Discussion:
UPnP/DLNA over IPsec
Niccolò Belli
2013-03-22 18:27:18 UTC
Hi,
Sorry for the dumb question but I really don't know how UPnP works: is there
any way to tunnel UPnP/DLNA over IPsec without L2TP?

Cheers,
Niccolò
Martin Willi
2013-03-25 09:04:43 UTC
Hi Niccolò,
is there any way to tunnel UPnP/DLNA over IPsec without L2TP?
Yes. The difficult part is UPnP discovery, which uses the Simple Service
Discovery Protocol. SSDP uses IP multicast messages to 239.255.255.250.

So what you basically have to do is include 239.255.255.250 as
destination address in your IPsec policies, and then make sure that
these multicasts get properly forwarded on the involved IPsec hosts.

If you handle multiple connections, depending on your setup, this might
result in identical policies (e.g. 0.0.0.0/0 <-> 239.255.255.250/32).
Linux does not like these, so you'd have to use different Netfilter
marks to separate them.

Best regards
Martin
Niccolò Belli
2013-03-25 10:10:07 UTC
Hi,
Thanks for your answer. Unfortunately I can't make it work; here is my
ipsec.conf entry:

conn server-android
    keyexchange=ikev2
    authby=rsasig
    left=<server_public_ip>
    leftsubnet=192.168.2.0/24,239.255.255.250/32
    leftcert=
    leftid=
    leftrsasigkey=%cert
    right=%any
    rightsourceip=192.168.2.40
    rightid=
    rightrsasigkey=%cert
    type=tunnel
    auto=add


The client is an Android phone with the Strongswan app.


Firewall rules in the server:

iptables -A FORWARD -m policy --dir in --pol ipsec --mode tunnel -j ACCEPT
iptables -A FORWARD -m policy --dir out --pol ipsec --mode tunnel -j ACCEPT
iptables -A FORWARD -i eth2 -o nas0 -j ACCEPT
iptables -A FORWARD -o eth2 -i nas0 -j ACCEPT


Routes:

ip route add 192.168.2.40/32 via <P-t-P> dev nas0 proto static src <server_public_ip> table 220
ip route add 239.255.255.250/32 via <P-t-P> dev nas0 proto static src <server_public_ip> table 220


SSDP still doesn't work, what's the problem?

Thanks,
Niccolò
--
http://www.linuxsystems.it
Martin Willi
2013-03-25 10:26:50 UTC
Post by Niccolò Belli
The client is an Android phone with the Strongswan app.
I've never tried that on an Android kernel. Do the multicast packets get
forwarded? Do you see them arriving at the server?
Post by Niccolò Belli
leftsubnet=192.168.2.0/24,239.255.255.250/32
Is the target for these SSDP packets the local host? If not, does your
server provide some kind of multicast forwarding/routing?

Regards
Martin
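The discovery traffic Martin describes above, as an added example that is not part of this thread or of strongSwan: a small Python tool that parses SSDP datagrams (the HTTP-over-UDP messages sent to 239.255.255.250 port 1900), checks whether a leftsubnet/rightsubnet list actually covers that group, and, when run on the gateway, joins the group to report the source of every M-SEARCH or NOTIFY it sees, which is one way to answer the "do you see them arriving at the server?" question. The sample datagrams are constructed, and the interface address 192.168.2.1 used in the usage line is an assumption about the server's LAN address.

```python
"""Observe SSDP discovery traffic and check IPsec traffic selectors.

SSDP, the discovery half of UPnP/DLNA, is HTTP over UDP sent to the
multicast group 239.255.255.250, port 1900.  Added example; not code
from the thread or from strongSwan.
"""
import ipaddress
import socket
import struct
import sys

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900


def parse_ssdp(datagram: bytes) -> dict:
    """Split one SSDP datagram into its start line and a dict of lower-cased headers."""
    lines = datagram.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"start": lines[0].strip(), "headers": headers}


def selectors_cover_ssdp(subnet_list: str) -> bool:
    """True if a comma-separated leftsubnet/rightsubnet value includes 239.255.255.250.

    Any protocol/port suffix in brackets (e.g. "[udp/1900]") is ignored;
    an IPv6 entry never matches the IPv4 group.
    """
    group = ipaddress.ip_address(SSDP_GROUP)
    for item in subnet_list.split(","):
        item = item.split("[", 1)[0].strip()
        if item and group in ipaddress.ip_network(item, strict=False):
            return True
    return False


def describe(datagram: bytes, source: tuple) -> str:
    """One-line summary of who sent which kind of SSDP message."""
    msg = parse_ssdp(datagram)
    h = msg["headers"]
    kind = msg["start"].split(" ")[0]
    if kind == "M-SEARCH":
        return f"{source[0]} searches for ST={h.get('st', '?')} (MX={h.get('mx', '?')})"
    if kind == "NOTIFY":
        return f"{source[0]} announces NT={h.get('nt', '?')} at {h.get('location', '?')}"
    if msg["start"].startswith("HTTP/"):
        return f"{source[0]} replies ST={h.get('st', '?')} at {h.get('location', '?')}"
    return f"{source[0]} sent an unrecognised SSDP start line {msg['start']!r}"


def listen_ssdp(interface_ip: str, count: int = 10) -> list:
    """Join the SSDP group on the interface that owns interface_ip and report datagrams.

    Run this on the IPsec gateway: if nothing from the tunnel client's address
    (192.168.2.40 in the thread) ever shows up, the multicasts are not arriving.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", SSDP_PORT))
    mreq = struct.pack("4s4s", socket.inet_aton(SSDP_GROUP), socket.inet_aton(interface_ip))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    seen = []
    while len(seen) < count:
        data, source = sock.recvfrom(65535)
        seen.append(describe(data, source))
        print(seen[-1])
    return seen


# Constructed sample datagrams (not captured from the thread's setup).
SAMPLE_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b'MAN: "ssdp:discover"\r\n'
    b"MX: 2\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"\r\n"
)
SAMPLE_NOTIFY = (
    b"NOTIFY * HTTP/1.1\r\n"
    b"HOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\n"
    b"NTS: ssdp:alive\r\n"
    b"LOCATION: http://192.168.2.10:49152/description.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(describe(SAMPLE_MSEARCH, ("192.168.2.40", 41000)))
    print(describe(SAMPLE_NOTIFY, ("192.168.2.10", 1900)))
    print("policy covers SSDP:", selectors_cover_ssdp("192.168.2.0/24,239.255.255.250/32"))
    # Assumed LAN address of the gateway; pass the real one as the first argument.
    listen_ssdp(sys.argv[1] if len(sys.argv) > 1 else "192.168.2.1")
```

The selector check only tells you the policy can carry the multicast; as Martin says, the packets still have to be forwarded by the gateway, and the listener is the quickest way to see whether they even get that far.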
Niccolò Belli
2013-03-25 11:25:16 UTC
Post by Martin Willi
Is the target for these SSDP packets the local host?
No, it isn't (but the server is attached to the LAN with the target host).
Post by Martin Willi
If not, does your
server provide some kind of multicast forwarding/routing?
No, unfortunately I know nothing about multicast :( but I will try to
learn something.

If I ping 224.0.0.1 from my LAN I get no answer (even if UPnP/DLNA
works), is it an expected behaviour? Why?

Thanks,
Niccolò
--
http://www.linuxsystems.it
Niccolò Belli
2013-03-25 11:53:18 UTC
Post by Niccolò Belli
If I ping 224.0.0.1 from my LAN I get no answer (even if UPnP/DLNA
works), is it an expected behaviour? Why?
Found it: echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Do you know how to enable ICMP multicast replies on Windows?

Niccolò
--
http://www.linuxsystems.it
Niccolò Belli
2013-03-25 13:51:55 UTC
Can you suggest a multicast router (and maybe a multicast routing howto)?

I found a howto
(http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/)
but it uses fixed IPs, while I don't know which IPs UPnP will use.

Thanks,
Niccolò
--
http://www.linuxsystems.it