[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Mon Aug 1 15:00:16 CEST 2011
Hi
I started the load-tester using settings as per advice below from Martin. I
am observing the following issue (trace from the rw-server side):
-----------------------------------------------------------------------------
15[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
15[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
15[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org
]...172.17.10.253[c5-1.strongswan.org]
15[CFG] no matching peer config found
15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
15[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
---------------------------------------------------------------------------
- So as per the advice below, i had used the default-psk auth secret as
configured below in the ipsec.secrets file on the rw-server:
: PSK "default-psk"
- On the rw-server i used the following ipsec.conf file settings and i
started ipsec using "ipsec start"
--------------------------------------
[root at dvtpc1 etc]# cat ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
strictcrlpolicy=no
crlcheckinterval=180
plutostart=yes
charonstart=yes
nat_traversal=yes
conn %default
ikelifetime=60m
keylife=30m
rekeymargin=3m
keyingtries=1
mobike=no
conn rw-server
left=172.17.10.10
leftsubnet=192.168.20.0/24
right=%any
rightsourceip=10.3.0.0/16
authby=secret
keyexchange=ikev2
type=tunnel
auto=add
#
---------------------------------------------------------
- On the load-tester-plugin enabled linux-system, i used the following
settings
--------------------------------------
[root at dvtpc3 etc]# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
charon {
reuse_ikesa = no
# number of worker threads in charon
threads = 32
# send strongswan vendor ID?
# send_vendor_id = yes
plugins {
sql {
# loglevel to log into sql database
loglevel = -1
# URI to the database
# database = sqlite:///path/to/file.db
# database = mysql://user:password@localhost
/database
}
load-tester {
# enable the plugin
enable = yes
# 50 connections, ten in parallel
initiators = 5
iterations = 10
# use a delay of 100ms, overall time is: iterations * delay
delay = 100
# address of the gateway
remote = 172.17.10.10
# IKE-proposal to use
proposal = aes128-sha1-modp1024
# use faster PSK authentication instead of 1024bit RSA
initiator_auth = psk
responder_auth = psk
# request a virtual IP using configuration payloads
request_virtual_ip = yes
# disable IKE_SA rekeying (default)
ike_rekey = 0
# enable CHILD_SA every 60s
child_rekey = 60
# do not delete the IKE_SA after it has been established
(defaul t)
delete_after_established = no
# do not shut down the daemon if all IKE_SAs established
shutdown_when_complete = no
}
}
# ...
}
pluto {
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
[root at dvtpc3 etc]#
--------------------------------------------------------------------
- On the load-tester-plugin-enable system i started ipsec by using "ipsec
start --nofork" (because i do not know how to start charon directly as
suggested below :- ) sorry..i hope starting ipsec using ipsec start also is
valid for the load-tester plugin)
- Iam observing the following messages (auth failed) on the
load-tester-enabled pc:
---------------------------------
16[IKE] received AUTHENTICATION_FAILED notify error
14[IKE] authentication of 'c14-r1.strongswan.org' (myself) with pre-shared
key
14[IKE] establishing CHILD_SA load-test
14[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
14[NET] sending packet: from 172.17.10.253[500] to 172.17.10.10[500]
15[IKE] authentication of 'c12-r1.strongswan.org' (myself) with pre-shared
key
17[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]
17[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
17[IKE] received AUTHENTICATION_FAILED notify error
15[IKE] establishing CHILD_SA load-test
15[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
15[NET] sending packet: from 172.17.10.253[500] to 172.17.10.10[500]
18[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]
18[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
19[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]
19[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
19[IKE] received AUTHENTICATION_FAILED notify error
22[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]
22[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
18[IKE] authentication of 'c15-r1.strongswan.org' (myself) with pre-shared
key
18[IKE] establishing CHILD_SA load-test
18[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
N(MULT_AUTH) N(EAP_ONLY) ]
18[NET] sending packet: from 172.17.10.253[500] to 172.17.10.10[500]
23[NET] received packet: from 172.17.10.10[500] to 172.17.10.253[500]
23[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
23[IKE] received AUTHENTICATION_FAILED notify error
------------------------------------------------------------------------------------------
so i guess, the default psk auth expected is still based on fqdn values and
not the "default-psk" secret value. Can you suggest where should i edit for
enabling the default-psk value for psk auth to work
thanks for your time and for your help
with regards
rajiv
>>fromMartin Willi martin at strongswan.org
>>toRajiv Kulkarni <rajivkulkarni69 at gmail.com>
>>ccusers at lists.strongswan.org
>>dateFri, Jul 29, 2011 at 5:34 PM
>>subjectRe: [strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs
between 2 peer >>gws with 1 IKE SA)
>>Important mainly because of your interaction with messages in the
conversation.
>>Hi,
> - What is the meaning of "initiators=10 and iterations=100". i would
> think that for simulating establishment of 1000 simultaneous tunnels i
> would want 1000 initiators to be running right? Why only 10 and
> running them 100 times?
"initiators" defines the number of threads. Each thread initiates
"iterations" connections. More initiators means more parallelism. Make
sure to have enough threads defined with the charon "threads" option
(roughly at least 10 + initiators).
> - what will be the configuration in "ipsec.conf"? will there be a
> ipsec.conf file used for this load-test scenario on the
> rw-client-simulator pc.
No, the load-tester works independently from any ipsec.conf
configuration. It provides a dynamic configuration and credential
generation.
> - So this means that the "ipsec.secrets" file will be used? right? any
> sample file for this load-test scenario for say simulating 1000
> tunnels/clients?
A single PSK can be defined in the load-tester configuration using the
"preshared_key" option. But you of course can rely on credentials
defined with ipsec.secrets.
> - Also iam confused as to what should be the content of the
> "ipsec.secrets" file on the rw-client-simulator for PSK with FQDN? any
> example will help because iam thinking for 1000 clients how many PSK
> statments and what FQDN to use in the ipsec.secrets file
Try it without any ipsec.secrets credentials, using the PSK provided
through load-tester is fine.
> - Do i just use the command "ipsec start" or is there any other
> options required to be used?
As no ipsec.conf is involved, the starter is actually not required. I
prefer to launch charon directly when doing load-tests.
> - What will be the contents of the ipsec.secrets file on this server
> m/c? I mean we need to use PSK with FQDN for 1000 clients right? any
> sample ipsec.secrets file will be a tremendous help
The default PSK used by the load-tester plugin is "default-psk", but you
can override it using the option mentioned above. You can define
: PSK "default-psk"
in the responders ipsec.secrets to use it for all identities.
> request_virtual_ip = yes
Please be aware that the Linux kernel can't handle hundreds of IPs very
efficiently. Your test system will slow down if you install an IP with
each tunnel. You can avoid this by setting
charon {
install_virtual_ip = no
}
in strongswan.conf on the initiating system.
On Fri, Jul 29, 2011 at 5:15 PM, Rajiv Kulkarni
<rajivkulkarni69 at gmail.com>wrote:
> Hi Tobias
>
> Thanks for the reply.
>
> No, i did not know of the load-tester plugin till you told me about it. I
> followed your advice and started setting up the load-tester plugin with
> strongswan-4.5.2 on Linux-Fedora servers
>
> - As mentioned in one of the mail-list on Load-Tester plugin, I have
> assgined one linux-box for simulating the road-warrior-clients and the other
> as the rw-server
>
> - Now On the rw-client-simulator, i have setup the following:
>
> strongswan.conf file
> ------------------------
> ....
> ....
> charon {
> reuse_ikesa = no
> threads = 32
>
> plugins {
> load-tester {
> # enable the plugin
> enable = yes
> # 1000 connections, ten in parallel
> initiators = 10
> iterations = 100
> # use a delay of 100ms, overall time is: iterations * delay =
> 100s
> delay = 100
> # address of the gateway
> remote = 192.168.0.1
> # IKE-proposal to use
> proposal = aes128-sha1-modp1024
> # use faster PSK authentication instead of 1024bit RSA
> initiator_auth = psk
> responder_auth = psk
> # request a virtual IP using configuration payloads
> request_virtual_ip = yes
> # disable IKE_SA rekeying (default)
> ike_rekey = 0
> # enable CHILD_SA every 60s
> child_rekey = 60
> # do not delete the IKE_SA after it has been established
> (default)
> delete_after_established = no
> # do not shut down the daemon if all IKE_SAs established
> shutdown_when_complete = no
> }
> }
> }
> ...
> ...
> Now,here i request for some help and clarfication as iam unable to
> understand the exact usage and flow of the load-test scenario:
>
> -------------------------------------------
> on the rw-client-simulator pc
> -------------------------------------------
>
> - What is the meaning of "initiators=10 and iterations=100". i would think
> that for simulating establishment of 1000 simultaneous tunnels i would want
> 1000 initiators to be running right? Why only 10 and running them 100 times?
>
> - Would the initiators change after every 10th tunnel is
> established?....????? or what???
>
> - what will be the configuration in "ipsec.conf"? will there be a
> ipsec.conf file used for this load-test scenario on the rw-client-simulator
> pc.
>
> - The wiki page on load-test plugin says
> "For PSK authentication, FQDN identities are used. The server uses *
> srv.strongswan.org*, the client uses an identity in the form *
> c1-r1.strongswan.org"*
> **
> - So this means that the "ipsec.secrets" file will be used? right? any
> sample file for this load-test scenario for say simulating 1000
> tunnels/clients?
>
> - Also iam confused as to what should be the content of the "ipsec.secrets"
> file on the rw-client-simulator for PSK with FQDN? any example will help
> because iam thinking for 1000 clients how many PSK statments and what FQDN
> to use in the ipsec.secrets file
>
> - Do i just use the command "ipsec start" or is there any other options
> required to be used?
>
> ----------------------------------------------------------------------
> On the RW-Server (RoadWarrior-Server) Machine:
> -----------------------------------------------------------------------
>
> Once again as adviced in one of the mail-list response on load-tester
> plugin query , On the rw-server-simulator pc, iam using the following:
>
> - I have NOT configured anything in the strongswan.conf file i.e as adviced
> i have not enabled the load-tester plugin on the server. Is this correct?
>
> - Now the configurations:
>
> ipsec.conf file
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> config setup
> crlcheckinterval=180
> strictcrlpolicy=no
> plutostart=no
> charonstart=yes
>
> conn %default
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev2
> mobike=no
>
> conn rw
> left=192.168.0.1
> leftsubnet=10.1.0.0/16
> right=%any
> rightsourceip=10.3.0.0/28
> auto=add
> authby=secret
>
> - I feel that iam still missing some more important configurations in the
> ipsec.conf file on this server
>
> - What will be the contents of the ipsec.secrets file on this server m/c? I
> mean we need to use PSK with FQDN for 1000 clients right? any sample
> ipsec.secrets file will be a tremendous help
>
>
> I am stuck at this point of setup and i would be greatful for your help and
> advice
>
> thanks & regards
> rajiv
>
> On Mon, Jul 18, 2011 at 7:44 PM, Tobias Brunner <tobias at strongswan.org>wrote:
>
>> Hi Rajiv,
>>
>> > - is there a better way and a simple and elegant way to simulate 1000
>> > tunnels (2000 SAs)?
>>
>> Did you already have a look at the load-tester plugin [1]?
>>
>> Regards,
>> Tobias
>>
>> [1] http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110801/190c2778/attachment.html>
More information about the Users
mailing list