daemon online and to create an account.
- Run 'hamachi join <network>' to join the network.
- Run 'hamachi go-online <network>' to go online in the network.
- Run 'hamachi list' to list network members and their status.
OpenVPN
Introduction
Good tutorials can be found here:
- http://www.nemako.net/dc2/?post/openvpn
- http://openvpn.net/index.php/open-source/documentation/howto.html
We will use TCP port 9443 for the OpenVPN VPNSSL configuration, so your firewall must allow this port outbound.
OpenVPN Certificates
On OpenVPN server, see /usr/share/doc/openvpn/examples/easy-rsa/2.0/keys/
OpenVPN Client configs
client
dev tun
proto tcp
remote lab.tstf.net 1337
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
ns-cert-type server
user nobody
group nogroup
ca ca.crt
cert client.crt
key client.key
OpenVPN Server configs
See http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html
- Configure your server keys following /usr/share/doc/openvpn/examples/easy-rsa/2.0/README.gz
- edit vars
- ./build-dh
- ./pkitool --initca
- Create server keys: ./pkitool --server myserver
- Copy them to /etc/openvpn:
- cp keys/ca.* /etc/openvpn/
- cp keys/server1.* /etc/openvpn/
- cp keys/dh1024.pem /etc/openvpn/
- Copy sample configuration to /etc/openvpn: zcat /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz > /etc/openvpn/server.conf
- edit /etc/openvpn/server.conf
Example Configuration
local [EXTERNALIP]
port 8443
proto tcp
dev tap0
# we'll add a section on how to manage certs later
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
# this lets clients get the same IP address back after a reconnect
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /tmp/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
Networking
/etc/init.d/net-addroute
#!/bin/sh
### BEGIN INIT INFO
# Provides:          net-addroute
# Required-Start:    $all
# Required-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Adds 7Bone default routes at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO

#route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51

case "$1" in
  start)
    route add -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
    ;;
  stop)
    route del -net 10.42.0.0 netmask 255.255.0.0 gw 10.0.0.51
    ;;
  force-reload|restart)
    echo "No reload possibility for this script"
    ;;
  *)
    echo "Usage: /etc/init.d/net-addroute {start|stop|restart|force-reload}"
    exit 1
    ;;
esac
exit 0
Cisco ITP
- cs7 variant itu
- cs7 point-code 1.2.3
- Maybe: cs7 capability-pc 1.2.3
Diagnostics
SIGTRAN sniffing
- wireshark
- Hide the HEARTBEAT and HEARTBEAT_ACK chunks with the display filter:
sctp.chunk_type != 4 and sctp.chunk_type != 5
- Show the INITs (association setup):
sctp.chunk_type == 1
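Wireshark's display filter decides per packet, whereas the walker below decides per chunk, so a DATA chunk bundled with a HEARTBEAT_ACK is kept while the heartbeat is dropped. This is an added example, not code from the original page: a small Python SCTP chunk parser that applies the two filters above to constructed packets; the packet bytes and the port 3565 (the M2PA PPORT used in the Intel configs) are sample data built inline.

```python
import struct

# SCTP chunk types used by the display filters above (RFC 4960 section 3.2)
DATA, INIT, HEARTBEAT, HEARTBEAT_ACK = 0, 1, 4, 5
CHUNK_NAMES = {0: "DATA", 1: "INIT", 2: "INIT_ACK", 3: "SACK", 4: "HEARTBEAT", 5: "HEARTBEAT_ACK"}

def sctp_chunks(packet):
    """Yield (type, flags, value) for each chunk after the 12-byte common
    header (src port, dst port, verification tag, checksum)."""
    if len(packet) < 12:
        raise ValueError("truncated SCTP common header")
    off = 12
    while off + 4 <= len(packet):
        ctype, flags, length = struct.unpack_from("!BBH", packet, off)
        if length < 4 or off + length > len(packet):
            raise ValueError("bad chunk length %d at offset %d" % (length, off))
        yield ctype, flags, packet[off + 4:off + length]
        off += (length + 3) & ~3  # chunks are padded to a 4-byte boundary

def drop_heartbeats(packet):
    """Per-chunk counterpart of 'sctp.chunk_type != 4 and sctp.chunk_type != 5':
    the names of the chunks that remain once heartbeats are removed."""
    return [CHUNK_NAMES.get(t, "TYPE_%d" % t) for t, _, _ in sctp_chunks(packet)
            if t not in (HEARTBEAT, HEARTBEAT_ACK)]

def has_init(packet):
    """Counterpart of 'sctp.chunk_type == 1': does this packet open an association?"""
    return any(t == INIT for t, _, _ in sctp_chunks(packet))

def build_packet(chunks, src=3565, dst=3565, vtag=0):
    """Constructed SCTP packet for the demo (CRC32c checksum left at zero)."""
    body = b""
    for ctype, flags, value in chunks:
        length = 4 + len(value)
        body += struct.pack("!BBH", ctype, flags, length) + value
        body += b"\x00" * (-length % 4)
    return struct.pack("!HHII", src, dst, vtag, 0) + body

# Constructed samples: a bare HEARTBEAT, a bare INIT (vtag must be 0), and a DATA
# chunk with a 3-byte payload (so it needs padding) bundled with a HEARTBEAT_ACK.
HB_INFO = b"\x00\x01\x00\x08hb!!"  # Heartbeat Info parameter: type 1, length 8
PKT_HEARTBEAT = build_packet([(HEARTBEAT, 0, HB_INFO)], vtag=0x1234)
PKT_INIT = build_packet([(INIT, 0, struct.pack("!IIHHI", 0x1234, 65536, 2, 2, 1))])
PKT_MIXED = build_packet([(DATA, 0x03, struct.pack("!IHHI", 1, 0, 0, 0) + b"MSU"),
                          (HEARTBEAT_ACK, 0, HB_INFO)], vtag=0x1234)

if __name__ == "__main__":
    print(drop_heartbeats(PKT_HEARTBEAT), drop_heartbeats(PKT_MIXED), has_init(PKT_INIT))
```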
Testing
Security
- http://www.irmplc.com/downloads
- Media:MPLS_Security_Overview.pdf
- http://www.irmplc.com/researchlab/whitepapers