[strongSwan-dev] load-tester plugin modification

Martin Willi martin at strongswan.org
Fri Jul 29 12:16:54 CEST 2011

> 1) Which is the main missing functionality that restricts load-tester
> from taking traffic?

The load-tester plugin currently generates IKEv2 protocol exchanges,
mainly to test the daemon itself. It can simulate many clients, but only
the key exchange part.

All application data is processed by the kernel, and any tool can be
used to generated this traffic. You can extend the load tester by
generating traffic to process by the kernel, but it won't have much in
common with the existing load-tester functionality.
> 2) Is load-tester plugin the only part of the code that needs to be
> modified? Or should I look elsewhere as well?

You'd have to generate the traffic that matches an existing IPsec
connection. This can be done in the load-tester plugin, or in a
dedicated tool. 
> 3) Am I after big and many changes or something trivial?

Generating traffic is probably not that difficult, but it depends on
what you actually want to test.
> 4) I've seen revision 015c1568: "Don't simulate traffic on load-tester
> kernel interface". Is this correction made in order not to allow
> traffic simulation?

No. The load-tester can use a "faked" kernel interface stub, so that the
negotiated IPsec SAs won't get installed to the system. This is useful
in the load-tester if many identical tunnels get established that would
conflict in the kernel. This fix just changes the behavior of this stub.
> 5) Something else that I should take into account?

What's wrong with using iperf or a similar tool to test your IPsec


More information about the Dev mailing list