[strongSwan-dev] Load-tester issue

meenakshi bangad mbangad at gmail.com
Wed Feb 11 23:11:30 CET 2015


Routing problems reaching out through the tunnel using load-tester

I am trying to use the load-tester to stress test my VPN server, using
version 5.2.2. For simplicity I am trying to bring just one connection up.
My tunnel gets established but I am not able to ping the outside world.
Here is what my ip route shows:

I did an ipsec load-tester initiate 1 1 and got a private IP if

# ip route show table 220
 via dev eno16780032  proto static  src

The above line should rather be (I would think)
default via dev eno16780032  proto static  src

Not sure how to fix this.
Also I see that my ipsec statusall shows everything to be /32 but I have
configured on the server for it to be /24.
Sample output:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.0-123.13.1.el7.x86_64, x86_64):
  uptime: 3 minutes, since Feb 11 17:02:20 2015
  malloc: sbrk 2560000, mmap 0, used 541936, free 2018064
  worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ldap pkcs11 aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ccm gcm curl attr load-tester kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp
Listening IP addresses:
   load-test:  IKEv1
   load-test:   local:  [C=CH, O=strongSwan, CN=vpntest.x.com] uses public key authentication
   load-test:   remote: [%any] uses public key authentication
   load-test:   remote: [%any] uses XAuth authentication: any with XAuth identity '%any'
   load-test:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
   load-test[1]: ESTABLISHED 3 minutes ago,[CN=r]...[C=CH, O=strongSwan, CN=vpntest.x.com]
   load-test[1]: IKEv1 SPIs: f0850451c41b60ae_i* 245d2d63feb59e08_r, rekeying disabled
   load-test[1]: IKE proposal:
   load-test{1}:  REKEYING, TUNNEL, expires in 35 seconds
   load-test{1}: ===
   load-test{1}:  INSTALLED, TUNNEL, ESP SPIs: c712d0f2_i c00b39c3_o
   load-test{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 seconds
   load-test{1}: ===

Here is my server side ipsec.conf

conn rw
    leftid="C=CH, O=strongSwan, CN=vpntest.x.com"

On the client side, my ipsec.conf is empty. Everything is configured through
strongswan.conf.
# Refer to the strongswan.conf(5) manpage for details
# Configuration changes should be made in the included files

charon {
#   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke

    dh_exponent_ansi_x9_42 = no
    reuse_ikesa = no
    threads = 32

#    install_routes=no

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # 10000 connections, ten in parallel
            initiators = 0
            iterations = 1
            # use a delay of 100ms, overall time is: iterations * delay =
            delay = 100
            # address of the gateway (releases before 5.0.2 used the "remote" keyword!)
            responder =
            # IKE-proposal to use
            proposal = aes128-sha1-modp2048
            esp = aes128-sha1
            #proposal = aes128-sha1-modp768
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey|xauth
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            #initiator_id = "OU=MobileXpression, CN=r"
            initiator_id = "CN=r"
            initiator_match = *
            responder_id="C=CH, O=strongSwan, CN=vpntest.x.com"
            issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
            issuer_key = /home/mbangad/caKey.pem
            #ca_dir = /path/to/trustchain/certs
            # do not delete the IKE_SA after it has been established
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
            initiator_ts =


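An added example, not part of the original post and not strongSwan code: a small Python check of whether a destination is covered both by a CHILD_SA's remote traffic selector in `ipsec statusall` and by a route in table 220, which is the comparison the post makes by hand. The function names and the sample addresses are constructed for this example (the post's own addresses are not shown), and it assumes a virtual-IP setup where the table 220 route supplies the source address.

```python
import ipaddress
import re

# Constructed sample output. Addresses are documentation/private ranges chosen
# for this example; the post's own addresses are not shown on the page.
STATUSALL = """\
   load-test{1}:  INSTALLED, TUNNEL, ESP SPIs: c712d0f2_i c00b39c3_o
   load-test{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 seconds
   load-test{1}:   10.3.0.1/32 === 192.0.2.10/32
"""
TABLE_220 = "192.0.2.10 via 198.51.100.1 dev eno16780032  proto static  src 10.3.0.1\n"


def _nets(tokens):
    # Selectors may carry a "[proto/port]" suffix; keep only the subnet part.
    return [ipaddress.ip_network(t.split("[")[0], strict=False) for t in tokens.split()]


def child_selectors(statusall):
    """Yield (sa_name, local_nets, remote_nets) from 'name{n}: local === remote' lines."""
    for line in statusall.splitlines():
        m = re.match(r"\s*(\S+\{\d+\}):\s+(\S.*?)\s+===\s+(\S.*?)\s*$", line)
        if m:
            yield m.group(1), _nets(m.group(2)), _nets(m.group(3))


def table_routes(table_220):
    """Return destination networks from 'ip route show table 220' output."""
    routes = []
    for line in table_220.splitlines():
        fields = line.split()
        dest = "0.0.0.0/0" if fields[:1] == ["default"] else "".join(fields[:1])
        try:
            routes.append(ipaddress.ip_network(dest, strict=False))
        except ValueError:
            continue  # blank line or a route type keyword such as "unreachable"
    return routes


def diagnose(dest, statusall, table_220):
    """Report why traffic to dest would or would not use the tunnel (assumed model)."""
    addr = ipaddress.ip_address(dest)
    if not any(addr in n for _, _, remote in child_selectors(statusall) for n in remote):
        return "no-selector"   # no CHILD_SA remote traffic selector covers dest
    if not any(addr in n for n in table_routes(table_220)):
        return "no-route"      # selector matches, but table 220 has no route for it
    return "tunnelled"
```

With the constructed /32 selector, `diagnose("203.0.113.7", STATUSALL, TABLE_220)` returns `"no-selector"`: the negotiated selector, not the missing default route, is the first thing that excludes outside destinations.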