
====== How to run the IP/ROHC tunnel ======

This page is about the configuration of the [[iprohc-overview|IP/ROHC tunnel]]. Follow the [[iprohc-install|installation instructions]] first if the IP/ROHC application is not already installed on your system.

===== Prerequisites =====

You need at least 2 UNIX-like systems:
  * the first one will be the server,
  * the second one will be the client.

You may add more clients later.

Check that both systems satisfy all the following prerequisites:
  * You need write permissions to the directory ''/var/run'' on your system.
  * You need sufficient permissions to open a [[wp>TUN/TAP|TUN interface]].

===== Install software =====

Follow the [[iprohc-install|installation instructions of IP/ROHC]] on both the client and server systems.

===== Create certificates =====

For testing purposes, we will create a local private [[wp>Certification Authority|Certification Authority (CA)]], then we will issue 2 certificates from it. The following instructions use the ''CA.pl'' script provided by ''OpenSSL''. It may be installed at a different location on your system.

<fc blue>Text in blue</fc> below is either instructions or text for you to type.

<fc red>**DO NOT USE THE FOLLOWING PROCEDURE IN PRODUCTION WITHOUT KNOWING WHAT YOU DO.**</fc>

==== Create a Certification Authority (CA) ====

Create a [[wp>Certification Authority]]:

<ff monospace>$ /etc/ssl/misc/CA.pl -newca \\
CA certificate filename (or enter to create) \\
<fc blue><hit enter></fc> \\
Making CA certificate ... \\
Generating a 1024 bit RSA private key \\
...++++++ \\
............++++++ \\
writing new private key to './demoCA/private/cakey.pem' \\
Enter PEM pass phrase:<fc blue>test</fc> \\
Verifying - Enter PEM pass phrase:<fc blue>test</fc> \\
----- \\
You are about to be asked to enter information that will be incorporated \\
into your certificate request. \\
What you are about to enter is what is called a Distinguished Name or a DN. \\
There are quite a few fields but you can leave some blank \\
For some fields there will be a default value, \\
If you enter '.', the field will be left blank. \\
----- \\
Country Name (2 letter code) [AU]:<fc blue>FR</fc> \\
State or Province Name (full name) [Some-State]:<fc blue>Ile de France</fc> \\
Locality Name (eg, city) []:<fc blue>Paris</fc> \\
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<fc blue>My Company</fc> \\
Organizational Unit Name (eg, section) []:<fc blue><leave empty></fc> \\
Common Name (e.g. server FQDN or YOUR name) []:<fc blue>MyCompany</fc> \\
Email Address []:<fc blue>mycompany@example.com</fc> \\
\\
Please enter the following 'extra' attributes \\
to be sent with your certificate request \\
A challenge password []:<fc blue><leave empty></fc> \\
An optional company name []:<fc blue><leave empty></fc> \\
Using configuration from /etc/ssl/openssl.cnf \\
Enter pass phrase for ./demoCA/private/cakey.pem:<fc blue>test</fc> \\
Check that the request matches the signature \\
Signature ok \\
Certificate Details: \\
Serial Number: \\
91:53:18:41:69:fd:ae:43 \\
Validity \\
Not Before: May 8 08:21:05 2013 GMT \\
Not After : May 7 08:21:05 2016 GMT \\
Subject: \\
countryName = FR \\
stateOrProvinceName = Ile de France \\
organizationName = My Company \\
commonName = MyCompany \\
emailAddress = mycompany@example.com \\
X509v3 extensions: \\
X509v3 Subject Key Identifier: \\
66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18 \\
X509v3 Authority Key Identifier: \\
keyid:66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18 \\
\\
X509v3 Basic Constraints: \\
CA:TRUE \\
Certificate is to be certified until May 7 08:21:05 2016 GMT (1095 days) \\
\\
Write out database with 1 new entries \\
Data Base Updated \\
</ff>

==== Create the certificate for the server ====

Create a certificate request for the server's certificate:

<ff monospace>$ /etc/ssl/misc/CA.pl -newreq \\
Generating a 1024 bit RSA private key \\
.++++++ \\
.....++++++ \\
writing new private key to 'newkey.pem' \\
Enter PEM pass phrase:<fc blue>test</fc> \\
Verifying - Enter PEM pass phrase:<fc blue>test</fc> \\
----- \\
You are about to be asked to enter information that will be incorporated \\
into your certificate request. \\
What you are about to enter is what is called a Distinguished Name or a DN. \\
There are quite a few fields but you can leave some blank \\
For some fields there will be a default value, \\
If you enter '.', the field will be left blank. \\
----- \\
Country Name (2 letter code) [AU]:<fc blue>FR</fc> \\
State or Province Name (full name) [Some-State]:<fc blue>Ile de France</fc> \\
Locality Name (eg, city) []:<fc blue>Paris</fc> \\
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<fc blue>MyCompany</fc> \\
Organizational Unit Name (eg, section) []:<fc blue><leave empty></fc> \\
Common Name (e.g. server FQDN or YOUR name) []:<fc blue>IpRohcServer</fc> \\
Email Address []:<fc blue>mycompany@example.com</fc> \\
\\
Please enter the following 'extra' attributes \\
to be sent with your certificate request \\
A challenge password []:<fc blue><leave empty></fc> \\
An optional company name []:<fc blue><leave empty></fc> \\
Request is in newreq.pem, private key is in newkey.pem \\
</ff>

Create the server's certificate from the certificate request and the CA:

<ff monospace>$ /etc/ssl/misc/CA.pl -sign \\
Using configuration from /etc/ssl/openssl.cnf \\
Enter pass phrase for ./demoCA/private/cakey.pem:<fc blue>test</fc> \\
Check that the request matches the signature \\
Signature ok \\
Certificate Details: \\
Serial Number: \\
91:53:18:41:69:fd:ae:44 \\
Validity \\
Not Before: May  8 09:21:11 2013 GMT \\
Not After : May  8 09:21:11 2014 GMT \\
Subject: \\
countryName = FR \\
stateOrProvinceName = Ile de France \\
localityName = Paris \\
organizationName = MyCompany \\
commonName = IpRohcServer \\
emailAddress = mycompany@example.com \\
X509v3 extensions: \\
X509v3 Basic Constraints: \\
CA:FALSE \\
Netscape Comment: \\
OpenSSL Generated Certificate \\
X509v3 Subject Key Identifier: \\
C8:F8:43:31:38:F5:A3:C4:FF:58:2E:84:C6:E3:E0:82:62:47:E2:5C \\
X509v3 Authority Key Identifier: \\
keyid:66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18 \\
\\
Certificate is to be certified until May  8 09:21:11 2014 GMT (365 days) \\
Sign the certificate? [y/n]:<fc blue>y</fc> \\
\\
1 out of 1 certificate requests certified, commit? [y/n]<fc blue>y</fc> \\
Write out database with 1 new entries \\
Data Base Updated \\
Signed certificate is in newcert.pem \\
</ff>

Export the certificate, the private key, and the public part of the CA in the [[wp>PKCS12|PKCS#12 format]]:

<ff monospace>$ openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out newcert.p12 -export \\
Enter pass phrase for newkey.pem:<fc blue>test</fc> \\
Enter Export Password:<fc blue><leave empty></fc> \\
Verifying - Enter Export Password:<fc blue><leave empty></fc> \\
</ff>

**Do not specify an export password, otherwise the IP/ROHC server won't be able to load the certificate and key.**

Save the generated certificate, private key, and PKCS#12 files:
<code shell>
$ mkdir demoCA/certs/IpRohcServer
$ mv new* demoCA/certs/IpRohcServer/
</code>

==== Create the certificate for one client ====

<fc red>**Be sure to perform the actions below with the same CA as the server. If you don't know exactly what it means, be sure to generate the client's certificate on the same machine and in the same directory as the server.**</fc>

Create a certificate request for one client's certificate:

<ff monospace>$ /etc/ssl/misc/CA.pl -newreq \\
Generating a 1024 bit RSA private key \\
.++++++ \\
.....++++++ \\
writing new private key to 'newkey.pem' \\
Enter PEM pass phrase:<fc blue>test</fc> \\
Verifying - Enter PEM pass phrase:<fc blue>test</fc> \\
----- \\
You are about to be asked to enter information that will be incorporated \\
into your certificate request. \\
What you are about to enter is what is called a Distinguished Name or a DN. \\
There are quite a few fields but you can leave some blank \\
For some fields there will be a default value, \\
If you enter '.', the field will be left blank. \\
----- \\
Country Name (2 letter code) [AU]:<fc blue>FR</fc> \\
State or Province Name (full name) [Some-State]:<fc blue>Ile de France</fc> \\
Locality Name (eg, city) []:<fc blue>Paris</fc> \\
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<fc blue>MyCompany</fc> \\
Organizational Unit Name (eg, section) []:<fc blue><leave empty></fc> \\
Common Name (e.g. server FQDN or YOUR name) []:<fc blue>IpRohcClient1</fc> \\
Email Address []:<fc blue>mycompany@example.com</fc> \\
\\
Please enter the following 'extra' attributes \\
to be sent with your certificate request \\
A challenge password []:<fc blue><leave empty></fc> \\
An optional company name []:<fc blue><leave empty></fc> \\
Request is in newreq.pem, private key is in newkey.pem \\
</ff>

Create the client's certificate from the certificate request and the CA:

<ff monospace>$ /etc/ssl/misc/CA.pl -sign \\
Using configuration from /etc/ssl/openssl.cnf \\
Enter pass phrase for ./demoCA/private/cakey.pem:<fc blue>test</fc> \\
Check that the request matches the signature \\
Signature ok \\
Certificate Details: \\
Serial Number: \\
91:53:18:41:69:fd:ae:44 \\
Validity \\
Not Before: May 8 09:21:11 2013 GMT \\
Not After : May 8 09:21:11 2014 GMT \\
Subject: \\
countryName = FR \\
stateOrProvinceName = Ile de France \\
localityName = Paris \\
organizationName = MyCompany \\
commonName = IpRohcClient1 \\
emailAddress = mycompany@example.com \\
X509v3 extensions: \\
X509v3 Basic Constraints: \\
CA:FALSE \\
Netscape Comment: \\
OpenSSL Generated Certificate \\
X509v3 Subject Key Identifier: \\
C8:F8:43:31:38:F5:A3:C4:FF:58:2E:84:C6:E3:E0:82:62:47:E2:5C \\
X509v3 Authority Key Identifier: \\
keyid:66:F1:97:11:FC:4C:F5:7E:23:C7:DF:ED:C1:61:EA:80:B3:11:1F:18 \\
\\
Certificate is to be certified until May 8 09:21:11 2014 GMT (365 days) \\
Sign the certificate? [y/n]:<fc blue>y</fc> \\
\\
1 out of 1 certificate requests certified, commit?
[y/n]<fc blue>y</fc> \\
Write out database with 1 new entries \\
Data Base Updated \\
Signed certificate is in newcert.pem \\
</ff>

Export the certificate, the private key, and the public part of the CA in the [[wp>PKCS12|PKCS#12 format]]:

<ff monospace>$ openssl pkcs12 -in newcert.pem -inkey newkey.pem -certfile demoCA/cacert.pem -out newcert.p12 -export \\
Enter pass phrase for newkey.pem:<fc blue>test</fc> \\
Enter Export Password:<fc blue><leave empty></fc> \\
Verifying - Enter Export Password:<fc blue><leave empty></fc> \\
</ff>

**Do not specify an export password, otherwise the IP/ROHC server won't be able to load the certificate and key.**

Save the generated certificate, private key, and PKCS#12 files:
<code shell>
$ mkdir demoCA/certs/IpRohcClient1
$ mv new* demoCA/certs/IpRohcClient1/
</code>

**In order to create certificates for more clients, perform the same actions as above but replace ''IpRohcClient1'' by ''IpRohcClient<fc blue>N</fc>'' with <fc blue>N</fc> incremented by 1 each time.**

===== Server =====

==== Configure the server ====

Copy the generated PKCS#12 file ''demoCA/certs/IpRohcServer/newcert.p12'' as ''/etc/ssl/server_voip.p12'' on the server system.

Then edit the ''/etc/iprohc_server.conf'' file to fit your needs. The configuration file is in [[wp>YAML|YAML format]].
<code yaml>
# Config file for iprohc server

general:
  port: 3126                            # the TCP port to listen client requests on
  pidfile: /var/run/iprohc_server.pid   # the file in which to record the PID
  p12file: /etc/ssl/server_voip.p12     # the server certificate and private key (PKCS12 format)

tunnel:
  ipaddr: 192.168.42.1   # The local IP address assigned by the server on the tunnel interface
                         # (clients will get assigned one IP address in the associated /24 range)
  packing: 5             # The packing level, i.e. do not put more than N packets together in a tunnel frame
  maxcid: 15             # The maximum allowed CID in the ROHC compressor
  unidirectional: 1      # The ROHC mode (1 = unidirectional, 0 = bidirectional)
  keepalive: 60          # The maximum time (in seconds) to receive keepalive before dying
                         # (keepalives are sent every third of this value)

# vim:ft=yaml
</code>

Notes:
  * Change the value of the ''pidfile'' parameter if you don't have write permissions on the ''/var/run/'' directory.
  * Modify the value of the ''p12file'' parameter if you prefer using a different path for your PKCS#12 certificate file.
  * Modify the value of the ''ipaddr'' parameter if you want to customize the subnet used for the IP/ROHC tunnel. [[https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces|Private IPv4 subnets]] are recommended: 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12.

==== Run the server ====

You may either run the server with its init script or manually.

Start the server with the dedicated init script (you may find it in the ''debian/init.d/'' sub-directory in the sources):
<code shell>
# /etc/init.d/iprohc_server start
</code>

Start the server manually if the configuration file is located at ''/etc/iprohc_server.conf'':
<code shell>
# iprohc_server
</code>

Start the server manually if the configuration file is **not** located at ''/etc/iprohc_server.conf'':
<code shell>
# iprohc_server --conf /path/to/iprohc_server.conf
</code>

Then, check that the server started correctly by looking at the system logs (where system logs are stored depends on your system configuration):
<code shell>
# grep iprohc_server /var/log/messages | tail -n 20
May 8 12:16:35 XXXX iprohc_server[18973]: load server certificate from file '/etc/ssl/server_voip.p12'
May 8 12:16:35 XXXX iprohc_server[18973]: generate Diffie–Hellman parameters (it takes a few seconds)
May 8 12:16:45 XXXX iprohc_server[18973]: listen on TCP 0.0.0.0:3126
May 8 12:16:45 XXXX iprohc_server[18973]: create TUN interface
May 8 12:16:45 XXXX iprohc_server[18973]: start TUN routing thread
May 8 12:16:45 XXXX iprohc_server[18973]: create RAW socket
May 8 12:16:45 XXXX iprohc_server[18973]: start RAW routing thread
May 8 12:16:45 XXXX iprohc_server[18973]: server is now ready to accept requests from clients
May 8 12:16:45 XXXX iprohc_server[18973]: Initializing routing thread
May 8 12:16:45 XXXX iprohc_server[18973]: Initializing routing thread
</code>

If the messages are different, please refer to the [[#server_troubleshooting|troubleshooting paragraph]].

If everything seems correct, check that the tunnel interface is available and configured:
<code shell>
# ip link show tun_ipip
XX: tun_ipip: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 500
    link/none
# ip -4 address show tun_ipip
XX: tun_ipip: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    inet 192.168.42.1/24 scope global tun_ipip
</code>

If the output is different, please refer to the [[#server_troubleshooting|troubleshooting paragraph]]. If everything seems correct once again, the server is ready! Please go on to [[#client_s|configure one or more IP/ROHC clients]].

===== Client(s) =====

This section describes how to set up one client. Several clients may be run simultaneously on different systems against the same server. Use different PKCS#12 files for the different clients.

==== Configure one client ====

Copy the generated PKCS#12 file ''demoCA/certs/IpRohcClient1/newcert.p12'' as ''client1.p12'' on the client system. The client's PKCS#12 file must be different from the server's PKCS#12 file.

==== Run one client ====

There is no init script on the client side, so you have to start it manually on the command line. Run this command as root:
<code shell>
# iprohc_client --remote X.X.X.X --port 3126 --dev iprohc --p12 /path/to/client1.p12
</code>

Notes:
  * Replace ''X.X.X.X'' by the IP address of the server. This is **not** the IP address set in the server's configuration file (that one is used for the tunnel interface), but the one assigned on the underlying network interface. On a basic setup, it is the IP address assigned to the ''eth0'' interface.
  * The value of the ''%%--port%%'' argument shall match the value of the ''port'' parameter in the server's configuration.
  * The value of the ''%%--dev%%'' argument may be customized to fit your needs. The network interface of the IP/ROHC tunnel will be named accordingly.
  * Change the value of the ''%%--p12%%'' argument to match the exact location of the client's PKCS#12 file.

Then, check that the client started correctly by looking at the client's system logs (where system logs are stored depends on your system configuration):
<code shell>
# grep iprohc_client /var/log/messages | tail -n 20
May 8 12:31:14 XXXX iprohc_client[19202]: local address X.X.X.X:53137 is used to contact server
May 8 12:31:14 XXXX iprohc_client[19202]: TLS handshake succeeded
May 8 12:31:14 XXXX iprohc_client[19202]: client certificate accepted
May 8 12:31:14 XXXX iprohc_client[19202]: send connect message to server
May 8 12:31:14 XXXX iprohc_client[19202]: wait for connect answer from server
May 8 12:31:14 XXXX iprohc_client[19202]: run tunnel thread for new client
</code>

On the server system, new traces should have been recorded in the system logs (where system logs are stored depends on your system configuration):
<code shell>
# grep iprohc_server /var/log/messages | tail -n 20
May 8 12:31:14 XXXX iprohc_server[19198]: new connection from Y.Y.Y.Y:53137
May 8 12:31:14 XXXX iprohc_server[19198]: TLS handshake succeeded
May 8 12:31:14 XXXX iprohc_server[19198]: [Y.Y.Y.Y] Connection asked, negotating parameters
May 8 12:31:14 XXXX iprohc_server[19198]: [Y.Y.Y.Y] Connection asked, negotating parameters (proto version 1, asked packing : 0)
May 8 12:31:14 XXXX iprohc_server[19198]: [Y.Y.Y.Y] Connection started by client
</code>

If the messages are different, please refer
to the [[#client_troubleshooting|troubleshooting paragraph]].

If everything seems correct, check that the tunnel interface is available and configured:
<code shell>
# ip link show iprohc
XX: iprohc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 500
    link/none
# ip -4 address show iprohc
XX: iprohc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    inet 192.168.42.11/24 scope global iprohc
</code>

If the output is different, please refer to the [[#client_troubleshooting|troubleshooting paragraph]]. If everything seems correct once again, the client is ready! Please go on to [[#tunnel|test the tunnel connectivity]].

===== Testing tunnel connectivity =====

On the server:
<code shell>
$ ping 192.168.42.11
</code>

On any client:
<code shell>
$ ping 192.168.42.1
</code>

You may also set the default route of all or some clients to the tunnel:
<code shell>
# ip route add default via 192.168.42.1
</code>

You may get some statistics about the ROHC compression and the packing mechanism by sending the ''SIGUSR1'' signal to the process of the IP/ROHC server:
<code shell>
# kill -USR1 $( cat /var/run/iprohc_server.pid )
</code>

The statistics are recorded in the system logs (where system logs are stored depends on your system configuration):
<code shell>
May 8 12:54:51 XXXX iprohc_server[19198]: ------------------------------------------------------
May 8 12:54:51 XXXX iprohc_server[19198]: Client Y.Y.Y.Y
May 8 12:54:51 XXXX iprohc_server[19198]: Packing : 0
May 8 12:54:51 XXXX iprohc_server[19198]: Stats :
May 8 12:54:51 XXXX iprohc_server[19198]: . Failed decompression : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . Total decompression : 18
May 8 12:54:51 XXXX iprohc_server[19198]: . Failed compression : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . Total compression : 18
May 8 12:54:51 XXXX iprohc_server[19198]: . Failed depacketization : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . Total received packets on raw : 16
May 8 12:54:51 XXXX iprohc_server[19198]: . Total compressed header size : 90 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: . Total compressed packet size : 1242 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: . Total header size before comp : 360 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: . Total packet size before comp : 1512 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: Stats packing :
May 8 12:54:51 XXXX iprohc_server[19198]: . 0 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . 1 : 14
May 8 12:54:51 XXXX iprohc_server[19198]: . 2 : 2
May 8 12:54:51 XXXX iprohc_server[19198]: . 3 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . 4 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . 5 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: ------------------------------------------------------
</code>

In the above example:
  * The tunnel transported 1512 bytes of ICMP packets (pings). Among all those bytes, 360 bytes were for IPv4 headers. The ROHC protocol compressed those 360 bytes to 90 bytes, saving 270 bytes (75% of headers). With payload included, the ROHC protocol compressed the 1512 bytes to 1512 - 360 + 90 = 1242 bytes, still saving 270 bytes (17% of whole packets).
  * The packing mechanism was not very efficient because the rate of ICMP packets was too slow: 14 packets were transmitted without packing, 2 frames were transmitted with 2 packets glued together. A network stream with a higher rate would make better use of the packing mechanism (5 packets per frame).

===== Troubleshooting =====

==== Server troubleshooting ====

**Q:** You see the following message in the logs:
<code>
failed to open pidfile '/var/run/iprohc_server.pid': Permission denied (13)
</code>
**A:** You don't have write permission on the ''/var/run/'' directory. Either run the IP/ROHC server as a user with enough permissions, or change the location of the PID file in the configuration file (see the configuration paragraph above).
**Q:** You see the following message in the logs:
<code>
failed to open PKCS#12 file '/etc/ssl/server_voip.p12': No such file or directory (2)
</code>
**A:** The IP/ROHC server failed to find the PKCS#12 file. Either copy the PKCS#12 file to ''/etc/ssl/server_voip.p12'', or change the location of the PKCS#12 file in the configuration file (see the configuration paragraph above).

**Q:** You see the following message in the logs:
<code>
failed to ioctl(TUNSETIFF) on /dev/net/tun: Operation not permitted (1)
</code>
**A:** You don't have the permission to create TUN interfaces. Run the IP/ROHC server as ''root'' or as any other user with the ''CAP_NET_ADMIN'' POSIX capability.

==== Client troubleshooting ====

**Q:** You see the following message in the logs:
<code>
failed to connect to server: Connection refused (111)
</code>
**A:** Check the network connectivity between client and server: try ''ping X.X.X.X'' on the client, check any firewall rules (TCP/3126 shall be allowed)...
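The certificate procedure in the "Create certificates" section above is interactive and has to be repeated by hand for every client. The script below is an added example (it is not part of the IP/ROHC project and does not use ''CA.pl''): it builds the same three-piece test PKI (a private CA, one ''IpRohcServer'' certificate, and ''IpRohcClient1'' .. ''IpRohcClientN'') with plain ''openssl'' commands, exports every end entity to PKCS#12 with an empty export password as the page requires, and then checks each bundle the way the daemons will consume it (opens without a password, chains to the CA). Subject names, the ''demoCA''-like directory layout, the 2048-bit keys and the lifetimes are this example's own choices; it generalises the page's one-client walkthrough to N clients.

```shell
#!/bin/sh
# Added example, not the IP/ROHC project's code: non-interactive replacement for
# the CA.pl walkthrough. Layout mimics the page: $pki/cacert.pem,
# $pki/private/cakey.pem and $pki/certs/<name>/{newkey,newreq,newcert}.pem + newcert.p12
set -eu

# Issue one end-entity certificate (CA:FALSE) signed by the CA under $1 and
# export it to $1/certs/$2/newcert.p12 with an EMPTY export password.
issue_end_entity() {
    pki="$1"; name="$2"; out="$pki/certs/$name"
    mkdir -p "$out"
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/C=FR/ST=Ile de France/L=Paris/O=MyCompany/CN=$name" \
        -keyout "$out/newkey.pem" -out "$out/newreq.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$out/newreq.pem" \
        -CA "$pki/cacert.pem" -CAkey "$pki/private/cakey.pem" -CAcreateserial \
        -out "$out/newcert.pem" 2>/dev/null
    # "-passout pass:" is the empty password: iprohc_server/iprohc_client cannot prompt for one
    openssl pkcs12 -export -in "$out/newcert.pem" -inkey "$out/newkey.pem" \
        -certfile "$pki/cacert.pem" -out "$out/newcert.p12" -passout pass:
}

# Create the self-signed CA under $1, then IpRohcServer and IpRohcClient1..IpRohcClient$2.
make_tunnel_pki() {
    pki="$1"; nclients="${2:-1}"
    mkdir -p "$pki/private" "$pki/certs"
    chmod 700 "$pki/private"          # the CA key is the root of trust for every tunnel peer
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 \
        -subj "/C=FR/ST=Ile de France/O=My Company/CN=MyCompany" \
        -keyout "$pki/private/cakey.pem" -out "$pki/cacert.pem" 2>/dev/null
    issue_end_entity "$pki" IpRohcServer
    i=1
    while [ "$i" -le "$nclients" ]; do
        issue_end_entity "$pki" "IpRohcClient$i"
        i=$((i + 1))
    done
}

# Check a PKCS#12 bundle ($1) against the CA certificate ($2) the way the daemons
# will use it: it must open with an EMPTY password and its certificate must chain
# to the CA. On success prints the certificate's CN; fails otherwise.
check_p12() {
    p12="$1"; cacert="$2"
    openssl pkcs12 -in "$p12" -passin pass: -nokeys -clcerts 2>/dev/null \
        | openssl verify -CAfile "$cacert" >/dev/null 2>&1 || return 1
    openssl pkcs12 -in "$p12" -passin pass: -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}
```

Typical use is `make_tunnel_pki ./demoCA 3` followed by `check_p12 ./demoCA/certs/IpRohcClient2/newcert.p12 ./demoCA/cacert.pem`, which prints `IpRohcClient2`. The verification step is the one worth keeping around even if you stick with ''CA.pl'': a bundle that was exported with a non-empty password, or a client bundle signed by a different CA than the server's (the red warning above), fails here instead of at connection time in the daemon logs.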
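The statistics dump in the "Testing tunnel connectivity" section is interpreted by hand above (270 of 360 header bytes saved, 75% of headers, 17% of whole packets). The function below is an added example, not part of the IP/ROHC project: it parses one ''SIGUSR1'' dump in the syslog format shown on the page, recomputes those savings, checks the size accounting (compressed packet size = packet size before compression - header size before compression + compressed header size), summarises the packing histogram, and exits non-zero when any compression, decompression or depacketization failure was counted, so it can run from a monitoring job. The sample dump is constructed for the example and modelled on the page's values.

```shell
#!/bin/sh
# Added example, not the IP/ROHC project's code: summarise one SIGUSR1 statistics
# dump written by iprohc_server to syslog. Reads the log lines on stdin.

# Constructed sample input, modelled on the dump shown on the page
ROHC_SAMPLE='May 8 12:54:51 XXXX iprohc_server[19198]: ------------------------------------------------------
May 8 12:54:51 XXXX iprohc_server[19198]: Client Y.Y.Y.Y
May 8 12:54:51 XXXX iprohc_server[19198]: Packing : 0
May 8 12:54:51 XXXX iprohc_server[19198]: Stats :
May 8 12:54:51 XXXX iprohc_server[19198]: . Failed decompression : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . Total decompression : 18
May 8 12:54:51 XXXX iprohc_server[19198]: . Failed compression : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . Total compression : 18
May 8 12:54:51 XXXX iprohc_server[19198]: . Failed depacketization : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . Total received packets on raw : 16
May 8 12:54:51 XXXX iprohc_server[19198]: . Total compressed header size : 90 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: . Total compressed packet size : 1242 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: . Total header size before comp : 360 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: . Total packet size before comp : 1512 bytes
May 8 12:54:51 XXXX iprohc_server[19198]: Stats packing :
May 8 12:54:51 XXXX iprohc_server[19198]: . 0 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . 1 : 14
May 8 12:54:51 XXXX iprohc_server[19198]: . 2 : 2
May 8 12:54:51 XXXX iprohc_server[19198]: . 3 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . 4 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: . 5 : 0
May 8 12:54:51 XXXX iprohc_server[19198]: ------------------------------------------------------'

# Prints one summary line; exit status 0 = healthy, 1 = no statistics found,
# 2 = at least one failed (de)compression or depacketization was reported.
rohc_stats_summary() {
    awk '
    # keep only what the daemon wrote after the syslog prefix; drop other lines
    { if (!sub(/^.*iprohc_server\[[0-9]+\]: /, "")) next }
    /^Client /                          { client = $2 }
    /^\. Failed /                       { split($0, kv, " : "); failed += kv[2] }
    /^\. Total compressed header size/  { split($0, kv, " : "); chdr = kv[2] + 0 }
    /^\. Total compressed packet size/  { split($0, kv, " : "); cpkt = kv[2] + 0 }
    /^\. Total header size before comp/ { split($0, kv, " : "); hdr = kv[2] + 0 }
    /^\. Total packet size before comp/ { split($0, kv, " : "); pkt = kv[2] + 0 }
    # packing histogram: ". <packets per frame> : <frames>"
    /^\. [0-9]+ : [0-9]+$/ {
        split($0, kv, " : "); n = kv[1]; sub(/^\. /, "", n)
        packing[n] = kv[2] + 0
        if (n + 0 > maxn) maxn = n + 0
    }
    END {
        if (hdr == 0 || pkt == 0) { print "no statistics found"; exit 1 }
        saved = hdr - chdr
        printf "client=%s headers=%d->%d saved=%d (%d%%) packets=%d->%d saved=%d (%d%%)",
               client, hdr, chdr, saved, int(saved * 100 / hdr),
               pkt, cpkt, pkt - cpkt, int((pkt - cpkt) * 100 / pkt)
        printf " packing="
        for (n = 1; n <= maxn; n++) printf "%s%d:%d", (n > 1 ? "," : ""), n, packing[n] + 0
        # the two size lines must agree: compressed packets = packets - headers + compressed headers
        printf " failed=%d accounting=%s\n", failed, (cpkt == pkt - hdr + chdr) ? "ok" : "MISMATCH"
        exit (failed > 0 ? 2 : 0)
    }'
}
```

Run it on a live system as `grep iprohc_server /var/log/messages | tail -n 30 | rohc_stats_summary` right after the `kill -USR1`. For the sample above it prints `client=Y.Y.Y.Y headers=360->90 saved=270 (75%) packets=1512->1242 saved=270 (17%) packing=1:14,2:2,3:0,4:0,5:0 failed=0 accounting=ok`; a packing histogram dominated by `1:` is the "rate too slow" case explained on the page, and a non-zero `failed=` count is the thing to alert on.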
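The three server troubleshooting entries above each correspond to a condition that can be checked before ''iprohc_server'' is started. The script below is an added example, not part of the IP/ROHC project: it reads ''pidfile'', ''p12file'' and ''port'' from the server's YAML configuration with ''sed'' (the file is flat enough for that), then checks that the PID file location is writable, that the PKCS#12 file exists and opens with an empty password, that ''/dev/net/tun'' is present (with a warning when not running as root, since ''CAP_NET_ADMIN'' is needed), and, best-effort via ''ss'', that the TCP port is free. Function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example, not the IP/ROHC project's code: pre-flight checks for
# iprohc_server derived from the troubleshooting entries on this page.
set -u

# Print the scalar value of key $2 from the YAML config $1 (trailing comments stripped).
iprohc_conf_get() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Check pidfile, PKCS#12 file, TUN device and TCP port for the config in $1;
# print one OK/WARN/FAIL line per check and return the number of FAIL lines.
iprohc_preflight() {
    conf="$1"; fails=0
    pidfile=$(iprohc_conf_get "$conf" pidfile)
    p12file=$(iprohc_conf_get "$conf" p12file)
    port=$(iprohc_conf_get "$conf" port)

    # "failed to open pidfile '...': Permission denied (13)"
    if [ -n "$pidfile" ] && [ -w "$(dirname "$pidfile")" ]; then
        echo "OK: pidfile directory $(dirname "$pidfile") is writable"
    else
        echo "FAIL: pidfile '$pidfile' is not writable (change 'pidfile' or run with more rights)"
        fails=$((fails + 1))
    fi

    # "failed to open PKCS#12 file '...': No such file or directory (2)"
    if [ -z "$p12file" ] || [ ! -r "$p12file" ]; then
        echo "FAIL: PKCS#12 file '$p12file' is missing or unreadable (check 'p12file')"
        fails=$((fails + 1))
    elif command -v openssl >/dev/null 2>&1 \
         && ! openssl pkcs12 -in "$p12file" -passin pass: -noout >/dev/null 2>&1; then
        # the daemon cannot prompt, so the bundle must open with an EMPTY export password
        echo "FAIL: PKCS#12 file '$p12file' does not open with an empty export password"
        fails=$((fails + 1))
    else
        echo "OK: PKCS#12 file '$p12file' is readable"
    fi

    # "failed to ioctl(TUNSETIFF) on /dev/net/tun: Operation not permitted (1)"
    if [ ! -c /dev/net/tun ]; then
        echo "FAIL: /dev/net/tun is missing (load the tun module)"
        fails=$((fails + 1))
    elif [ "$(id -u)" -ne 0 ]; then
        echo "WARN: not root; creating the TUN interface needs CAP_NET_ADMIN"
    else
        echo "OK: /dev/net/tun is present and we run as root"
    fi

    # the listening port must be free (best effort: only when ss(8) is available)
    if command -v ss >/dev/null 2>&1 \
       && ss -ltn 2>/dev/null | awk -v p=":$port" '$4 ~ p"$"' | grep -q .; then
        echo "FAIL: TCP port $port is already in use"
        fails=$((fails + 1))
    else
        echo "OK: TCP port $port is free (or could not be checked)"
    fi
    return "$fails"
}
```

Run `iprohc_preflight /etc/iprohc_server.conf` as the user that will run the daemon; each FAIL line names the configuration parameter to change, which is the same advice the troubleshooting answers give after the fact.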

iprohc-run.txt · Last modified: 2015/10/29 18:06 by didier