[strongSwan-dev] load-tester plugin modification

Gerry Travlos G.Travlos at mycosmos.gr
Fri Jul 29 14:33:54 CEST 2011 

Hi Martin,

> All application data is processed by the kernel, and any tool can be
> used to generated this traffic.

> You'd have to generate the traffic that matches an existing IPsec
> connection. This can be done in the load-tester plugin, or in a
> dedicated tool.

> What's wrong with using iperf or a similar tool to test your IPsec
> tunnel?

So you mean that I can use the load tester to establish a number of tunnels and then generate traffic (i.e. pings) for each of these tunnels with iperf?
I thought that this is not supported by load-tester plugin.

What I want to test is a lot of tunnels with traffic to a particular gateway.

Regards,
Jerry

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org]
Sent: Fri 29-Jul-11 13:16
To: Gerry Travlos
Cc: dev at lists.strongswan.org
Subject: Re: [strongSwan-dev] load-tester plugin modification
 
Hi,
> 
> 1) Which is the main missing functionality that restricts load-tester
> from taking traffic?

The load-tester plugin currently generates IKEv2 protocol exchanges,
mainly to test the daemon itself. It can simulate many clients, but only
the key exchange part.

All application data is processed by the kernel, and any tool can be
used to generated this traffic. You can extend the load tester by
generating traffic to process by the kernel, but it won't have much in
common with the existing load-tester functionality.
> 
> 2) Is load-tester plugin the only part of the code that needs to be
> modified? Or should I look elsewhere as well?

You'd have to generate the traffic that matches an existing IPsec
connection. This can be done in the load-tester plugin, or in a
dedicated tool. 
> 
> 3) Am I after big and many changes or something trivial?

Generating traffic is probably not that difficult, but it depends on
what you actually want to test.
> 
> 4) I've seen revision 015c1568: "Don't simulate traffic on load-tester
> kernel interface". Is this correction made in order not to allow
> traffic simulation?

No. The load-tester can use a "faked" kernel interface stub, so that the
negotiated IPsec SAs won't get installed to the system. This is useful
in the load-tester if many identical tunnels get established that would
conflict in the kernel. This fix just changes the behavior of this stub.
> 
> 5) Something else that I should take into account?

What's wrong with using iperf or a similar tool to test your IPsec
tunnel?

Regards
Martin


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20110729/64af7ad4/attachment.html>

More information about the Dev mailing list