[strongSwan-dev] Load-tester issue
meenakshi bangad
mbangad at gmail.com
Wed Feb 11 23:11:30 CET 2015
Hello,
Routing problems reaching out through the tunnel using load-tester
I am trying to use the load-tester to stress test my VPN server, using version 5.2.2. For simplicity I am trying to bring just one connection up. My tunnel gets established, but I am not able to ping the outside world. Here is what my ip route shows:
I ran ipsec load-tester initiate 1 1 and got a private IP of 10.10.3.1.
# ip route show table 220
10.101.248.152 via 10.101.248.152 dev eno16780032 proto static src 10.10.3.1
The above line rather should be (I would think):
default via 10.101.248.152 dev eno16780032 proto static src 10.10.3.1
Not sure how to fix this.
Also I see that my ipsec statusall shows everything to be /32, but I have configured it on the server to be /24.
Sample output:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.0-123.13.1.el7.x86_64, x86_64):
  uptime: 3 minutes, since Feb 11 17:02:20 2015
  malloc: sbrk 2560000, mmap 0, used 541936, free 2018064
  worker threads: 27 of 32 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ldap pkcs11 aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ccm gcm curl attr load-tester kernel-netlink resolve socket-default farp stroke updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs dhcp
Listening IP addresses:
  10.101.248.153
Connections:
  load-test: 10.101.248.152...0.0.0.0 IKEv1
  load-test: local: [C=CH, O=strongSwan, CN=vpntest.x.com] uses public key authentication
  load-test: remote: [%any] uses public key authentication
  load-test: remote: [%any] uses XAuth authentication: any with XAuth identity '%any'
  load-test: child: dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  load-test[1]: ESTABLISHED 3 minutes ago, 10.101.248.153[CN=r]...10.101.248.152[C=CH, O=strongSwan, CN=vpntest.x.com]
  load-test[1]: IKEv1 SPIs: f0850451c41b60ae_i* 245d2d63feb59e08_r, rekeying disabled
  load-test[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  load-test{1}: REKEYING, TUNNEL, expires in 35 seconds
  load-test{1}: 10.10.3.1/32 === 10.101.248.152/32
  load-test{1}: INSTALLED, TUNNEL, ESP SPIs: c712d0f2_i c00b39c3_o
  load-test{1}: AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 35 seconds
  load-test{1}: 10.10.3.1/32 === 10.101.248.152/32
Here is my server side ipsec.conf:
conn rw
    keyexchange=ikev1
    left=10.101.248.152
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftid="C=CH, O=strongSwan, CN=vpntest.x.com"
    leftcert=serverCert.pem
    leftfirewall=yes
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=pubkey
    rightauth2=xauth-radius
    eap_identity=%identity
    auto=add
On the client side, my ipsec.conf is empty. Everything is configured through strongswan.conf:
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    # load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
    dh_exponent_ansi_x9_42 = no
    reuse_ikesa = no
    threads = 32
    # install_routes=no
    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # 10000 connections, ten in parallel
            initiators = 0
            iterations = 1
            # use a delay of 100ms, overall time is: iterations * delay = 100s
            delay = 100
            # address of the gateway (releases before 5.0.2 used the "remote" keyword!)
            responder = 10.101.248.152
            # IKE-proposal to use
            proposal = aes128-sha1-modp2048
            esp = aes128-sha1
            #proposal = aes128-sha1-modp768
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey|xauth
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            #initiator_id = "OU=MobileXpression, CN=r"
            initiator_id = "CN=r"
            initiator_match = *
            responder_id="C=CH, O=strongSwan, CN=vpntest.x.com"
            issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
            issuer_key = /home/mbangad/caKey.pem
            #ca_dir = /path/to/trustchain/certs
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
            version=1
            initiator_ts = 10.10.3.1/24
        }
    }
}
thanks,
Meenakshi
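An added check, not from the post or from strongSwan, for the situation described above: it parses the CHILD_SA traffic-selector lines of ipsec statusall and the routes of ip route show table 220 as quoted in the post, and reports whether a given destination is covered by a negotiated remote traffic selector and by a table 220 route. The sample input is copied from the post; 192.0.2.1 is a constructed stand-in for an "outside world" address.

```python
import ipaddress
import re

# Constructed sample input: the CHILD_SA lines and the table 220 route from the post.
STATUSALL = """\
load-test{1}: INSTALLED, TUNNEL, ESP SPIs: c712d0f2_i c00b39c3_o
load-test{1}: 10.10.3.1/32 === 10.101.248.152/32
"""
ROUTES_220 = """\
10.101.248.152 via 10.101.248.152 dev eno16780032 proto static src 10.10.3.1
"""

# "<conn>{<id>}: <local TS> === <remote TS>" lines printed for each CHILD_SA
TS_RE = re.compile(r"^\S+\{\d+\}:\s+(\S+)\s+===\s+(\S+)\s*$")
# "<dst|default> via <gw> dev <ifname> ..." lines printed by ip route
ROUTE_RE = re.compile(r"^(default|\S+)\s+via\s+(\S+)\s+dev\s+(\S+)")


def parse_child_ts(text):
    """Return (local_net, remote_net) pairs from statusall CHILD_SA lines."""
    pairs = []
    for line in text.splitlines():
        m = TS_RE.match(line.strip())
        if m:
            pairs.append((ipaddress.ip_network(m.group(1), strict=False),
                          ipaddress.ip_network(m.group(2), strict=False)))
    return pairs


def parse_routes(text):
    """Return (dst_net, gateway, dev) triples from ip route output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group(1) == "default" else m.group(1)
        routes.append((ipaddress.ip_network(dst, strict=False), m.group(2), m.group(3)))
    return routes


def check_destination(dst, statusall=STATUSALL, routes=ROUTES_220):
    """Is dst inside some remote TS, and does some table 220 route cover it?"""
    ip = ipaddress.ip_address(dst)
    ts_ok = any(ip in remote for _, remote in parse_child_ts(statusall))
    route_ok = any(ip in net for net, _, _ in parse_routes(routes))
    return {"in_remote_ts": ts_ok, "has_table220_route": route_ok}
```

With the post's output, only the gateway address itself passes both checks; a destination outside 10.101.248.152/32 is neither selected by the CHILD_SA nor routed via table 220, which is what the failed ping reflects.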