NR Software N3IWF
version 2025-12-12*
This document is based on the latest test release.
Features may not be present in your current installed software. You may check their availability in change history or in your release documentation.
If you require an up to date release, ask for it in a ticket.

1 Introduction
2 Installation
3 Command line monitor reference
4 Configuration reference
- 4.1 Configuration file syntax
  - 4.1.1 JSON merge rules
- 4.2 Properties
5 Remote API
6 Log file format
7 Change history
8 License

1 Introduction

LTEN3IWF is a N3IWF (Non-3GPP Interworking element) implementation.

LTEN3IWF interfaces with a 5GS Core Network thru the standard NG interface whilst supporting IPsec connectivity towards the UE.

2 Installation

2.1 Linux setup

2.1.1 Packages

LTEN3IWF uses the SCTP protocol for which the necessary packages are not usually installed. In order to install them, do as root user:

Fedora

dnf install lksctp-tools kernel-modules-extra

Ubuntu
```
sudo apt-get install lksctp-tools linux-image-extra-3.13.0-24-generic
```
Note that linux-image-extra package name may differ depending on your kernel version.

To verify that SCTP kernel module is running, do as root user:

checksctp

If it reports that the protocol is not supported,

check if you have a /etc/modprobe.d/sctp-blacklist.conf file
edit it to comment the ’blacklist sctp’ line

Then reboot the PC in case the Linux kernel was upgraded too.

2.1.2 OpenSSL

LTEN3IWF has been compiled against openssl version 3.5.4.
If your system does not have compatible version installed you may have this error message at startup:

error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

To overcome this problem, you may:

Copy libssl.so.3 and libcrypto.so.3 from libs subdirectory of your release tarball.
If you have installed software with automatic install script, this should have been done automatically.
Compile and install proper openssl version yourself

In case of persisting issue, raise a ticket from our support site at https://support.amarisoft.com/ with the information provided by below commands executed in LTEN3IWF directory:

uname -a
ls -l
ldd ./lten3iwf
openssl version

2.1.3 License key installation

LTEN3IWF needs a license key file to run. It is associated to your PC, so if you replace it or change its hardware configuration you must contact Amarisoft to get a new license key.

The following steps are needed to get this license file:

Run LTEN3IWF:
```
./lten3iwf config/n3iwf.cfg
```
It says that the license key is not present and prints a 16 digit hexadecimal code.
Send by mail to delivery@amarisoft.com this hexadecimal code to your contact at Amarisoft. You will get back the lten3iwf.key license key file.
Copy the lten3iwf.key file to the ${HOME}/.amarisoft/ directory (${HOME} is the home directory of the root user). You can use the shell variable AMARISOFT_PATH to change this path.

Once the license key is installed, lten3iwf should start normally.

2.2 LTEN3IWF installation

Decompress the LTEN3IWF archive to a convenient place. The executable lten3iwf can be launched from this directory.

2.2.1 Basic LTEN3IWF configuration

The main configuration file is config/n3iwf.cfg. It uses a superset of the JSON syntax.

2.3 Initial testing

Customize and start the lte_init.sh script as root user to configure the network and CPU governors.

Start the LTEMME software as root user. root priviledges are needed to set up the virtual network interface.

./ltemme config/mme.cfg

In another terminal, start the LTEN3IWF software as root user. root priviledges are needed to use real time scheduling priority.

./lten3iwf config/n3iwf.cfg

The N3IWF is now running. Type ng in the command line monitor of LTEN3IWF to verify that it is connected to LTEMME.

3 Command line monitor reference

The following commands are available:

help

Display the help. Use help command to have a more detailed help about a command.

ue

List connected UEs.

ng

Dump the NG connection state. It is useful to see if the N3IWF is connected to the AMF.

ngconnect [amf_addr]

Force a NG (re)connection to the AMF. The AMF IP address and optional port can be given as an optional parameter.

ngdisconnect

Force a NG disconnect from the AMF.

ngadd

Adds a new AMF to the list of NGAP connections.
Message definition
The message must contain the same parameters as one of the object defined in amf_list array. See amf_list.

ngdelete

Removes a AMF address from the list of NGAP connections.
Message definition

addrngdelete addr: String. AMF address to be removed from the list.

4 Configuration reference

4.1 Configuration file syntax

The main configuration file uses a syntax very similar to the Javascript Object Notation (JSON) with few extensions.

Supported types:
- - Numbers (64 bit floating point). Notation: 13.4
- - Complex numbers. Notation: 1.2+3*I
- - Strings. Notation: "string"
- - Booleans. Notation: true or false.
- - Objects. Notation: { field1: value1, field2: value2, .... }
- - Arrays. Notation: [ value1, value2, .... ]
The basic operations +, -, * and / are supported with numbers and complex numbers. + also concatenates strings. The operators !, ||, &&, ==, !=, <, <=, >=, > are supported too.
The numbers 0 and 1 are accepted as synonyms for the boolean values false and true.
{} at top level are optional.
" for property names are optional, unless the name starts with a number.
Properties can be duplicated.
If properties are duplicated, they will be merged following JSON merge rules with overriding occuring in reading direction (last overrides previous).
Ex:
```
{
    value: "foo",
    value: "bar",
    sub: {
        value: "foo"
    },
    sub: {
        value: "bar"
    }
}
```
Will be equivalent to:
```
{
    value: "bar",
    sub: {
        value: "bar"
    }
}
```
Files can be included using include keyword (must not be quoted) followed by a string (without :) representing the file to include (path is relative to current file) and terminating by a comma.
Arrays can’t be included.
Merge will be done as for duplicate properties.
If file1.cfg is:
```
    value: "foo",
    include "file2.cfg",
    foo: "foo"
```
And file2.cfg is:
```
    value: "bar",
    foo: "bar"
```
Final config will be:
```
{
    value: "bar",
    foo: "foo"
}
```
A C like preprocessor is supported. The following preprocessor commands are available:

#define var expr

Define a new variable with value expr. expr must be a valid JSON expression. Note that unlike the standard C preprocessor, expr is evaluated by the preprocessor.

#undef var

Undefine the variable var.

#include expr

Include the file whose filename is the evaluation of the string expression expr.

#if expr

Consider the following text if expr is true.

#else

Alternative of #if block.

#elif

Composition of #else and #if.

#endif

End of #if block.

#ifdef var

Shortcut for #if defined(var)

#ifndef var

Shortcut for #if !defined(var)

In the JSON source, every occurrence of a defined preprocessor variable is replaced by its value.
Backquote strings: JSON expression can be inserted in backquote delimited strings with the ${expr} syntax. Example: `abc${1+2}d` is evaluated as the string "abc3d". Preprocessor variables can be used inside the expression. Backquote strings may span several lines.

4.1.1 JSON merge rules

Merge overriding direction depends on context, i.e source may override destination or the opposite.
JSON merge is recursive for Objects and Arrays.

Example, merging

{
    foo: { value: "bar" },
    same: "one",
    one: 1
}

with

{
    foo: { value: "none", second: true },
    same: "two",
    two: 1
}

Will become:

{
    foo: { value: "bar", second: true },
    same: "one",
    one: 1
    two: 1
}

assuming first object overrides second one.

In case of Array merging, the final array length will be the maximum length of all merged arrays.
For each element of the final array, merge will be done considering defined elements only.
Ex:

{
    array: [0, 1, 2, { foo: "bar" } ],
    array: [3, 4],
    array: [5, 6, 7, { bar: "foo" }, 8 ]
}

Will be merged to:

{
    array: [5, 6, 7, { foo: "bar", bar: "foo" }, 8 ],
}

4.2 Properties

log_filenamelog_filename

String. Set the log filename. If no leading /, it is relative to the configuration file path. See Log file format.

log_optionslog_options

String. Set the logging options as a comma separated list of assignments.

layer.level=verbosity. For each layer, the log verbosity can be set to none, error, info or debug. In debug level, the content of the transmitted data is logged.
layer.max_size=n. When dumping data content, at most n bytes are shown in hexa. For ASN.1, NAS or Diameter content, show the full content of the message if n > 0.
layer.payload=[0|1]. Dump ASN.1, NAS, SGsAP or Diameter payload in hexadecimal.
layer.key=[0|1]. Dump security keys (NAS and RRC layers).
layer.crypto=[0|1]. Dump plain and ciphered data (NAS and PCDP layers).
layer.verbose=[0|1]. If layer is ipsec, dump all packets filtering informations.
time=[sec|short|full]. Display the time as seconds, time only or full date and time (default = time only).
time.us=[0|1]. Dump time with microseconds precision.
file=cut. Close current file log and open a new one.
file.rotate=now. Move and rename to the same directory or to the directory pointed by file.path and open a new log file (Headers are kept).
file.rotate=size. Every time log file size reaches size bytes, move and rename to the same directory or to the directory pointed by file.path, and open a new log file (Headers are kept).
Size is an integer and can be followed by K, M or G.
file.rotate=#count. Everytime number of logs in log file reaches count, move and rename to the same directory or to the directory pointed by file.path, and open a new log file (Headers are kept).
Size is an integer and can be followed by K, M or G.
file.path=path. When log rotation is enabled (file.rotate set), rename and move current log to this path instead of initial log path.
append=[0|1]. (default=0). If 0, truncate the log file when opening it. Otherwise, append to it.

Available layers are: nas, ip, gtpu, ngap, n3iwf, ikev2, ipsec

log_synclog_sync

Optional boolean (default = false). If true, logs will be synchronously dumped to file.
Warning, this may lead to performances decrease.

com_addrcom_addr

Optional string. Address of the WebSocket server remote API. See Remote API.
If set, the WebSocket server for remote API will be enabled and bound to this address.
Default port is 9011.
Setting IP address to [::] will make remote API reachable through all network interfaces.

com_namecom_name

Optional string. Sets server name. N3IWF by default

com_ssl_certificatecom_ssl_certificate

Optional string. If set, forces SSL for WebSockets. Defines CA certificate filename.

com_ssl_keycom_ssl_key

Optional string. Mandatory if com_ssl_certificate is set. Defines CA private key filename.

com_ssl_peer_verifycom_ssl_peer_verify

Optional boolean (default is false). If true, server will check client certificate.

com_ssl_cacom_ssl_ca

Optional string. Set CA certificate. In case of peer verification with self signed certificate, you should use the client certificate.

com_log_lockcom_log_lock

Optional boolean (default is false). If true, logs configuration can’t be changed via config_set remote API.

com_log_uscom_log_us

Optional boolean (default is false). If true, logs sent by log_get remote API response will have a timestamp_us parameters instead of timestamp

com_authcom_auth

Optional object. If set, remote API access will require authentication.
Authentication mechanism is describe in Remote API Startup section.

passfilecom_auth.passfile: Optional string. Defines filename where password is stored (plaintext).
If not set, password must be set
passwordcom_auth.password: Optional string. Defines password.
If not set, passfile must be set.
unsecurecom_auth.unsecure: Optional boolean (default false). If set, allow password to be sent plaintext.
NB: you should set it to true if you access it from a Web Browser (Ex: Amarisoft GUI) without SSL (https) as your Web Browser may prevent secure access to work.

com_log_countcom_log_count

Optional number (Default = 8192). Defines number of logs to keep in memory before dropping them.
Must be between 4096 and 2097152).

sim_eventssim_events

Array of object. Each element defines a remote API request (Remote API) except that message field is replaced by event.

sim_events_loop_countsim_events_loop_count

If set, will define loop_count for each event of sim_events, See loop_count.

sim_events_loop_delaysim_events_loop_delay

If set, will define loop_delay for each event of sim_events, See loop_delay.

gtp_addrgtp_addr

String. Set the IP address (and optional port) on which the GTP-U packets are received. The default port is 2152. It is normally the IP address of the network interface connected to the core network.

gtp_payload_mtugtp_payload_mtu

Optional integer (range 68 to 16384, default = 1500). MTU in bytes for the GTP-U payload. Do not forget to update the network interface MTU accordingly for optimal performance. For example with a GTP MTU of 1500 bytes, interface should have a MTU of at least 1564 bytes.

gtp_use_packet_bundlinggtp_use_packet_bundling

Optional boolean (default = false). Concatenate multiple GTP-U PDUs within a single UDP datagram. Be careful, this is a non-standard option that must not be activated if the peer is not an Amarisoft AMF with this option activated.

amf_listamf_list

Array of objects. List of AMF to which the N3IWF is connected. Each object contains the following properties:

amf_addramf_list.amf_addr

String. Set the IP address (and optional port) of NGAP SCTP connection to the AMF. The default port is 38412.

gtp_ext_addramf_list.gtp_ext_addr

Optional string. Set the IP address on which the Core Network should transmit the GTP-U packets. It is the same as gtp_addr by default. It can be different if the N3IWF is behind a NAT.

ngap_bind_addramf_list.ngap_bind_addr

Optional string. IP address and optional port on which the NGAP SCTP connection is bound.

5qi_dscp_mappingamf_list.5qi_dscp_mapping

Optional array of objects. Allows to define a specific IP differentiated services code point for a given 5QI. 5QI not explicitly configured use the default DSCP value 0.
Each object must contain the following properties:

5qiamf_list.5qi_dscp_mapping.5qi: Integer (range 1 to 254). 5QI value.
dscpamf_list.5qi_dscp_mapping.dscp: Integer (range 0 to 63). DSCP value.

backup_amf_addramf_list.backup_amf_addr

Optional string. Defines the IP address (and optional port) of the backup AMF to be used if the NG connection is not established with the current AMF. If the NG connection is established, the backup AMF will not be used. There must be a corresponding object for the backup AMF in the amf_list array.

priorityamf_list.priority

Optional integer (range 0 to 1, default 0). Defines the priority of a given AMF. When performing AMF selection, if no candidate is found with priority n, the candidates with priority n+1 are tested.

n3iwf_idn3iwf_id

Integer in range 0-0xFFFF. The N3IWF global identifier.

n3iwf_namen3iwf_name

Optional string. Set N3IWF name used in NG connection setup request.

plmn_listplmn_list

List of objects. List of PLMNs and NPNs supported. The total number of PLMNs (identified by a PLMN identity in plmn) and SNPNs (identified by a PLMN identity and a NID in snpn) shall not exceed 12. Each object contains the following properties:

plmnplmn_list.plmn

String or array of strings. PLMN (5 or 6 digits). The array can contain up to 12 PLMNs.

snpnplmn_list.snpn

Optional array of 1 to 12 objects. List of Stand-Alone Non-Public Network.
Each element contains the following parameters:

plmnplmn_list.snpn.plmn

PLMN string (5 or 6 digits).

nid_listplmn_list.snpn.nid_list

Array of NID as defined in 23.003 12.7 Stand-Alone Non-Public Network Identifier an contains the following parameters. Each element contains the following parameters:

nid_valueplmn_list.snpn.nid_list.nid_value: String (10 hexadecimal digits). NID value.
assignment_modeplmn_list.snpn.nid_list.assignment_mode: Optional enumeration ("self", "coordinated_1", "coordinated_2"). Default value is "self". Each combination of a PLMN and NID identifies a Stand-Alone Non-Public Network.

tacplmn_list.tac

Integer (range 1 to 0xFFFFFF, except 0xFFFFFE). Tracking Area Code of the cell.

nssaiplmn_list.nssai

Optional array. List of supported S-NSSAIs.
Default content is sst: 1 (eMBB).
Each entry will set a S-NSSAI value as defined below:

sstplmn_list.nssai.sst: Integer (range 0-255). Slice Service Type.
sdplmn_list.nssai.sd: Optional integer (range 0-0xFFFFFE). Slice Differentiator.

remote_ip_configremote_ip_config

Object describing the IP allocation of the UE inner address as defined in 3GPP TS 23.502. Contains the following properties:

first_ip_addrremote_ip_config.first_ip_addr: String. First available IPv4 address.
last_ip_addrremote_ip_config.last_ip_addr: String. Last available IPv4 address.
ipv4_auto_incrementremote_ip_config.ipv4_auto_increment: Optional boolean (default = false). If set to false, the same IPv4 address is allocated for successive UE connection/disconnection. If set to true, the IPv4 address is incremented for UE connection/disconnection.
ip_addr_shiftremote_ip_config.ip_addr_shift: Optional integer (default = 0). The allocated IPv4 addresses are allocated starting from first_ip_addr with a difference of 2^ip_addr_shift. Hence last_ip_addr - first_ip_addr must be a multiple of 2^ip_addr_shift. This option can be useful in case of inter-UE communication to ensure that the IPv4 address of a given UE is the only one in its netmask.

local_ip_configlocal_ip_config

Object describing the IP allocation of the UP_IP_ADDRESS associated with a child Sa as defined in 3GPP TS 23.502. Contains the following properties:

first_ip_addrlocal_ip_config.first_ip_addr: String. First available IPv4 address.
last_ip_addrlocal_ip_config.last_ip_addr: String. Last available IPv4 address.
ipv4_auto_incrementlocal_ip_config.ipv4_auto_increment: Optional boolean (default = false). If set to false, the same IPv4 address is allocated for successive UE connection/disconnection. If set to true, the IPv4 address is incremented for UE connection/disconnection.
ip_addr_shiftlocal_ip_config.ip_addr_shift: Optional integer (default = 0). The allocated IPv4 addresses are allocated starting from first_ip_addr with a difference of 2^ip_addr_shift. Hence last_ip_addr - first_ip_addr must be a multiple of 2^ip_addr_shift. This option can be useful in case of inter-UE communication to ensure that the IPv4 address of a given UE is the only one in its netmask.
nas_ip_addrlocal_ip_config.nas_ip_addr: Optional string. Address of the local TCP server for NAS signalling. If not present, the first IP of the subnet (See local_ip_config) will be used.

nwunwu

Configuration of the NWu connection. This object contains the following properties:

bind_addrnwu.bind_addr

IP address on which the NWu connection is bound.

private_keynwu.private_key

String. Defines the N3IWF private key filename.

certificatenwu.certificate

String. Defines the N3IWF certificate filename. The default files n3iwf_private_key.pem and n3iwf_cert.pem are built for N3IWF FQDN "n3iwf.5gc.mnc001.mcc001.pub.3gppnetwork.org" following the procedure decribed below. For another N3IWF FQDN, these files shall be re-built by setting the FQDN in subjectAltName field. Procedure to generate and check the private key file n3iwf_private_key.pem and the certificate file n3iwf_cert.pem:

      openssl genrsa -out ca.key 2048
      openssl req -new -x509 -days 365 -key ca.key -out ca.crt
      openssl req -newkey rsa:2048 -nodes -keyout n3iwf_private_key.pem -out n3iwf_cert.pem
      openssl x509 -req -extfile <(printf "subjectAltName=DNS:n3iwf.5gc.mnc001.mcc001.pub.3gppnetwork.org") -days 365 -in n3iwf_cert.pem -CA ca.crt -CAkey ca.key -CAcreateserial -out n3iwf_cert.pem
      openssl x509 -in n3iwf_cert.pem -text
      openssl rsa -in n3iwf_private_key.pem -text

esp_durationnwu.esp_duration

Optional integer in range 10 to 5*3600 (default = 300). Gives the duration in seconds of the ESP-Sa.

ike_durationnwu.ike_duration

Optional integer in range 20 to 48*3600 (default = 24*3600). Gives the duration in seconds of the IKE-Sa.

omit_auth_in_first_auth_rspnwu.omit_auth_in_first_auth_rsp

Optional boolean (default = false). If set, configures the N3IWF to not send the AUTH payload in the first IKE_AUTH exchange.

ike_encryption_algo_listnwu.ike_encryption_algo_list

Optional list of IKE-Sa supported encryption algorithms "aes-cbc-128" (AES CBC 128 bits key length), "aes-cbc-192" (AES CBC 192 bits key length), "aes-cbc-256" (AES CBC 256 bits key length), "aes-gcm-128-16" (AES GCM 128 bits key length and 16 bytes ICV), "aes-gcm-256-16" (AES GCM 256 bits key length and 16 bytes ICV), "3des", "blowfish", "aes-ctr-128" (AES CTR 128 bits key length), "aes-ctr-192" (AES CTR 192 bits key length), and aes-ctr-256 (AES CTR 256 bits key length) ordered from most preferred to least preferred.
Default value is ["aes-cbc-128", "aes-cbc-192", "aes-cbc-256", "aes-gcm-128-16", "aes-gcm-256-16", "3des", "blowfish", "aes-ctr-128", "aes-ctr-192", "aes-ctr-256"].

ike_integrity_algo_listnwu.ike_integrity_algo_list

Optional list of IKE-Sa supported integrity algorithms "hmac-sha-1-96", "hmac-sha-1-160", "hmac-sha-256-128", "hmac-sha-384-192", "hmac-sha-512-256", "hmac-md5-96", "hmac-md5-128" and "aes-cmac-96" ordered from most preferred to least preferred.
Default value is ["hmac-sha-1-96", "hmac-sha-1-160", "hmac-sha-256-128", "hmac-sha-384-192", "hmac-sha-512-256", "hmac-md5-96", "hmac-md5-128", "aes-cmac-96"];

ike_prf_listnwu.ike_prf_list

Optional list of IKE-Sa supported pseudo-random functions "prf-hmac-sha1", "prf-hmac-sha2-256", "prf-hmac-sha2-384", "prf-hmac-sha2-512" and "prf-hmac-md5" ordered from most preferred to least preferred.
Default value is ["prf-hmac-sha1", "prf-hmac-sha2-256", "prf-hmac-sha2-384, "prf-hmac-sha2-512", "prf-hmac-md5"].

ike_dh_group_listnwu.ike_dh_group_list

Optional list of IKE-Sa supported Diffie-Hellman groups "group_1", "group_2", "group_5", "group_14", "group_15", "group_16", "group_17", "group_18", "group_19", "group_22", "group_23" and "group_24" ordered from most preferred to least preferred.
Default value is ["group_5", "group_14", "group_15", "group_16", "group_17", "group_18", "group_19", "group_22", "group_23", "group_24"].

esp_encryption_algo_listnwu.esp_encryption_algo_list

Optional list of ESP-Sa supported encryption algorithms "null", "aes-cbc-128" (AES CBC 128 bits key length), "aes-cbc-192" (AES CBC 192 bits key length), "aes-cbc-256" (AES CBC 256 bits key length), "3des", "blowfish", "aes-ctr-128" (AES CTR 128 bits key length), "aes-ctr-192" (AES CTR 192 bits key length), and aes-ctr-256 (AES CTR 256 bits key length) ordered from most preferred to least preferred.
Default value is ["null", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256", "3des", "blowfish", "aes-ctr-128", "aes-ctr-192", "aes-ctr-256"].

esp_integrity_algo_listnwu.esp_integrity_algo_list

Optional list of ESP-Sa supported integrity algorithms "null", "hmac-sha-1-96", "hmac-sha-1-160", "hmac-sha-256-128", "hmac-sha-384-192", "hmac-sha-512-256", "hmac-md5-96", "hmac-md5-128" and "aes-cmac-96" ordered from most preferred to least preferred.
Default value is ["null", "hmac-sha-1-96", "hmac-sha-1-160", "hmac-sha-256-128", "hmac-sha-384-192", "hmac-sha-512-256", "hmac-md5-96", "hmac-md5-128", "aes-cmac-96"].

esp_dh_group_listnwu.esp_dh_group_list

Optional list of ESP-Sa supported Diffie-Hellman groups "none", "group_1", "group_2", "group_5", "group_14", "group_15", "group_16", "group_17", "group_18", "group_19", "group_22", "group_23" and "group_24" ordered from most preferred to least preferred.
This list is used for rekeying ESP-Sa. Default value is ["none", "group_5", "group_14", "group_15", "group_16", "group_17", "group_18", "group_19", "group_22", "group_23", "group_24"].

dpd_timer_valuenwu.dpd_timer_value

Optional integer in range 5 to 300 (default = 300). Gives the "dead peer detection" timer value in seconds.

mobikenwu.mobike

Optional boolean (default = true). Indicates MOBIKE support.

dont_fragmentnwu.dont_fragment

Optional boolean (default = true) used to enable/disable the fragmentation of the ESP packets.

ike_generate_errornwu.ike_generate_error

Optional object. Allows to ignore a message or generate an error during an IKE exchange.
It contains the following objects:

exchangenwu.ike_generate_error.exchange

String. Gives the exchange to ignore or on which the error must be sent. Possible values are "none", "ike_sa_init", "ike_auth_step1", "ike_auth_step2", "ike_auth_step3", "dpd", "mobike".

reject_notify_listnwu.ike_generate_error.reject_notify_list

Optional array. If absent, the message received during the exchange will be ignored.
If present, the message received during the exchange will be rejected, and each element of the array describes a Notify payload to insert in the response. Each element of the array contains:

errornwu.ike_generate_error.reject_notify_list.error: Optional integer. Gives the value of ’Notify Message Type’ to send in the Notify payload rejecting the exchange.
datanwu.ike_generate_error.reject_notify_list.data: Optional hexadecimal string. May be present if error is present.
Gives the Notification Data to send in the Notify payload.

ttlnwu.ike_generate_error.ttl

Optional integer. If set, ike_generate_error is applied ttl times. If not set, ike_generate_error is applied until it is modified.

Example:

  ike_generate_error: {
  exchange: "ike_auth_step1",
  reject_notify_list: [
   {
     error: 9002,
     data: "1234",
   },
   {
     error: 9003,
     data: "5678",
   }],
  ttl: 1
  }

5 Remote API

You can access LTEN3IWF via a remote API.
Protocol used is WebSocket as defined in RFC 6455 (https://tools.ietf.org/html/rfc6455).

Note that Origin header is mandatory for the server to accept connections.
This behavior is determined by the use of nopoll library.
Any value will be accepted.

To learn how to use it, you can refer to our the following tutorial.

5.1 Messages

Messages exchanged between client and LTEN3IWF server are in strict JSON format.

Each message is represented by an object. Multiple message can be sent to server using an array of message objects.

Time and delay values are floating number in seconds.

There are 4 types of messages:

Request
Message sent by client.
Common definition:

messagerequest.message

String. Represent type of message. This parameter is mandatory and depending on its value, other parameters will apply.

message_idrequest.message_id

Optional any type. If set, response sent by the server to this message will have same message_id. This is used to identify response as WebSocket does not provide such a concept.

start_timerequest.start_time

Optional float. Represent the delay before executing the message.
If not set, the message is executed when received.

absolute_timerequest.absolute_time

Optional boolean (default = false). If set, start_time is interpreted as absolute.
You can get current clock of system using time member of any response.

standalonerequest.standalone

Optional boolean (default = false). If set, message will survive WebSocket disconnection, else, if socket is disconnected before end of processing, the message will be cancelled.

loop_countrequest.loop_count

Optional integer (default = 0, max = 1000000). If set, message will be repeated loop_count time(s) after loop_delay (From message beginning of event).
Response will have a loop_index to indicate iteration number.

loop_delayrequest.loop_delay

Optional number (min = 0.1, max = 86400). Delay in seconds to repeat message from its start_time. Mandatory when loop_count is set > 0.
Notification
For some API, intermediate message may be sent by server before reception of response.
Common definition:

messagenotification.message

String. Same as request.

message_idnotification.message_id

Optional any type. Same as in request.

timenotification.time

Number representing time in seconds of the message start, relative to the beginning of the process.
Useful to send command with absolute time.

notificationnotification.notification

String. Notification purpose

utcnotification.utc

Number representing UTC seconds (local clock) when the response has been generated.
Response
Message sent by server after any request message has been processed.
Common definition:

messageresponse.message

String. Same as request.

message_idresponse.message_id

Optional any type. Same as in request.

timeresponse.time

Number representing time in seconds of the message start, relative to the beginning of the process.
Useful to send command with absolute time.

utcresponse.utc

Number representing UTC seconds (local clock) when the response has been generated.

absolute_timeresponse.absolute_time

Optional string. If absolute_time has been set and message is reaching LTEN3IWF too late, this field is present and set to late.
Events
Message sent by server on its own initiative.
Common definition:

messageevent.message

String. Event name.

timeevent.time

Number representing time in seconds.
Useful to send command with absolute time.

5.2 Startup

When WebSocket connections is setup, LTEN3IWF will send a first message with name set to com_name and type set to N3IWF.

If authentication is not set, message will be ready:

{
    "message": "ready",
    "type": "N3IWF",
    "name": <com_name>,
    "version": <software version>,
    "product": <Amarisoft product name (optional)>
}

If authentication is set, message will be authenticate :

{
    "message": "authenticate",
    "type": "N3IWF",
    "name": <com_name>,
    "challenge": <random challenge>
}

To authenticate, the client must answer with a authenticate message and a res parameter where:

res = HMAC-SHA256( "<type>:<password>:<name>", "<challenge>" )

res is a string and HMAC-SHA256 refers to the standard algorithm (https://en.wikipedia.org/wiki/HMAC)

If the authentication succeeds, the response will have a ready field set to true.

{
    "message": "authenticate",
    "message_id": <message id>,
    "ready": true
}

If authentication fails, the response will have an error field and will provide a new challenge.

{
    "message": "authenticate",
    "message_id": <message id>,
    "error": <error message>,
    "type": "N3IWF",
    "name: <name>,
    "challenge": <new random challenge>
}

If any other message is sent before authentication succeeds, the error "Authentication not done" will be sent as a response.

5.3 Errors

If a message produces an error, response will have an error string field representing the error.

5.4 Sample nodejs program

You will find in this documentation a sample program: ws.js.
It is located in doc subdirectory.
This is a nodejs program that allow to send message to LTEN3IWF.
It requires nodejs to be installed:

dnf install nodejs npm
npm install nodejs-websocket

Use relevant package manager instead of NPM depending on your Linux distribution.

Then simply start it with server name and message you want to send:

./ws.js 127.0.0.1:9011 '{"message": "config_get"}'

5.5 Common messages

config_get

Retrieve current config.

Response definition:

typeconfig_get.type

Always "N3IWF"

nameconfig_get.name

String representing server name.

logsconfig_get.logs

Object representing log configuration.
With following elements:

layersconfig_get.logs.layers

Object. Each member of the object represent a log layer configuration:

layer name

Object. The member name represent log layer name and parameters are:

levelconfig_get.logs.layers.root.level: See log_options
max_sizeconfig_get.logs.layers.root.max_size: See log_options
keyconfig_get.logs.layers.root.key: See log_options
cryptoconfig_get.logs.layers.root.crypto: See log_options
payloadconfig_get.logs.layers.root.payload: See log_options
verboseconfig_get.logs.layers.root.verbose: Optional boolean. See log_options

countconfig_get.logs.count

Number. Number of bufferizer logs.

rotateconfig_get.logs.rotate

Optional number. Max log file size before rotation.

rotate_countconfig_get.logs.rotate_count

Optional number. Max log count before rotation.

pathconfig_get.logs.path

Optional string. Log rotation path.

bcchconfig_get.logs.bcch

Boolean. True if BCCH dump is enabled (eNB only).

mibconfig_get.logs.mib

Boolean. True if MIB dump is enabled (eNB only).

lockedconfig_get.locked

Optional boolean. If true, logs configuration can’t be changed with config_set API.

config_set

Change current config.
Each member is optional.
Message definition:

logsconfig_set.logs

Optional object. Represent logs configuration. Same structure as config_get (See config_get logs member).
All elements are optional.
Layer name can be set to all to set same configuration for all layers.
If set and logs are locked, response will have logs property set to locked.

nwuconfig_set.nwu

Optional object allowing to configure N3IWF options. It may contain the following object:

esp_durationconfig_set.nwu.esp_duration

Optional integer in range 10 to 5*3600 (default = 300). Gives the duration in seconds of the ESP-Sa.

ike_durationconfig_set.nwu.ike_duration

Optional integer in range 20 to 48*3600 (default = 24*3600). Gives the duration in seconds of the IKE-Sa.

mobikeconfig_set.nwu.mobike

Optional boolean. Indicates MOBIKE support.

dont_fragmentconfig_set.nwu.dont_fragment

Optional boolean used to enable/disable the fragmentation of the ESP packets.

ike_generate_errorconfig_set.nwu.ike_generate_error

Optional object. Allows to ignore a message or generate an error during the initial exchanges.
It contains the following objects:

exchangeconfig_set.nwu.ike_generate_error.exchange: String. Gives the exchange to ignore or on which the error must be sent. Possible values are "none", "ike_sa_init", "ike_auth_step1", "ike_auth_step2", "ike_auth_step3".
errorconfig_set.nwu.ike_generate_error.error: Optional integer. Gives the value of ’Notify Message Type’ to send in the Notify payload rejecting the exchange.
It present, the message received during the exchange will be rejected.
If absent, the message received during the exchange will be ignored.

log_get

Get logs.
This API has a per connection behavior. This means that the response will depend on previous calls to this API within the same WebSocket connection.
In practice, logs that have been provided in a response won’t be part of subsequent request unless connection is reestablished. To keep on receiving logs, client should send a new log_get request as soon as the previous response has been received.
If a request is sent before previous request has been replied, previous request will be replied right now without considering specific min/max/timeout conditions.

Message definition:

minlog_get.min: Optional number (default = 1). Minimum amount of logs to retrieve.
Response won’t be sent until this limit is reached (Unless timeout occurs).
maxlog_get.max: Optional number (default = 4096). Maximum logs sent in a response.
timeoutlog_get.timeout: Optional number (default = 1). If at least 1 log is available and no more logs have been generated for this time, response will be sent.
allow_emptylog_get.allow_empty: Optional boolean (default = false). If set, response will be sent after timeout, event if no logs are available.
rntilog_get.rnti: Optional number. If set, send only logs matching rnti.
ue_idlog_get.ue_id: Optional number. If set, send only logs with matching ue_id.
layerslog_get.layers: Optional Object. Each member name represents a log layer and values must be string representing maximum level. See log_options.
If layers is not set, all layers level will be set to debug, else it will be set to none.
Note also the logs is also limited by general log level. See log_options.
shortlog_get.short: Optional boolean (default = false). If set, only first line of logs will be dumped.
headerslog_get.headers: Optional boolean. If set, send log file headers.
start_timestamplog_get.start_timestamp: Optional number. Is set, filter logs older than this value in milliseconds.
end_timestamplog_get.end_timestamp: Optional number. Is set, filter logs more recent than this value in milliseconds.
max_sizelog_get.max_size: Optional number (default = 1048576, i.e. 1MB). Maximum size in bytes of the generated JSON message. If the response exceeds this size, the sending of logs will be forced independently from other parameters.

Response definition:

logslog_get.logs

Array. List of logs. Each item is a an object with following members:

datalog_get.logs.data: Array. Each item is a string representing a line of log.
timestamplog_get.logs.timestamp: Number. Milliseconds since January 1st 1970. Not present if com_log_us is set in configuration.
timestamp_uslog_get.logs.timestamp_us: Number. Microseconds since January 1st 1970. Only present if com_log_us is set in configuration.
layerlog_get.logs.layer: String. Log layer.
levellog_get.logs.level: String. Log level: error, warn, info or debug.
dirlog_get.logs.dir: Optional string. Log direction: UL, DL, FROM or TO.
ue_idlog_get.logs.ue_id: Optional number. UE_ID.
celllog_get.logs.cell: Optional number (only for PHY layer logs). Cell ID.
rntilog_get.logs.rnti: Optional number (only for PHY layer logs). RNTI.
framelog_get.logs.frame: Optional number (only for PHY layer logs). Frame number (Subframe is decimal part).
channellog_get.logs.channel: Optional string (only for PHY layer logs). Channel name.
srclog_get.logs.src: String. Server name.
idxlog_get.logs.idx: Integer. Log index.
headerslog_get.logs.headers: Optional array. Array of strings.

discontinuitylog_get.discontinuity

Optional number. If set, this means some logs have been discarded due to log buffer overflow.

microsecondslog_get.microseconds

Optional boolean. Present and set to true if com_log_us is set in configuration file.

log_set

Add log.
Message definition:

loglog_set.log: Optional string. Log message to add. If set, layer and level are mandatory.
layerlog_set.layer: String. Layer name. Only mandatory if log is set.
levellog_set.level: String. Log level: error, warn, info or debug. Only mandatory if log is set.
dirlog_set.dir: Optional string. Log direction: UL, DL, FROM or TO.
ue_idlog_set.ue_id: Optional number. UE_ID.
flushlog_set.flush: Optional boolean (default = false). If set, flushes fog file.
rotatelog_set.rotate: Optional boolean (default = false). If set, forces log file rotation.
cutlog_set.cut: Optional boolean (default = false). If set, forces log file reset.

log_reset

Resets logs buffer.

license

Retrieves license file information.

Response definition:

productslicense.products: String. List of products, separated by commas.
userlicense.user: String. License username.
validitylicense.validity: String. License end of validity date.
idlicense.id: Optional string. License ID.
id_typelicense.id_type: Optional string. License ID type. Can be host_id or dongle_id
uidlicense.uid: Optional string. License unique ID.
filenamelicense.filename: Optional string. License filename.
serverlicense.server: Optional string. License server URL.
server_idlicense.server_id: Optional string. License server ID.

quit

Terminates lten3iwf.

help

Provides list of available messages in messages array of strings and events to register in events array of strings.

stats

Report statistics for LTEN3IWF.
Every time this message is received by server, statistics are reset.
Warning, calling this message from multiple connections simultaneously will modify the statistics sampling time.

Response definition:

cpustats.cpu: Object. Each member name defines a type and its value cpu load in % of one core.
instance_idstats.instance_id: Number. Constant over process lifetime. Changes on process restart.

ipsec

Report ipsec SAs.

Response definition:

SAsipsec.SAs

Array. List of object representing a security association witth following definition:

typeipsec.SAs.type: String. IP version, can be IPv4 or IPv6.
diripsec.SAs.dir: String. Direction, can be in or out.
spiipsec.SAs.spi: Number. SPI.
ue_idipsec.SAs.ue_id: Number. Associated ue_id.
modeipsec.SAs.mode: String. ESP type, can be tunnel or transport
srcipsec.SAs.src: String. Source IP address.
dstipsec.SAs.dst: String. Destination IP address.
tun_srcipsec.SAs.tun_src: Optional string. Tunnel source IP address.
tun_dstipsec.SAs.tun_dst: Optional string. Tunnel destination IP address.
src_prefixipsec.SAs.src_prefix: Number. Source network prefix.
dst_prefixipsec.SAs.dst_prefix: Number. Destination network prefix.
authent_keyipsec.SAs.authent_key: String. Authentication key in hexadecimal form (Empty string authentication is disabled).
cipher_keyipsec.SAs.cipher_key: String. Ciphering key in hexadecimal form (Empty string ciphering is disabled).

5.6 N3IWF messages

ng

Get AMF link state.
Response definition:

ng_listng.ng_list

Array of object. One for each AMF connection defined as follow:

stateng.ng_list.state: Link state: disconnected, connecting, connected, inactive or setup_done.
addressng.ng_list.address: AMF address.
nameng.ng_list.name: AMF name.
PLMNng.ng_list.PLMN: If connection complete, PLMN.

ngconnect

Forces connection to an AMF.
Message definition

addressngconnect.address: Optional string. If not set, will try to connect to all registered AMF, else will try with the specified address.

ngdisconnect

Forces disconnection from an AMF.
Message definition

addressngdisconnect.address: Optional string. If not set, will to disconnect from all registered AMF, else will try with the specified address.

ngadd

Adds a new AMF to the list of NGAP connections.
Message definition
The message must contain the same parameters as one of the object defined in amf_list array. See amf_list.

ngdelete

Removes a AMF address from the list of NGAP connections.
Message definition

addrngdelete.addr: String. AMF address to be removed from the list.

ue_ctx_rel

Forces a UE context release.
Message definition:

ran_ue_idue_ctx_rel.ran_ue_id: Integer. RAN UE id.

6 Log file format

6.1 NAS layer

When a NAS message is dumped, the format is:

time layer - message

When a NAS data PDU is dumped (debug level), the format is:

time layer dir MME_UE_ID message_type
        long_content

time: Time using the selected format
layer: Indicate the layer ([NAS] here).
dir: UL (uplink) or DL (downlink).
MME_UE_ID: MME S1AP UE identifier (hexadecimal).
message_type: NAS message type.
long_content: Full content of the NAS message if nas.max_size > 0.

6.2 IP layer

When a IP data PDU is dumped (debug level), the format is:

time layer dir short_content
        long_content

time: Time using the selected format
layer: Indicate the layer ([IP] here).
dir: UL (uplink) or DL (downlink).
short_content: Single line content (at least the IP protocol and the source and destination address).
long_content: Optional hexadecimal dump of the PDU if ip.max_size > 0.

6.3 NGAP and GTP-U layers

When a message is dumped, the format is:

time layer - message

When a data PDU is dumped (debug level), the format is:

time layer dir ip_address short_content
        long_content

time

Time using the selected format.

layer

Indicate the layer ([NGAP] or [GTPU] here).

dir

Direction: TO or FROM.

ip_address

source or destination IP address, depending on the dir field.

short_content

Single line content.

long_content

NGAP: full ASN.1 content of the message if layer.max_size > 0.
GTPU: hexadecimal dump of the message if layer.max_size > 0.

7 Change history

7.1 Version 2025-12-12

OpenSSL library is upgraded to 3.5.4
removed deprecated DES-CBC IKE and IPsec encryption algorithm

7.2 Version 2025-09-19

tac parameter range is updated to forbid reserved values specified in 3GPP 23.003
DCSP values for GTP-U tunnels are set to Expedited Forwarding for 5QI 1 and 65 in the configuration files delivered

7.3 Version 2025-06-13

error and data objects in ike_generate_error object are replaced by reject_notify_list object. The old syntax is still supported for backward compatibility

7.4 Version 2025-03-14

NGAP ASN.1 is updated to v18.4.0
added NGAP overload support

7.5 Version 2024-12-13

NGAP ASN.1 is updated to v18.3.0

7.6 Version 2024-09-13

added license remote API
mobike parameter is added in nwu object and config_set remote API
dont_fragment parameter is added to nwu configuration object and config_set remote API
encr-null-auth-aes-gmac-128, encr-null-auth-aes-gmac-192 and encr-null-auth-aes-gmac-256 values are added to esp_encryption_algo_list
com_logs_lock parameter is renamed to com_log_lock. com_logs_lock is still supported for backward compatibility
added com_log_us parameter

7.7 Version 2024-06-14

OpenSSL library is upgraded to 1.1.1w
added backup_amf_addr and priority parameters to amf_list object

7.8 Version 2024-03-15

added MOBIKE support
added more remote APIs documentation
added AMF name to ng monitor command

7.9 Version 2023-12-15

added loop_count and loop_delay to remote API messages
added sim_events, sim_events_loop_count and sim_events_loop_delay
added com_ssl_ca parameter for SSL verification

7.10 Version 2023-09-08

NGAP ASN.1 is updated to v17.5.0
gtp_use_packet_bundling parameter is added for GTP-U PDUs bundling support
ipsec remote API added

7.11 Version 2023-06-10

NGAP ASN.1 is updated to v17.4.0
com_logs_lock parameter added to disable logs configuration change via remote API

7.12 Version 2023-03-17

com_addr parameter now uses [::] address instead of 0.0.0.0 in the delivered configuration file to allow IPv6 connection

7.13 Version 2022-12-16

NGAP ASN.1 is updated to v17.2.0
added new IKE-Sa and ESP-Sa algorithms
added snpn parameter to plmn_list object for NPN support
added dpd value to exchange parameter
added utc parameter to remote API response messages

7.14 Version 2022-09-16

"ipsec debug" monitor is now deprecated. Set ipsec.verbose to 1 in log configuration
added dpd_timer_value parameter

7.15 Version 2022-06-17

OpenSSL library is upgraded to 1.1.1n
added new IKE-Sa and ESP-Sa algorithms and groups
added start_timestamp and end_timestamp to log_get API
added ike_duration parameter
esp_duration and ike_duration parameters can be changed with config_set API

7.16 Version 2022-03-18

ike_generate_error configuration object is added
added NAT traversal support

7.17 Version 2021-12-17

ike_encryption_algo_list, ike_integrity_algo_list, ike_prf_list, ike_dh_group_list, esp_encryption_algo_list, esp_integrity_algo_list and esp_dh_group_list parameters are added to make the list of N3IWF supported algorithms configurable
license monitor command is added

7.18 Version 2021-09-17

Initial release

8 License

lten3iwf is available without any express or implied warranty. In no event will Amarisoft be held liable for any damages arising from the use of this software.

For more information on licensing, please refer to license terms.

License terms

Amarisoft SAS - www.amarisoft.com
16-18 rue Rivay, 92300 LEVALLOIS PERRET, France SAS with a capital of 300,000 Euros - VAT FR21753998269 - SIREN: 753998269 (RCS Nanterre) - NAF 6201Z – DUNS 264482426

SOFTWARE LICENSE TERMS
NOTICE: THE AMARISOFT SOFTWARE PRODUCT, TOGETHER WITH ITS ACCOMPANYING DOCUMENTATION,
(THE "PRODUCT") IS THE PROPERTY OF AMARISOFT. THE PRODUCT IS MADE AVAILABLE TO YOU, THE
PURCHASER, SUBJECT TO THE FOLLOWING LICENSE AGREEMENT ("LICENSE AGREEMENT"). PLEASE READ
THIS LICENSE CAREFULLY BEFORE INSTALLING OR USING THE PRODUCT. A COPY OF THIS LICENSE IS
AVAILABLE FOR YOUR FUTURE REFERENCE IN THE "LICENSE.TXT" FILE PROVIDED WITH THE PRODUCT.
IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS OF THIS AGREEMENT AND THE TERMS AND
CONDITIONS OF ANY APPLICABLE LICENSE AGREEMENTS OR NOTICES INDICATED OR REFERENCED BELOW,
THEN YOU MAY NOT USE THE PRODUCT. ANY USE BY YOU OF THIS PRODUCT OR INSTALLATION OF THE
PRODUCT ALSO CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS.
AMARISOFT is only willing to grant you a license under this License Agreement if you obtained the Product
from AMARISOFT or an AMARISOFT authorized distributor or reseller, a list of which is available on
AMARISOFT website. If you obtained the Product from any other source you may not install or use the
Product.

1. GRANT OF LICENSE AND SCOPE OF USE
For each license that you acquire to use the Product, you will be provided with a License Certificate (a "License
Certificate"), which may be either a certificate, the installation and licensing instructions, your invoice, or an
activation file and which may be provided to you either with the Product media or separately by AMARISOFT
or its authorized distributors or resellers. The License Certificate will contain information specific to the
Product, the type of license under which you may use the Product and the number of licenses that you have
acquired. In order to activate and use the Product as set forth in this License Agreement, you must follow the
instructions when prompted by the Product.
The type of license you may acquire is a Standard License or a Floating License, all defined in Sections 1.1 and
Section 1.2 of this License Agreement. Unless your License Certificate identifies your acquisition of another
license type, you have acquired a Standard License. For more information on which license types, if any, is
included with the Product media, you should contact AMARISOFT or your AMARISOFT authorized distributor or
reseller.
Unless otherwise agreed, one (1) AMARISOFT license provides the right to use only one instance of the Product
software at a time.
Subject to the other terms and conditions of this License, you may make a reasonable number of copies of the
Product to backup devices such as hard disks, optical media, or tape and one (1) physical CD media backup
copy of the Product solely to replace the original copy provided to you if the original copy is damaged or
destroyed. All rights not specifically granted to you herein are retained by AMARISOFT.

1.1 Standard License
The terms of this Section 1.1 are applicable to you only if you have purchased a Standard License, as defined
below, for the Product directly from AMARISOFT or an AMARISOFT authorized distributor or reseller.
Subject to the terms and conditions of this License, AMARISOFT grants you, if you are an individual or if you
are an entity, a personal, non-exclusive, non-transferable and limited license to use the Product solely with
one (1) designated single hardware in your organization (a "Standard License"). This hardware is either a
Personal Computer that you hold in your organization or that AMARISOFT has supplied you. This hardware can
also be a USB device supplied by AMARISOFT.
You may purchase from AMARISOFT or an AMARISOFT authorized distributor or reseller additional licenses to
permit multiple hardware to use the Product. This right shall be agreed in writing. The Standard License shall
provide you with the right to access and use the Product, only for the number of hardware for which you have
paid the applicable license fees and obtained a License Key Certificate. The Product may be used exclusively by
the specifically designated hardware, subject to all the terms and conditions of this License Agreement. You
agree that you will not designate more hardware than the number of Standard Licenses that AMARISOFT or an
AMARISOFT authorized distributor or reseller has expressly granted you and you will not allow the Product to
be used by any hardware other than the hardware designated by you.

1.2 Floating License
The terms of this Section 1.2 are applicable to you only if you have purchased a Floating License, as defined
below, for the Product directly from AMARISOFT or an AMARISOFT authorized distributor or reseller.
Subject to the terms and conditions of this License, AMARISOFT grants you, if you are an individual or if you
are an entity, a personal, non-exclusive, non-transferable and limited license to use the Product from our
floating license server in your organization ("FLS"). Our floating license server will allow you to run the license
on a virtual machine and thus use it on any hardware in your organization (an "FLS License").
You may purchase from AMARISOFT or an AMARISOFT authorized distributor or reseller additional licenses
and place them on our license server to permit multiple hardware to use the Product.

2. SPECIAL TERMS
The following terms and conditions ("Special Terms") are specific to certain editions, versions and components
of the Product and are in addition to the provisions of Section 1. If any provision of the Special Terms
applicable to the Product conflicts with any other provision of this License, then the provision of the Special
Terms will supersede and control.

2.1 Additional license terms applicable to third party software
Certain components of the Product use or incorporate third-party software programs and/or libraries ("Third-
Party Software"), which are loaded or integrated (in both object and source code form) on the Product. You
agree that AMARISOFT's third-party licensors and suppliers are intended third party beneficiaries of all terms
and conditions of this License intended to protect intellectual property rights in the Product (including the
Third-Party Software) and limit certain uses thereof.

3. LIMITATIONS
You may not:
(a) modify, adapt, alter, translate or create derivative works of the Product or merge the Product with other
software other than as described in the Product's accompanying documentation or as approved of in writing
by AMARISOFT;
(b) lease, rent or loan the Product to any third party;
(c) sublicense, distribute or otherwise transfer the Product or any component thereof to any third party except
as expressly authorized in this Agreement;
(d) reverse engineer, decompile, disassemble or otherwise attempt to derive the source code of the Product;
(e) remove, alter or obscure any confidentiality or proprietary notices (including copyright and trademark
notices) of AMARISOFT or its licensors or suppliers on or accompanying the Product;
(f) allow third parties to access or use the Product including but not limited to using the Product in a time-
sharing arrangement, operating the Product as part of a service bureau or, except as expressly authorized
under Sections 1 and 2 otherwise using the Product for the use or benefit of third parties;
(g) reproduce or use the Product except as expressly authorized under Sections 1 and 2;
(h) use the Product with any other hardware than the hardware designated in your organization; or
(i) disclose or publish performance benchmark results for the Product. The rights granted under this License
apply only to this Product.
You must procure a separate license to use other AMARISOFT software. Furthermore, you may not permit end
users of the Product ("End Users") to conduct the restricted activities limited by items (a) through (e), (g) and
(i) above insofar as they apply to certain files, libraries and/or source code specifically designated as
"redistributables" by AMARISOFT in the accompanying printed or on-line documentation and that are
necessary to use your own application programs and other works created using the Product
("Redistributables"), and such End User's sublicense rights to the Redistributables are conditioned upon
compliance with such limitations. The limitations in this Section 3 apply equally to your use of the Product, in
whole or in part, including any component or Redistributable.

4. LIMITED WARRANTY AND DISCLAIMER
AMARISOFT warrants you, the initial purchaser and no other party, that any physical media included with the
Product, as and when provided to you, will be free of physical defects in materials and workmanship for a
period of thirty (30) days after the date that you initially acquire the Product.
Your exclusive remedy and AMARISOFT's sole liability for breach of this warranty is that AMARISOFT will
replace any defective media returned to AMARISOFT within the thirty (30) day warranty period. This warranty
does not apply to damages resulting from misuse, abuse or neglect. Any replacement media will be warranted
as above for the remainder of the original warranty period or twenty (20) days from the date we ship it to you,
whichever is longer.
EXCEPT FOR THIS EXPRESS LIMITED WARRANTY, THE PRODUCT IS PROVIDED "AS IS" AND WITHOUT
WARRANTY OF ANY KIND. AMARISOFT HEREBY EXCLUDES AND DISCLAIMS ALL IMPLIED OR STATUTORY
WARRANTIES, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
QUALITY, NONINFRINGEMENT, TITLE, RESULTS, EFFORTS OR QUIET ENJOYMENT. THERE IS NO WARRANTY
THAT THE PRODUCT WILL BE ERROR-FREE OR WILL FUNCTION WITHOUT INTERRUPTION. YOU ASSUME THE
ENTIRE RISK FOR THE RESULTS OBTAINED USING THE PRODUCT. TO THE EXTENT THAT AMARISOFT MAY NOT
DISCLAIM ANY WARRANTY AS A MATTER OF APPLICABLE LAW, THE SCOPE AND DURATION OF SUCH
WARRANTY WILL BE THE MINIMUM PERMITTED UNDER SUCH LAW.

5. SERVICES, UPDATES AND PRODUCT CHANGES
AMARISOFT is not required under this License Agreement to provide any installation, maintenance service,
training or other services to you, except those expressly provided herein. Such services, if available, must be
purchased separately.
If, pursuant to a separate support agreement or otherwise, AMARISOFT provides you with a new release, error
correction, update, upgrade or other modification to the Product, such modification will be deemed part of the
Product, and subject to the terms of this License Agreement, unless the modification is expressly provided
subject to a separate License Agreement.
AMARISOFT reserves the right at any time not to release or to discontinue release of any Product and to alter
prices, features, specifications, capabilities, functions, licensing terms, release dates, general availability or
other characteristics of any future releases of the Product.

5.1 Support extension
Unless otherwise indicated, AMARISOFT License includes a one-year email support period and update.
You can subscribe to an additional one-year support and update period, at the latest within the four months
following the expiry date of the initial purchase. You can then renew subscription to this extension every year,
with the same four-month deadline. The extended support and update period starts on the day after the initial
expiry date.
Once this four-month deadline is over, an extra administrative reactivation fee is invoiced in addition to the
extension cost. The extended support and update period starts when payment of the corresponding invoice is
received.

6. REGISTRATION
You must register the Product with AMARISOFT as a condition to your rights to use the Product.
For all concerned, you will be asked to provide identification information on the hardware (serial number,
internal inventory number, other) you plan to install the Product on.

7. CONFIDENTIALITY
You acknowledge that if part of the Product in source code form exists, it remains a confidential trade secret of
AMARISOFT. You agree to hold this information in confidence, not to disclose it to any person, and not to use it
for any purpose other than the use and operation of the Product as permitted under this License Agreement.

8. LIMITATION OF LIABILITY
IN NO EVENT WILL AMARISOFT BE LIABLE TO ANY PARTY FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL,
EXEMPLARY, SPECIAL OR PUNITIVE DAMAGES, INCLUDING ANY LOSS OF PROFIT, REVENUE, BUSINESS
OPPORTUNITY OR DATA, ARISING FROM OR RELATING TO THIS LICENSE AGREEMENT OR THE PRODUCT,
WHETHER IN CONTRACT, IN TORT, NEGLIGENCE OR OTHERWISE, EVEN IF AMARISOFT KNEW, SHOULD HAVE
KNOWN OR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. AMARISOFT'S TOTAL CUMULATIVE
LIABILITY ARISING FROM OR RELATED TO THIS LICENSE AGREEMENT OR THE PRODUCT, WHETHER IN
CONTRACT, IN TORT OR OTHERWISE, WILL NOT EXCEED THE FEES ACTUALLY PAID BY YOU UNDER THIS
LICENSE AGREEMENT. THIS SECTION 8 WILL APPLY EVEN IF AN EXCLUSIVE REMEDY HEREUNDER HAS FAILED
OF ITS ESSENTIAL PURPOSE.

9. TERM AND TERMINATION

9.1 Term
The term of this License Agreement will begin as of the date that you receive the Product and will remain in
effect unless terminated under this Section 9.

9.2 Termination for Convenience
You may terminate this License Agreement for any reason, or for no reason, by giving AMARISOFT a five-day
(5) written notice. You shall not be entitled to request repayment of any fee or payment made to AMARISOFT.

9.3 Termination for Cause
AMARISOFT may terminate this License Agreement if you breach your obligations hereunder. AMARISOFT will
affect such termination by giving you notice of termination, specifying therein the alleged breach. If your
breach is curable, you will have a grace period of thirty (30) days after such notice is served to cure the breach
described therein. If the breach is cured within the thirty (30) day grace period, then this License Agreement
will remain in effect; otherwise, this License Agreement will automatically terminate upon the conclusion of
the thirty (30) day grace period.

9.4 Effect of Termination
Upon the termination of this License Agreement for any reason the following terms shall apply:
(a) all rights granted under this License Agreement will immediately terminate and you must stop all use of the
Product and any Redistributables;
(b) you must return to AMARISOFT or destroy all copies of the Product provided to or made by you, and will,
within ten (10) days after the effective date of termination, provide AMARISOFT with written certification that
all such copies have been returned or destroyed; and
(c) all provisions of this License Agreement with the exception of the licenses granted in Sections 1 and 2, will
survive termination of this License Agreement for any reason.

10. GENERAL PROVISIONS

10.1 Audit
If you are entering into this License Agreement as an entity other than an individual (e.g., as a corporation, a
partnership, or other organization), during the term of this License and for three (3) years thereafter,
AMARISOFT or its outside auditors will have the right to conduct an audit of your records and computer
systems to verify that you have paid to AMARISOFT the correct amounts owed under this License Agreement
and determine whether the Products are being used in accordance with the terms of this License Agreement.
Any audit will be conducted during regular business hours at your facilities, with reasonable notice. You agree
to provide the audit team access to the relevant records and facilities and to provide reasonable assistance to
AMARISOFT in connection with this provision. You agree to pay the cost of the audit if any underpayments
during the period covered by the audit amount to more than five percent (5%) of the fees actually owed or if
the number of deployments of the Products is more than five percent (5%) of that licensed.

10.2 Hazardous Uses
The Product is not intended for use in connection with any application requiring fail-safe performance such as
the operation of nuclear power facilities, air traffic control or navigation systems, weapons control systems,
life support systems, or any other system whose failure could lead to injury, death, environmental damage or
mass destruction. You agree that AMARISOFT will have no liability of any nature, and you are solely
responsible, for any expense, loss, injury or damage incurred as a result of such use of the Product.

10.3 Entire License and Severability
This License Agreement constitutes the entire, final and exclusive agreement between you and AMARISOFT
regarding the specific license transaction described herein. If any provision of this License Agreement is held to
be illegal, invalid or unenforceable for any reason, then such provision will be enforced to the maximum extent
permissible and the remainder of the provisions of this License Agreement will remain in full force and effect.

10.4 Assignment
You may not transfer the Product, assign this License Agreement or assign any of your rights or delegate any of
your obligations under this License Agreement, by operation of law or otherwise (including by merger, sale of
assets or consolidation), without AMARISOFT's prior written consent. Any attempted assignment in violation
of this Section 10.4 will be void.

10.5 Export Control
You may not directly or indirectly transfer the Product, including its documentation, to any country if such
transfer would be prohibited by applicable law. You agree to the foregoing and you are representing and
warranting that you are not located in, under the control of, or a national or resident of any such country. You
will be solely responsible for identifying and complying with all laws of any jurisdiction regarding the import,
export or use of Products and technical data supplied by AMARISOFT. You will obtain at your own expense all
licenses, permits or approvals required by any government to use the Product.

10.6 Waiver and Modifications
All waivers must be in writing. Any waiver or failure to enforce a provision of this License Agreement on one
occasion shall not be deemed a waiver of any other provision or such provision on any other occasion. This
License Agreement may only be amended by a written document signed by both parties.

11. CRYPTOGRAPHY
The Product and the content provided by AMARISOFT may contain encryption software. The country in which
you are currently may have restrictions on the import, possession, and use, and/or re-export to another
country, of encryption software. BEFORE using any encryption software, please check the country's laws,
regulations and policies concerning the import, possession, or use, and re-export of encryption software, to
see if this is permitted.

12. NON-RECURRING ENGINEERING
The intellectual property of all items designed, developed and manufactured by AMARISOFT resides and
remains with AMARISOFT. The payment of Non-Recurring Engineering (NRE) charges by you does not confer
any rights to the intellectual property of any designs which emanate directly or indirectly from the
development. As part of any contract, whether it includes the payment of NRE or not, you must accept
without reservation that AMARISOFT is the rightful owner of all intellectual property rights for the Product
and/or other products which are supplied under this Licence Agreement or standard supplies to you. You must
not copy, or allow any third party to copy the designs of any AMARISOFT's products.

NR Software N3IWF version 2025-12-12*This document is based on the latest test release.Features may not be present in your current installed software. You may check their availability in change history or in your release documentation.If you require an up to date release, ask for it in a ticket.

Table of Contents

1 Introduction

2 Installation

2.1 Linux setup

2.1.1 Packages

2.1.2 OpenSSL

2.1.3 License key installation

2.2 LTEN3IWF installation

2.2.1 Basic LTEN3IWF configuration

2.3 Initial testing

3 Command line monitor reference

4 Configuration reference

4.1 Configuration file syntax

4.1.1 JSON merge rules

4.2 Properties

5 Remote API

5.1 Messages

5.2 Startup

5.3 Errors

5.4 Sample nodejs program

5.5 Common messages

5.6 N3IWF messages

6 Log file format

6.1 NAS layer

6.2 IP layer

6.3 NGAP and GTP-U layers

7 Change history

7.1 Version 2025-12-12

7.2 Version 2025-09-19

7.3 Version 2025-06-13

7.4 Version 2025-03-14

7.5 Version 2024-12-13

7.6 Version 2024-09-13

7.7 Version 2024-06-14

7.8 Version 2024-03-15

7.9 Version 2023-12-15

7.10 Version 2023-09-08

7.11 Version 2023-06-10

7.12 Version 2023-03-17

7.13 Version 2022-12-16

7.14 Version 2022-09-16

7.15 Version 2022-06-17

7.16 Version 2022-03-18

7.17 Version 2021-12-17

7.18 Version 2021-09-17

8 License

License terms

NR Software N3IWF
version 2025-12-12*
This document is based on the latest test release.
Features may not be present in your current installed software. You may check their availability in change history or in your release documentation.
If you require an up to date release, ask for it in a ticket.