[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Aug 5 12:28:51 CEST 2011


Hello Martin, all

Firstly, thanks for all your help in using the load-tester plugin.

I finally set it up to work using pubkey/rsasig with the Certs provided in
the file:

http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c

Used the self-signed cert as cacert.pem, initiator_cert.pem,
responder_cert.pem and the RSA private key as initiator_key.pem and
responder_key.pem, and copied them to the folder locations in ./ipsec.d/..
respectively on both initiator and responder machines.

On the RW-Server machine, I used the following configs:

ipsec.conf
--------------

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
 strictcrlpolicy=no
 crlcheckinterval=180
 plutostart=no
 charonstart=yes
conn %default
 ikelifetime=60m
 keylife=30m
 rekeymargin=3m
 keyingtries=1
 keyexchange=ikev2
 mobike=no
conn rw-server
 left=172.17.10.10
 leftsubnet=192.168.20.0/24
 right=%any
 rightsourceip=10.3.0.0/16
 leftid="CN=srv, OU=load-test, O=strongSwan"
 leftcert=respcert.pem
 authby=pubkey
 keyexchange=ikev2
 type=tunnel
 auto=add
#

ipsec.secrets
------------------
: RSA responder_key.pem


On the RW-Client-Simulator machine with the Load-Tester plugin enabled, I used
the following configs:

strongswan.conf
----------------------
charon {
    reuse_ikesa = no
    threads = 32
    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # use a delay of 100ms, overall time is: iterations * delay = 100s
            delay = 100
            # address of the gateway
            remote = 172.17.10.10
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
        }
    }
}
-------------------------------------

ipsec.secrets
---------------------
: RSA initiator_key.pem


- So now I have the required 10 IKEv2 tunnels between the 2 peers (and I
tried even 1000 tunnels without any issues). So I guess it works
with certs, but somehow I could not make it work with PSK (FQDN).

- Although this load test works, I would definitely want to know if I could
make it work for forming multiple child SAs (IPsec ESP SAs). What I now
observe is shown in the console traces attached. I have observed the
following messages on the RW-Server, which responds to the load-tester-plugin
initiator:

----------------------------------------------------------
22[IKE] received end entity cert "CN=c4-r1, OU=load-test, O=strongSwan"
22[CFG] looking for peer configs matching 172.17.10.10[CN=srv, OU=load-test,
O=strongSwan]...172.17.10.20[CN=c4-r1, OU=load-test, O=strongSwan]
22[CFG] selected peer config 'rw-server'
22[CFG]   using certificate "CN=c4-r1, OU=load-test, O=strongSwan"
22[CFG]   using trusted ca certificate "CN=srv, OU=load-test, O=strongSwan"
22[CFG] checking certificate status of "CN=c4-r1, OU=load-test,
O=strongSwan"
22[CFG] certificate status is not available
22[CFG]   reached self-signed root ca with a path length of 0
22[IKE] authentication of 'CN=c4-r1, OU=load-test, O=strongSwan' with RSA
signature successful
21[CFG] checking certificate status of "CN=c6-r1, OU=load-test,
O=strongSwan"
21[CFG] certificate status is not available
21[CFG]   reached self-signed root ca with a path length of 0
21[IKE] authentication of 'CN=c6-r1, OU=load-test, O=strongSwan' with RSA
signature successful
21[IKE] authentication of 'CN=srv, OU=load-test, O=strongSwan' (myself) with
RSA signature successful
21[IKE] IKE_SA rw-server[1] established between 172.17.10.10[CN=srv,
OU=load-test, O=strongSwan]...172.17.10.20[CN=c6-r1, OU=load-test,
O=strongSwan]
21[IKE] scheduling reauthentication in 3329s
21[IKE] maximum IKE_SA lifetime 3509s
21[IKE] peer requested virtual IP %any
21[CFG] assigning new lease to 'CN=c6-r1, OU=load-test, O=strongSwan'
21[IKE] assigning virtual IP 10.3.0.1 to peer 'CN=c6-r1, OU=load-test,
O=strongSwan'
21[IKE] traffic selectors 172.17.10.10/32 === 0.0.0.0/0  inacceptable
21[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) N(AUTH_LFT)
N(TS_UNACCEPT) ]
21[NET] sending packet: from 172.17.10.10[500] to 172.17.10.20[500]
22[IKE] authentication of 'CN=srv, OU=load-test, O=strongSwan' (myself) with
RSA signature successful
22[IKE] IKE_SA rw-server[3] established between 172.17.10.10[CN=srv,
OU=load-test, O=strongSwan]...172.17.10.20[CN=c4-r1, OU=load-test,
O=strongSwan]
22[IKE] scheduling reauthentication in 3385s
22[IKE] maximum IKE_SA lifetime 3565s
22[IKE] peer requested virtual IP %any
22[CFG] assigning new lease to 'CN=c4-r1, OU=load-test, O=strongSwan'
22[IKE] assigning virtual IP 10.3.0.2 to peer 'CN=c4-r1, OU=load-test,
O=strongSwan'
22[IKE] traffic selectors 172.17.10.10/32 === 0.0.0.0/0  inacceptable
22[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) N(AUTH_LFT)
N(TS_UNACCEPT) ]
22[NET] sending packet: from 172.17.10.10[500] to 172.17.10.20[500]
----------------------------------------------------------------------------------------------------------

- Will try to work more with the load-tester plugin and update if there are any new
observations/issues.

thanks & regards
rajiv


On Tue, Aug 2, 2011 at 6:54 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>wrote:

> Hi
>
> One more followup info. On the m/c enabled with load-tester plugin and
> simulating multiple rw-clients, i have the following strongswan.conf config
> file:
>
> -----------------------------------------------------------------------------------
>  # strongswan.conf - strongSwan configuration file
> charon {
>         reuse_ikesa = no
>         # number of worker threads in charon
>         threads = 32
>         # send strongswan vendor ID?
>         # send_vendor_id = yes
>         plugins {
>                 sql {
>                         # loglevel to log into sql database
>                         loglevel = -1
>                         # URI to the database
>                         # database = sqlite:///path/to/file.db
>                         # database = mysql://user:password@localhost
> /database
>                 }
>                 load-tester {
>                  # enable the plugin
>                 enable = yes
>                 # 10000 connections, ten in parallel
>                 initiators = 5
>                 iterations = 2
>
>                 # use a delay of 100ms, overall time is: iterations * delay = 100s
>                 delay = 100
>                 # address of the gateway
>                 remote = 172.17.10.10
>                 # IKE-proposal to use
>                 proposal = aes128-sha1-modp1024
>                 # use faster PSK authentication instead of 1024bit RSA
>                 initiator_auth = psk
>                 responder_auth = psk
>                 # request a virtual IP using configuration payloads
>                 request_virtual_ip = yes
>                 # disable IKE_SA rekeying (default)
>                 ike_rekey = 0
>                 # enable CHILD_SA every 60s
>                 child_rekey = 60
>                 # do not delete the IKE_SA after it has been established (default)
>                 delete_after_established = no
>                 # do not shut down the daemon if all IKE_SAs established
>                 shutdown_when_complete = no
>         }
>
>         }
>         # ...
> }
> pluto {
> }
> libstrongswan {
>          #  set to no, the DH exponent size is optimized
>         #  dh_exponent_ansi_x9_42 = no
> }
> [root at dvtpc3 etc]#
> [root at dvtpc3 etc]#
> [root at dvtpc3 etc]# ipsec start
> Starting strongSwan 4.5.2 IPsec [starter]...
> [root at dvtpc3 etc]#
>
>
> ----------------------------------------------------------------------------------
>
> and on running the command
>
> [root at dvtpc3 etc]# ipsec start
> [root at dvtpc3 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 172.17.10.253:500
> 000 interface eth2/eth2 192.168.21.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem
> openssl gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>   uptime: 4 seconds, since Aug 02 18:49:59 2011
>   malloc: sbrk 262144, mmap 0, used 92800, free 169344
>   worker threads: 25 idle of 32, job queue load: 0, scheduled events: 20
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints
> pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr load-tester
> kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   172.17.10.253
>   192.168.21.1
> Connections:
>    load-test:  0.0.0.0...172.17.10.10
>    load-test:   local:  [srv.strongswan.org] uses pre-shared key
> authentication
>    load-test:   remote: [*.strongswan.org] uses pre-shared key
> authentication
>    load-test:   child:  dynamic === dynamic
> Security Associations:
>   none
> [root at dvtpc3 etc]#
>
> So here it shows the local system with the ID srv.strongswan.org, whereas
> it is actually supposed to be an rw-client.
>
> thanks & regards
> rajiv
>
>
> On Tue, Aug 2, 2011 at 6:25 PM, Rajiv Kulkarni <rajivkulkarni69 at gmail.com>wrote:
>
>> Hi
>>
>> >>The problem is not the secret, but that no config matches on your
>> >>responder. "leftid" defaults to "left" (172.17.10.10), but actually is
>> >>srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
>> I did just that, I used leftid=%any on the rw-server. But when I start the
>> ipsec (ipsec start --nofork) on the load-tester-plugin enabled m/c, I still
>> get auth failed messages.
>>
>> Meanwhile on the server i get the following messages:
>>
>> -----------------------------------------------------------------------------
>> 28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
>> 28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
>> N(MULT_AUTH) N(EAP_ONLY) ]
>> 28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org
>> ]...172.17.10.253[c6-r1.strongswan.org]
>> 28[CFG] selected peer config 'rw-server'
>> 28[IKE] tried 1 shared key for 'srv.strongswan.org' - '
>> c6-r1.strongswan.org', but MAC mismatched
>> 28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
>> 28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
>> 28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr
>> N(MULT_AUTH) N(EAP_ONLY) ]
>> 28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org
>> ]...172.17.10.253[c6-r1.strongswan.org]
>> 28[CFG] selected peer config 'rw-server'
>> 28[IKE] tried 1 shared key for 'srv.strongswan.org' - '
>> c6-r1.strongswan.org', but MAC mismatched
>> 28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
>>
>>
>> ------------------------------------------------------------------------------------------
>>
>> - On the rw-server, I am using the following setting in the "ipsec.secrets"
>> file:
>> : PSK "default-psk"
>>
>> - and the ipsec.conf on the rw-server m/c is as below:
>> -------------------------------------------------------------------------
>>  [root at dvtpc1 etc]# cat ipsec.conf
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>> config setup
>>         strictcrlpolicy=no
>>         crlcheckinterval=180
>>         plutostart=yes
>>         charonstart=yes
>>  conn %default
>>         ikelifetime=60m
>>         keylife=30m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>         mobike=no
>>  conn rw-server
>>         left=172.17.10.10
>>         leftsubnet=192.168.20.0/24
>>         leftid=%any
>>
>>         right=%any
>>         rightsourceip=10.3.0.0/16
>>         authby=psk
>>
>>         keyexchange=ikev2
>>         type=tunnel
>>         auto=add
>> #
>> --------------------------------------------
>>
>> - both the rw-server (with ipaddr 172.17.10.10/24, DGw-IP: 172.17.10.253)
>> and the rw-client (with load-tester-plugin enabled and with ipaddr
>> 172.17.10.253/24, Dgw-ip: 172.17.10.10) are connected back-to-back and
>> both are running strongswan4.5.2 on Linux-Fedora13.
>>
>>
>> So where am I going wrong?
>> thanks & regards
>> rajiv
>>
>> On Tue, Aug 2, 2011 at 1:09 PM, Martin Willi <martin at strongswan.org>wrote:
>>
>>>
>>>
>>> > 15[CFG] looking for peer configs matching 172.17.10.10[
>>> srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]
>>> > 15[CFG] no matching peer config found
>>> > 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>
>>>
>>> > conn rw-server
>>> >         left=172.17.10.10
>>> >         leftsubnet=192.168.20.0/24
>>> >         right=%any
>>>
>>> The problem is not the secret, but that no config matches on your
>>> responder. "leftid" defaults to "left" (172.17.10.10), but actually is
>>> srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
>>>
>>> Regards
>>> Martin
>>>
>>>
>>>
>>
>
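The responder trace in the first message above shows the pattern being asked about: each IKE_SA authenticates and is assigned a virtual IP, but the IKE_AUTH response carries N(TS_UNACCEPT) and no CHILD_SA follows. As an added example (not code from the thread or from strongSwan), the parser below correlates charon log lines by worker thread and lists the IKE_SAs that never produced a CHILD_SA; the sample lines are constructed from the quoted trace, and the CHILD_SA success line on thread 23 is invented for contrast.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on the responder trace quoted in the thread (mail wrapping
# undone, a second worker thread interleaved); the CHILD_SA line is invented for contrast.
SAMPLE_LOG = """\
21[IKE] IKE_SA rw-server[1] established between 172.17.10.10[CN=srv, OU=load-test, O=strongSwan]...172.17.10.20[CN=c6-r1, OU=load-test, O=strongSwan]
23[IKE] IKE_SA rw-server[5] established between 172.17.10.10[CN=srv, OU=load-test, O=strongSwan]...172.17.10.20[CN=c2-r1, OU=load-test, O=strongSwan]
21[IKE] assigning virtual IP 10.3.0.1 to peer 'CN=c6-r1, OU=load-test, O=strongSwan'
21[IKE] traffic selectors 172.17.10.10/32 === 0.0.0.0/0  inacceptable
23[IKE] CHILD_SA rw-server{1} established with SPIs c1a2b3c4_i d5e6f7a8_o and TS 192.168.20.0/24 === 10.3.0.3/32
21[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) N(AUTH_LFT) N(TS_UNACCEPT) ]
"""

# Each charon line begins with the worker thread id; that id is what ties the lines of one
# IKE_SA negotiation together when several threads interleave in the log.
IKE_SA_RE = re.compile(r"^(\d+)\[IKE\] IKE_SA (\S+) established between \S+?\[.*?\]\.\.\.\S+?\[(.*?)\]$")
VIP_RE = re.compile(r"^(\d+)\[IKE\] assigning virtual IP (\S+) to peer")
TS_RE = re.compile(r"^(\d+)\[IKE\] traffic selectors (\S+) === (\S+)\s+inacceptable")
TS_UNACCEPT_RE = re.compile(r"^(\d+)\[ENC\] generating IKE_AUTH response \d+ \[.*N\(TS_UNACCEPT\)")
CHILD_RE = re.compile(r"^(\d+)\[IKE\] CHILD_SA (\S+) established with SPIs")

@dataclass
class IkeSa:
    name: str                              # e.g. rw-server[1]
    remote_id: str
    virtual_ip: Optional[str] = None
    rejected_ts: Optional[tuple] = None    # (local TS, remote TS) the responder refused
    ts_unaccept: bool = False              # IKE_AUTH response carried N(TS_UNACCEPT)
    child_sa: Optional[str] = None         # set only when a CHILD_SA was actually created

def parse_charon_log(text: str) -> list:
    # One IkeSa per "IKE_SA ... established" line, with later events on the same thread attached.
    records, by_thread = [], {}
    for line in text.splitlines():
        if m := IKE_SA_RE.match(line):
            by_thread[m[1]] = sa = IkeSa(name=m[2], remote_id=m[3])
            records.append(sa)
        elif (m := VIP_RE.match(line)) and m[1] in by_thread:
            by_thread[m[1]].virtual_ip = m[2]
        elif (m := TS_RE.match(line)) and m[1] in by_thread:
            by_thread[m[1]].rejected_ts = (m[2], m[3])
        elif (m := TS_UNACCEPT_RE.match(line)) and m[1] in by_thread:
            by_thread[m[1]].ts_unaccept = True
        elif (m := CHILD_RE.match(line)) and m[1] in by_thread:
            by_thread[m[1]].child_sa = m[2]
    return records

def ike_only(records: list) -> list:
    # IKE_SAs that authenticated (and possibly got a virtual IP) but never produced a CHILD_SA.
    return [sa for sa in records if sa.child_sa is None]
```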