<html><body><div style="color:#000; background-color:#fff; font-family:lucida console, sans-serif;font-size:12pt"><div>Hi,</div><div> </div><div>I am using the load-tester plugin to create one thousand IPsec connections/tunnels. In our scenario two security gateways A (IKE initiator) and B (IKE responder) will connect the two subnets X and Y with each other through a VPN tunnel set up between the two gateways. I found that each IKE initiator is assigned a unique IP address by the IKE responder (with CFG_REPLY during the IKE_AUTH exchange) and the IPsec/child SAs are created using the same. But what I see with load-tester is that TSr is by default the remote IP address (as it is configured in strongswan.conf). It does not take the leftsubnet parameter (configured in ipsec.conf at gateway B). I think it's not supported. Can anyone please confirm? I need to send the traffic from a host behind Y to a host behind X and vice versa via
 the IPsec tunnels established between A and B. Is there any way to accomplish the same? Do I need to modify the source code? Any pointers in this regard will be highly appreciated.</div><div> </div><div>Thanks in advance for your support.</div><div> </div><div>10.0.0.0/8 -- | 30.30.30.11 | === | 30.30.30.21 | -- 40.0.0.0/8<br>  X             A                B             Y</div><div><br>Configuration on gateway A:</div><div> </div><div>strongswan.conf</div><div> </div><div>        threads = 16<br>        replay_window = 32<br>        dos_protection = no<br>       
 block_threshold=1000<br>        cookie_threshold=1000<br>        init_limit_half_open=1000<br>        retransmit_timeout=60<br>        retransmit_tries=30<br>        install_virtual_ip=no<br>        install_routes=no<br>        close_ike_on_child_failure=yes<br>        ikesa_table_size = 512<br>        ikesa_table_segments = 16<br>        reuse_ikesa = no<br>  <br> </div><div> </div><div>load-tester {<br>    enable = yes<br>                   initiators =
 10<br>                   iterations = 100<br>                   delay = 20<br>                   responder = 30.30.30.21<br>                   proposal = aes128-sha1-modp1024<br>                   initiator_auth = psk<br>                   responder_auth = psk<br>                   request_virtual_ip =
 yes<br>                   ike_rekey = 0<br>    child_rekey = 0<br>                   delete_after_established = no<br>                   shutdown_when_complete = no</div><div><br>                  }</div><div><br>Configuration on gateway  B:</div><div> </div><div>strongswan.conf</div><div>        </div><div><span class="tab">    <span class="tab">    </span></span>threads = 16<br>        replay_window = 32<br>       
 block_threshold=1000<br>        cookie_threshold=1000<br>        init_limit_half_open=1000<br>        half_open_timeout=1000<br>        dos_protection = no<br>        install_virtual_ip=no<br>        install_routes=no<br>        close_ike_on_child_failure=yes<br>        ikesa_table_size = 512<br>       ikesa_table_segments = 16<br>        reuse_ikesa = no</div><div> </div><div>ipsec.conf</div><div> </div><div>conn %default<br>        ikelifetime=24h<br>        keylife=23h<br>       
 rekeymargin=5m<br>        keyingtries=1<br>        keyexchange=ikev2<br>        ike=aes128-sha1-modp1024!<br>        mobike=no</div><div><br>conn host-host<br>        left=30.30.30.21<br>        leftsubnet=40.0.0.0/8<br>        rightid=%any<br>        leftauth=psk<br>        leftfirewall=yes<br>        rightsourceip=10.0.0.0/8<br>        leftid=@srv.strongswan.org<br>        rightauth=psk<br>        type=tunnel<br>       
 authby=secret<br>        rekey=no<br>        reauth=no<br>        auto=add</div><div> </div><div>Regards,<br>Chinmaya</div></div></body></html>