Copyright © 2007 FhG FOKUS
Copyright © 2012 Smile Communications
Copyright © 2015 ng-voice GmbH
Table of Contents
ipsec_listen_addr
(string)
ipsec_listen_addr6
(string)
ipsec_client_port
(int)
ipsec_server_port
(int)
ipsec_max_connections
(int)
ipsec_reuse_server_port
(int)
ipsec_spi_id_start
(int)
ipsec_spi_id_range
(int)
ipsec_preferred_alg
(string)
ipsec_preferred_ealg
(string)
This module contains methods for IPSec initialisation and deinitialisation, for use of Kamailio as a Proxy-CSCF.
ipsec_listen_addr (string)
IP address which the Proxy-CSCF will use for incoming/outgoing SIP traffic over IPSec.
Default value is empty string (null), in which case the IPv4 listen interface will not be added.
Example 1.1. ipsec_listen_addr parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_listen_addr", "")
...
ipsec_listen_addr6 (string)
IPv6 address which the Proxy-CSCF will use for incoming/outgoing SIP traffic over IPSec.
Default value is empty string (null), in which case the IPv6 listen interface will not be added.
Example 1.2. ipsec_listen_addr6 parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_listen_addr6", "")
...
ipsec_client_port (int)
Port number which will be bound for incoming (server) IPSec traffic.
Default value is 5062.
Example 1.3. ipsec_client_port parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_client_port", 5062)
...
ipsec_server_port (int)
Port number which will be bound for incoming (server) IPSec traffic.
Default value is 5063.
Example 1.4. ipsec_server_port parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_server_port", 5063)
...
ipsec_max_connections (int)
Maximum number of simultaneous IPSec connections.
Default value is 2.
Example 1.5. ipsec_max_connections parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_max_connections", 10)
...
ipsec_reuse_server_port (int)
Whether to reuse (1) or not (0) the P-CSCF IPSec information on re-registration of a UA. When set to 0, the P-CSCF creates new IPSec tunnels during re-registration. When set to 1, the P-CSCF reuses the old IPSec tunnels during re-registration.
Default value is 1.
Example 1.6. ipsec_reuse_server_port parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_reuse_server_port", 1)
...
ipsec_spi_id_start (int)
Each IPSec tunnel has a unique system-wide identifier (SPI). This option and the following one allow tuning the SPIs used by Kamailio in order to avoid collisions with other IPSec users on the same system. If Kamailio is the only process on the system which uses IPSec, don't bother with this option.
Default value is 100.
Example 1.7. ipsec_spi_id_start parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_spi_id_start", 100)
...
ipsec_spi_id_range (int)
Number of SPIs to allocate for the process. E.g. if ipsec_spi_id_start = 100 and ipsec_spi_id_range = 1000, SPIs between 100 and 1100 will be used.
Default value is 1000.
Example 1.8. ipsec_spi_id_range parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_spi_id_range", 1000)
...
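A pre-start check for the SPI window described above, as an added example that is not part of the Kamailio documentation: it parses `ip xfrm state` output and lists SAs owned by other IPSec users whose SPI falls inside ipsec_spi_id_start .. ipsec_spi_id_start + ipsec_spi_id_range. The sample output is constructed, the function names are hypothetical, and treating both bounds as inclusive is an assumption.

```python
import re

# `ip xfrm state` prints one "proto <p> spi 0x<hex>" line per SA.
SPI_RE = re.compile(r"\bproto\s+(\w+)\s+spi\s+(0x[0-9a-fA-F]+)")

# Constructed sample of `ip xfrm state` output (key material lines omitted).
SAMPLE_XFRM = """\
src 192.0.2.10 dst 192.0.2.20
\tproto esp spi 0x000001f4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
src 192.0.2.20 dst 192.0.2.10
\tproto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
"""


def parse_sas(xfrm_text):
    """Return [(src, dst, proto, spi)] for every SA in `ip xfrm state` output."""
    sas, src, dst = [], None, None
    for line in xfrm_text.splitlines():
        fields = line.split()
        # SA header line: "src <addr> dst <addr>" (selector lines start with "sel").
        if len(fields) >= 4 and fields[0] == "src" and fields[2] == "dst":
            src, dst = fields[1], fields[3]
        match = SPI_RE.search(line)
        if match:
            sas.append((src, dst, match.group(1), int(match.group(2), 16)))
    return sas


def spi_conflicts(xfrm_text, spi_id_start=100, spi_id_range=1000):
    """SAs already installed inside the window Kamailio would allocate from.

    Defaults mirror the documented defaults; bounds are treated as inclusive
    (assumption), matching "SPIs between 100 and 1100".
    """
    low, high = spi_id_start, spi_id_start + spi_id_range
    return [sa for sa in parse_sas(xfrm_text) if low <= sa[3] <= high]


if __name__ == "__main__":
    for src, dst, proto, spi in spi_conflicts(SAMPLE_XFRM):
        print(f"SPI {spi} ({proto} {src} -> {dst}) is inside the Kamailio window")
```

Run it against the real `ip xfrm state` output before Kamailio starts; any hit means ipsec_spi_id_start should be moved to a window the other IPSec user does not allocate from.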
ipsec_preferred_alg (string)
The name of an authentication algorithm which the Proxy-CSCF will prefer when creating IPSec tunnels.
Default value is empty string (null), in which case the last algorithm in the Sec-Agree header will be used.
Example 1.9. ipsec_preferred_alg parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_preferred_alg", "hmac-sha-1-96")
...
ipsec_preferred_ealg (string)
The name of an encryption algorithm which the Proxy-CSCF will prefer when creating IPSec tunnels.
Default value is empty string (null), in which case the last algorithm in the Sec-Agree header will be used. Note that the possibility of it being the "null" algorithm is not insignificant; with "null" the tunnel traffic is not encrypted.
Example 1.10. ipsec_preferred_ealg parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_preferred_ealg", "aes-cbc")
...
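The selection rule stated for ipsec_preferred_alg and ipsec_preferred_ealg, as an added audit sketch that is not the module's code: it parses a Security-Client header value and reports which algorithms would result, flagging the case where the default ends on "null" encryption. The header value is constructed and the function names are hypothetical; the page does not say what happens when the preferred algorithm is not offered, so that case returns None.

```python
# Constructed Security-Client header value: two ipsec-3gpp mechanisms,
# the second one offering the "null" encryption algorithm last.
SAMPLE_SECURITY_CLIENT = (
    "ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc; spi-c=1111; spi-s=2222; "
    "port-c=5100; port-s=5101; prot=esp; mod=trans, "
    "ipsec-3gpp; alg=hmac-sha-1-96; ealg=null; spi-c=1111; spi-s=2222; "
    "port-c=5100; port-s=5101; prot=esp; mod=trans"
)


def offered(header_value, param):
    """Values of `param` across the comma-separated mechanisms, in offer order."""
    values = []
    for mechanism in header_value.split(","):
        # First ';'-separated token is the mechanism name (e.g. ipsec-3gpp).
        for part in mechanism.split(";")[1:]:
            name, _, value = part.strip().partition("=")
            if name.lower() == param:
                values.append(value.strip().lower())
    return values


def selected(header_value, param, preferred=""):
    """Model of the documented rule, not the module's implementation.

    Empty preference -> last offered value (documented default).
    Preference that is offered -> that value.
    Preference not offered -> None (behaviour not described on the page).
    """
    offers = offered(header_value, param)
    if not offers:
        return None
    if not preferred:
        return offers[-1]
    return preferred.lower() if preferred.lower() in offers else None


def audit(header_value, preferred_alg="", preferred_ealg=""):
    """Resulting algorithms plus a flag for an unencrypted (ealg=null) tunnel."""
    alg = selected(header_value, "alg", preferred_alg)
    ealg = selected(header_value, "ealg", preferred_ealg)
    return {"alg": alg, "ealg": ealg, "unencrypted": ealg == "null"}


if __name__ == "__main__":
    print("default        :", audit(SAMPLE_SECURITY_CLIENT))
    print("prefer aes-cbc :", audit(SAMPLE_SECURITY_CLIENT, preferred_ealg="aes-cbc"))
```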
ipsec_create(domain, [flags])
This function creates an IPSec SA and Policy based on the parameters sent in the Security-Client header of the REGISTER message. It's called when OK is received. The function also adds a Security-Server header to the REGISTER.
Meaning of the parameters is as follows:
domain - Logical domain within the registrar. If a database is used then this must be the name of the table which stores the contacts.
flags - bitwise flag: 0x01 - if set, delete unused tunnels before every registration. This is an optional parameter; the default value is 0.
ipsec_forward(domain, [flags])
The function redirects outgoing messages via the IPSec tunnel initiated with ipsec_create().
Meaning of the parameters is as follows:
domain - Logical domain within the registrar. If a database is used then this must be the name of the table which stores the contacts.
flags - bitwise flag:
0x01 (1) - set force socket for request messages. Useful for IPSec and TCP/TLS.
0x02 (2) - reverse search for a contact in the memory. Useful when contact alias is disabled.
0x04 (4) - use destination URI for IPSec tunnel search. Useful for routing requests within dialog.
0x08 (8) - use new R-URI for IPSec tunnel search.
0x10 (16) - do not look for alias parameter to set received details.
0x20 (32) - do not reset the destination URI.
0x40 (64) - use user equipment client port as target for TCP/TLS requests (try to reuse the UE client connection).
0x80 (128) - set transport parameter in the new dst uri for TCP/TLS requests.
0x100 (256) - use Via attributes (port and protocol) for routing UDP reply, and protocol from next hop address for request (otherwise it is taken from the saved contact).
0x200 (512) - try TCP if corresponding UDP socket is not found.
This is an optional parameter; the default value is 0.
ipsec_destroy(domain, [aor])
The function destroys the IPSec tunnel created with ipsec_create().
Meaning of the parameters is as follows:
domain - Logical domain within the registrar. If a database is used then this must be the name of the table which stores the contacts.
aor - SIP URI to match the record. If not provided, then R-URI is used.
ipsec_destroy_by_contact(domain, aor, recv_host, recv_port)
The function destroys the IPSec tunnel created with ipsec_create().
Meaning of the parameters is as follows:
domain - Logical domain within the registrar. If a database is used then this must be the name of the table which stores the contacts.
aor - SIP URI to match the record.
recv_host - received host to match the record.
recv_port - received port to match the record.
The last three parameters have to be string values and can contain variables.
Example 1.14. ipsec_destroy_by_contact()
...
ipsec_destroy_by_contact("location", "...", "...", "...");
...