<span class="Apple-style-span" style="background-color: rgb(255, 255, 255); "><pre><font class="Apple-style-span" face="'Times New Roman'"><font class="Apple-style-span" size="3">Hello everyone,
I need some help regarding load testing against a remote host. I have my strongswan.conf file set up as described in the link below:
<a href="http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests">http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests</a>
Right now I am using EAP authentication, i.e. in the strongswan.conf file I have set </font><b style="font-size: medium; ">"initiator_auth = eap"</b><font class="Apple-style-span" size="3">. But the tunnel is not created. When I run ipsec statusall it reports SA NONE. On the server side it gives an </font><b style="font-size: medium; ">error for Tunnel down as TS Unacceptable</b><font class="Apple-style-span" size="3">. So I tried configuring </font><b style="font-size: medium; ">rightsubnet </b><font class="Apple-style-span" size="3">in the client-side </font><b style="font-size: medium; ">ipsec.conf</b><font class="Apple-style-span" size="3"> file at </font><b style="font-size: medium; ">conn %default </b><font class="Apple-style-span" size="3">but it still gives the same error!
1. Does it have anything to do with the </font><b style="font-size: medium; ">reuse_ikesa </b><font class="Apple-style-span" size="3">or </font><b style="font-size: medium; ">ike_rekey </b><font class="Apple-style-span" size="3">or </font><b style="font-size: medium; ">child_rekey</b><font class="Apple-style-span" size="3"> or </font><b style="font-size: medium; ">nat_traversal </b><font class="Apple-style-span" size="3">parameters in the strongswan.conf file?
2. Do I have to do anything with the </font><b style="font-size: medium; ">ip xfrm state</b><font class="Apple-style-span" size="3"> and </font><b style="font-size: medium; ">ip xfrm pol</b><font class="Apple-style-span" size="3"> commands?
3. I also observed some variations in the SA field when I run the </font><b style="font-size: medium; ">ipsec statusall</b><font class="Apple-style-span" size="3"> command a second after starting ipsec, but after 3 or 4 seconds when I run </font><b style="font-size: medium; ">ipsec statusall, the SA field was NONE</b><font class="Apple-style-span" size="3">. Here is the sample log:
Connections:
load-test: 0.0.0.0...192.168.17.1
load-test: local: [CN=srv, OU=load-test, O=strongSwan] uses public key authentication
load-test: remote: [%any] uses EAP authentication
load-test: child: dynamic === dynamic
Security Associations:
load-test[1]: CONNECTING, 172.63.102.20[fbsr-0000000000000001@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
load-test[1]: IKE SPIs: 18d5752ca9dc3152_i* 5eaa017e1baa4a29_r
load-test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
load-test[2]: CONNECTING, 172.63.102.20[fbsr-0000000000000002@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
load-test[2]: IKE SPIs: 6d04312601f85395_i* 14e8b0cbaf5a307c_r
load-test[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
load-test[3]: CONNECTING, 172.63.102.20[fbsr-0000000000000003@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
load-test[3]: IKE SPIs: 885ea46503d1ef5b_i* 5dccc3731da91a99_r
load-test[3]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
load-test[4]: CONNECTING, 172.63.102.20[fbsr-0000000000000004@eapds2460.iprc.nlt.in]...192.168.17.1[iprc.nlt.in]
load-test[4]: IKE SPIs: 5df279ec4e45815e_i* 93012abd904120ec_r
load-test[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
load-test[5]: CONNECTING, 172.63.102.20[%any]...192.168.17.1[%any]
</font><b><font class="Apple-style-span" size="4"> load-test[5]: IKE SPIs: 770a8629b52f07cd_i* 0000000000000000_r</font></b><font class="Apple-style-span" size="3">
Observe the above line. Here I am creating 10 iterations, but after the 4th iteration the IKE SPI values are zeros.
</font><b><font class="Apple-style-span" size="4">After 5 seconds: </font></b><font class="Apple-style-span" size="3">
strongswan-4.4.0]# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.4.0):
uptime: 3 seconds, since Aug 23 18:17:09 2011
worker threads: 25 idle of 32, job queue load: 0, scheduled events: 60
loaded plugins: aes des sha1 sha2 md5 random x509 pubkey pkcs1 pgp dnskey pem fips-prf xcbc hmac gmp attr load-tester kernel-netlink socket-raw stroke updown eap-identity eap-ds2460 resolve
Listening IP addresses:
135.254.212.216
192.168.122.1
172.63.102.20
Connections:
load-test: 0.0.0.0...192.168.17.1
load-test: local: [CN=srv, OU=load-test, O=strongSwan] uses public key authentication
load-test: remote: [%any] uses EAP authentication
load-test: child: dynamic === dynamic
Security Associations:
none
Please help me solve this problem.
Regards,
Naren</font></font></pre></span>