<div>Hi</div>
<div> </div>
<div>I started the load-tester using settings as per advice below from Martin. I am observing the following issue (trace from the rw-server side):</div>
<div>-----------------------------------------------------------------------------</div>
<div>15[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]<br>15[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>15[CFG] looking for peer configs matching 172.17.10.10[<a href="http://srv.strongswan.org">srv.strongswan.org</a>]...172.17.10.253[<a href="http://c5-1.strongswan.org">c5-1.strongswan.org</a>]<br>
15[CFG] no matching peer config found<br>15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>15[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]</div>
<div>---------------------------------------------------------------------------</div>
<div> </div>
<div>- So as per the advice below, i had used the default-psk auth secret as configured below in the ipsec.secrets file on the rw-server:</div>
<div> </div>
<div>: PSK "default-psk"</div>
<div> </div>
<div>- On the rw-server i used the following ipsec.conf file settings and i started ipsec using "ipsec start"</div>
<div>--------------------------------------</div>
<div>[root@dvtpc1 etc]# cat ipsec.conf<br># /etc/ipsec.conf - strongSwan IPsec configuration file</div>
<div>config setup<br> strictcrlpolicy=no<br> crlcheckinterval=180<br> plutostart=yes<br> charonstart=yes<br> nat_traversal=yes</div>
<div> </div>
<div>conn %default<br> ikelifetime=60m<br> keylife=30m<br> rekeymargin=3m<br> keyingtries=1<br> mobike=no</div>
<div> </div>
<div>conn rw-server<br> left=172.17.10.10<br> leftsubnet=<a href="http://192.168.20.0/24">192.168.20.0/24</a><br> right=%any<br> rightsourceip=<a href="http://10.3.0.0/16">10.3.0.0/16</a><br> authby=secret<br>
keyexchange=ikev2<br> type=tunnel<br> auto=add<br>#<br>---------------------------------------------------------</div>
<div> </div>
<div>- On the load-tester-plugin enabled linux-system, i used the following settings</div>
<div> </div>
<div>--------------------------------------</div>
<div>[root@dvtpc3 etc]# cat strongswan.conf<br># strongswan.conf - strongSwan configuration file</div>
<div>charon {<br> reuse_ikesa = no<br> # number of worker threads in charon<br> threads = 32</div>
<div> # send strongswan vendor ID?<br> # send_vendor_id = yes</div>
<div> plugins {</div>
<div> sql {<br> # loglevel to log into sql database<br> loglevel = -1</div>
<div> # URI to the database<br> # database = sqlite:///path/to/file.db<br> # database = mysql://user:password@localhost/database<br> }</div>
<div> load-tester {</div>
<div> # enable the plugin<br> enable = yes<br> # 50 connections, ten in parallel<br> initiators = 5<br> iterations = 10<br> # use a delay of 100ms, overall time is: iterations * delay<br>
delay = 100<br> # address of the gateway<br> remote = 172.17.10.10<br> # IKE-proposal to use<br> proposal = aes128-sha1-modp1024<br> # use faster PSK authentication instead of 1024bit RSA<br>
initiator_auth = psk<br> responder_auth = psk<br> # request a virtual IP using configuration payloads<br> request_virtual_ip = yes<br> # disable IKE_SA rekeying (default)<br>
ike_rekey = 0<br> # enable CHILD_SA every 60s<br> child_rekey = 60<br> # do not delete the IKE_SA after it has been established (defaul t)<br>
delete_after_established = no<br> # do not shut down the daemon if all IKE_SAs established<br> shutdown_when_complete = no<br> }</div>
<div> </div>
<div> }</div>
<div> # ...<br>}</div>
<div>pluto {</div>
<div>}</div>
<div>libstrongswan {</div>
<div> # set to no, the DH exponent size is optimized<br> # dh_exponent_ansi_x9_42 = no<br>}<br>[root@dvtpc3 etc]#</div>
<div> </div>
<div>--------------------------------------------------------------------</div>
<div> </div>
<div>- On the load-tester-plugin-enable system i started ipsec by using "ipsec start --nofork" (because i do not know how to start charon directly as suggested below :- ) sorry..i hope starting ipsec using ipsec start also is valid for the load-tester plugin)</div>
<div> </div>
<div>- Iam observing the following messages (auth failed) on the load-tester-enabled pc:</div>
<div>---------------------------------</div>
<div> </div>
<div>16[IKE] received AUTHENTICATION_FAILED notify error<br>14[IKE] authentication of '<a href="http://c14-r1.strongswan.org">c14-r1.strongswan.org</a>' (myself) with pre-shared key<br>14[IKE] establishing CHILD_SA load-test<br>
14[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>14[NET] sending packet: from 172.17.10.253[500] to 172.17.10.10[500]<br>15[IKE] authentication of '<a href="http://c12-r1.strongswan.org">c12-r1.strongswan.org</a>' (myself) with pre-shared key<br>
17[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]<br>17[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>17[IKE] received AUTHENTICATION_FAILED notify error<br>15[IKE] establishing CHILD_SA load-test<br>
15[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>15[NET] sending packet: from 172.17.10.253[500] to 172.17.10.10[500]<br>18[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]<br>
18[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>19[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]<br>19[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>
19[IKE] received AUTHENTICATION_FAILED notify error<br>22[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]<br>22[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
18[IKE] authentication of '<a href="http://c15-r1.strongswan.org">c15-r1.strongswan.org</a>' (myself) with pre-shared key<br>18[IKE] establishing CHILD_SA load-test<br>18[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]<br>
18[NET] sending packet: from 172.17.10.253[500] to 172.17.10.10[500]<br>23[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]<br>23[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]<br>23[IKE] received AUTHENTICATION_FAILED notify error</div>
<div>------------------------------------------------------------------------------------------</div>
<div> </div>
<div>so i guess, the default psk auth expected is still based on fqdn values and not the "default-psk" secret value. Can you suggest where should i edit for enabling the default-psk value for psk auth to work</div>
<div> </div>
<div>thanks for your time and for your help</div>
<div> </div>
<div>with regards</div>
<div>rajiv</div>
<div> </div>
<div> </div>
<div>>>fromMartin Willi <a href="mailto:martin@strongswan.org">martin@strongswan.org</a> <br>>>toRajiv Kulkarni <<a href="mailto:rajivkulkarni69@gmail.com">rajivkulkarni69@gmail.com</a>></div>
<p>>><a href="mailto:ccusers@lists.strongswan.org">ccusers@lists.strongswan.org</a></p>
<p>>>dateFri, Jul 29, 2011 at 5:34 PM<br>>>subjectRe: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer >>gws with 1 IKE SA)<br>>>Important mainly because of your interaction with messages in the conversation.</p>
<p>>>Hi,</p>
<p><br>> - What is the meaning of "initiators=10 and iterations=100". i would<br>> think that for simulating establishment of 1000 simultaneous tunnels i<br>> would want 1000 initiators to be running right? Why only 10 and<br>
> running them 100 times?</p>
<p><br>"initiators" defines the number of threads. Each thread initiates<br>"iterations" connections. More initiators means more parallelism. Make<br>sure to have enough threads defined with the charon "threads" option<br>
(roughly at least 10 + initiators).</p>
<p><br>> - what will be the configuration in "ipsec.conf"? will there be a<br>> ipsec.conf file used for this load-test scenario on the<br>> rw-client-simulator pc.</p>
<p><br>No, the load-tester works independently from any ipsec.conf<br>configuration. It provides a dynamic configuration and credential<br>generation.</p>
<p><br>> - So this means that the "ipsec.secrets" file will be used? right? any<br>> sample file for this load-test scenario for say simulating 1000<br>> tunnels/clients?</p>
<p><br>A single PSK can be defined in the load-tester configuration using the<br>"preshared_key" option. But you of course can rely on credentials<br>defined with ipsec.secrets.</p>
<p>> - Also iam confused as to what should be the content of the</p>
<p>> "ipsec.secrets" file on the rw-client-simulator for PSK with FQDN? any<br>> example will help because iam thinking for 1000 clients how many PSK<br>> statments and what FQDN to use in the ipsec.secrets file</p>
<p><br>Try it without any ipsec.secrets credentials, using the PSK provided<br>through load-tester is fine.</p>
<p>> - Do i just use the command "ipsec start" or is there any other</p>
<p>> options required to be used?</p>
<p><br>As no ipsec.conf is involved, the starter is actually not required. I<br>prefer to launch charon directly when doing load-tests.</p>
<p><br>> - What will be the contents of the ipsec.secrets file on this server<br>> m/c? I mean we need to use PSK with FQDN for 1000 clients right? any<br>> sample ipsec.secrets file will be a tremendous help</p>
<p><br>The default PSK used by the load-tester plugin is "default-psk", but you<br>can override it using the option mentioned above. You can define</p>
<p>: PSK "default-psk"</p>
<p>in the responders ipsec.secrets to use it for all identities.</p>
<p>> request_virtual_ip = yes</p>
<p>Please be aware that the Linux kernel can't handle hundreds of IPs very<br>efficiently. Your test system will slow down if you install an IP with<br>each tunnel. You can avoid this by setting</p>
<p>charon {<br> install_virtual_ip = no<br>}</p>
<p>in strongswan.conf on the initiating system.<br><br></p>
<div class="gmail_quote">On Fri, Jul 29, 2011 at 5:15 PM, Rajiv Kulkarni <span dir="ltr"><<a href="mailto:rajivkulkarni69@gmail.com">rajivkulkarni69@gmail.com</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div>Hi Tobias</div>
<div> </div>
<div>Thanks for the reply. </div>
<div> </div>
<div>No, i did not know of the load-tester plugin till you told me about it. I followed your advice and started setting up the load-tester plugin with strongswan-4.5.2 on Linux-Fedora servers</div>
<div> </div>
<div>- As mentioned in one of the mail-list on Load-Tester plugin, I have assgined one linux-box for simulating the road-warrior-clients and the other as the rw-server</div>
<div> </div>
<div>- Now On the rw-client-simulator, i have setup the following:</div>
<div> </div>
<div>strongswan.conf file</div>
<div>------------------------<br>....</div>
<div>....</div>
<div>charon {<br> reuse_ikesa = no<br> threads = 32<br><br> plugins {<br> load-tester {<br> # enable the plugin<br> enable = yes<br> # 1000 connections, ten in parallel<br>
initiators = 10<br> iterations = 100<br> # use a delay of 100ms, overall time is: iterations * delay = 100s<br> delay = 100<br> # address of the gateway<br> remote = 192.168.0.1<br>
# IKE-proposal to use<br> proposal = aes128-sha1-modp1024<br> # use faster PSK authentication instead of 1024bit RSA<br> initiator_auth = psk<br> responder_auth = psk<br>
# request a virtual IP using configuration payloads<br> request_virtual_ip = yes<br> # disable IKE_SA rekeying (default)<br> ike_rekey = 0<br> # enable CHILD_SA every 60s<br>
child_rekey = 60<br> # do not delete the IKE_SA after it has been established (default)<br> delete_after_established = no<br> # do not shut down the daemon if all IKE_SAs established<br>
shutdown_when_complete = no<br> }<br> }<br>}<br>...</div>
<div>...<br></div>
<div>Now,here i request for some help and clarfication as iam unable to understand the exact usage and flow of the load-test scenario:</div>
<div> </div>
<div>-------------------------------------------</div>
<div>on the rw-client-simulator pc</div>
<div>-------------------------------------------</div>
<div> </div>
<div>- What is the meaning of "initiators=10 and iterations=100". i would think that for simulating establishment of 1000 simultaneous tunnels i would want 1000 initiators to be running right? Why only 10 and running them 100 times?</div>
<div> </div>
<div>- Would the initiators change after every 10th tunnel is established?....????? or what???</div>
<div> </div>
<div>- what will be the configuration in "ipsec.conf"? will there be a ipsec.conf file used for this load-test scenario on the rw-client-simulator pc.</div>
<div> </div>
<div>- The wiki page on load-test plugin says</div>
<div>"For PSK authentication, FQDN identities are used. The server uses <em><a href="http://srv.strongswan.org/" target="_blank">srv.strongswan.org</a></em>, the client uses an identity in the form <em><a href="http://c1-r1.strongswan.org/" target="_blank">c1-r1.strongswan.org</a>"</em></div>
<div><em></em> </div>
<div>- So this means that the "ipsec.secrets" file will be used? right? any sample file for this load-test scenario for say simulating 1000 tunnels/clients?</div>
<div> </div>
<div>- Also iam confused as to what should be the content of the "ipsec.secrets" file on the rw-client-simulator for PSK with FQDN? any example will help because iam thinking for 1000 clients how many PSK statments and what FQDN to use in the ipsec.secrets file</div>
<div> </div>
<div>- Do i just use the command "ipsec start" or is there any other options required to be used?</div>
<div> </div>
<div>----------------------------------------------------------------------</div>
<div>On the RW-Server (RoadWarrior-Server) Machine:</div>
<div>-----------------------------------------------------------------------</div>
<div> </div>
<div>Once again as adviced in one of the mail-list response on load-tester plugin query , On the rw-server-simulator pc, iam using the following:</div>
<div> </div>
<div>- I have NOT configured anything in the strongswan.conf file i.e as adviced i have not enabled the load-tester plugin on the server. Is this correct?</div>
<div> </div>
<div>- Now the configurations:</div>
<div> </div>
<div>ipsec.conf file</div>
<div> </div>
<div># /etc/ipsec.conf - strongSwan IPsec configuration file</div>
<div>config setup<br> crlcheckinterval=180<br> strictcrlpolicy=no<br> plutostart=no<br> charonstart=yes</div>
<div> </div>
<div>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br> keyexchange=ikev2<br> mobike=no</div>
<div> </div>
<div>conn rw<br> left=192.168.0.1<br> leftsubnet=<a href="http://10.1.0.0/16" target="_blank">10.1.0.0/16</a><br> right=%any<br> rightsourceip=<a href="http://10.3.0.0/28" target="_blank">10.3.0.0/28</a><br>
auto=add</div>
<div> authby=secret</div>
<div> </div>
<div>- I feel that iam still missing some more important configurations in the ipsec.conf file on this server</div>
<div> </div>
<div>- What will be the contents of the ipsec.secrets file on this server m/c? I mean we need to use PSK with FQDN for 1000 clients right? any sample ipsec.secrets file will be a tremendous help</div>
<div> </div>
<div> </div>
<div>I am stuck at this point of setup and i would be greatful for your help and advice</div>
<div> </div>
<div>thanks & regards</div>
<div>rajiv</div>
<div>
<div></div>
<div class="h5">
<div> </div>
<div class="gmail_quote">On Mon, Jul 18, 2011 at 7:44 PM, Tobias Brunner <span dir="ltr"><<a href="mailto:tobias@strongswan.org" target="_blank">tobias@strongswan.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hi Rajiv,<br>
<div><br>> - is there a better way and a simple and elegant way to simulate 1000<br>> tunnels (2000 SAs)?<br><br></div>Did you already have a look at the load-tester plugin [1]?<br><br>Regards,<br>Tobias<br><br>[1] <a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests" target="_blank">http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests</a><br>
<br>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br></div></div></blockquote></div><br>