<html><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:12pt"><div><font face="Times New Roman">
</font></div><div></div><font face="Times New Roman"><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Hi All,<var id="yui-ie-cursor"></var><o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>We are using two Multi-Core MIPS 64 bit Processors. (One acts
as an IKE initiator and another as an IKE responder). We are running strongswan
in both systems. Both the systems have 1Gbps Ethernet cards, which are
connected to 1 Gbps L2 switch. The Linux OS runs on all these cores. We have
modified the strongswan code (5.0.4) so as to restrict one instance of
starter/charon to run on first core but the group of threads (created and
managed by the strongswan based upon configuration setting in strongswan.conf
file) in order to process a large number of tasks, will be scheduled and
distributed among multi cores. <o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>We are doing the stability/performance benchmark testing (i.e.,
to measure the maximum no. of IPsec/IKEv2 tunnels without traffic, Tunnel
setup/teardown rate) using the load-tester plugin.</span><font face="Calibri"> </font><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>We
followed all the instructions to install and build the load tester plugin to
work. The strong swan wiki page says that, this plugin allows setting up
thousands of tunnels concurrently against the remote host. With 200 IPsec
tunnels (initiators = 10, iterations = 20 and delay = 20 in load-tester of
strongswan.conf), it works well. We mean, it could able to bring up all the
tunnels. While configuring for 300 IPsec tunnels, it cannot bring all the
tunnels. Sometimes it creates 200, 210, 198 etc. We observed that, at responder
end, it writes the following message “ignoring IKE_SA setup from 30.30.30.1,
peer too aggressive” in charon.log. Thus we increased the maximum number of
half-open IKE_SAs by configuring the block_threshold to 300 in strongswan.conf of
IKE responder side.<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Although we did not encounter with aforesaid message, it could
not create all 300 IPsec tunnels. Furthermore, it caused the following error
message at responder end . In charon.log, it writes the followings <o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c13-r1.strongswan.org',
but MAC mismatched[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] <o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c15-r1.strongswan.org',
but MAC mismatched[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ] <o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Please find our configuration below for Initiator as well as
Responder.<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 12pt; mso-bidi-font-size: 10.0pt;'>Configurations at IKE initiator<o:p></o:p></span></u></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>strongswan.conf
<o:p></o:p></span></u></i></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'># number of worker threads in charon<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>threads = 16<o:p></o:p></span></div><div>
<span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>replay_window =
32<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>plugins {<o:p></o:p></span></div><div>
</div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>load-tester {<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>enable = yes<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>initiators = 10<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>iterations = 30<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>delay = 100<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>responder = 30.30.30.2<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>proposal = aes128-sha1-modp1024<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>initiator_auth = psk<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>responder_auth = psk<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>request_virtual_ip = no<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>ike_rekey = 0<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>child_rekey = 0<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>delete_after_established = no<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>shutdown_when_complete = no<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>}<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>ipsec.secrets<o:p></o:p></span></u></i></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>@srv.strongswan.org %any : PSK "strongSwan"<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 12pt; mso-bidi-font-size: 10.0pt;'>Configurations at IKE responder<o:p></o:p></span></u></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>ipsec.conf<o:p></o:p></span></u></i></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>conn %default<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>ikelifetime=24h<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>keylife=23h<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>rekeymargin=5m<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>keyingtries=1<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>keyexchange=ikev2<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>ike=aes128-sha1-modp1024!<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>mobike=no<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>conn host-host<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>left=30.30.30.2<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>leftsubnet=30.30.30.2/8<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>rightid=%any<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>leftauth=psk<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>leftfirewall=yes<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>right=30.30.30.1<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>rightsubnet=30.30.30.1/8<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>leftid=@srv.strongswan.org<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>rightauth=psk<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt; text-indent: 0.5in;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>type=tunnel<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>authby=secret<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>rekey=no<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>reauth=no<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span>auto=add<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><i style="mso-bidi-font-style: normal;"><u><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>strongswan.conf<o:p></o:p></span></u></i></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span># number of
worker threads in charon<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>threads = 16<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;"> </span>replay_window =
32<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><span style="mso-spacerun: yes;">
</span>block_threshold=300<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'><o:p> </o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>We went thru <span style="mso-spacerun: yes;"> </span><a href="http://permalink.gmane.org/gmane.network.vpn.strongswan.user/6057">http://permalink.gmane.org/gmane.network.vpn.strongswan.user/6057</a>
and found that, <span style="mso-spacerun: yes;"> </span>Martin has told (in his response
to Victor) strongswan can handle several ten thousand tunnels (IPsec/IKEv2) when
configured <span style="mso-spacerun: yes;"> </span>properly. Can anyone please suggest
where we are wrong or is it the limit? <span style="mso-spacerun: yes;"> </span><span style="mso-spacerun: yes;"> </span><o:p></o:p></span></div><div>
</div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Regards,<o:p></o:p></span></div><div>
</div><div class="MsoNormal" style="margin: 0in 0in 10pt;"><span style='line-height: 115%; font-family: "Comic Sans MS"; font-size: 10pt;'>Chinmaya<o:p></o:p></span></div><div>
</div></font><div></div></div></body></html>