[strongSwan] [help] Having trouble on load test

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Aug 5 13:12:02 CEST 2011

Martin Willi <martin at ...> writes:

> Hi,
> > the load-tester plugin is for the client side only 
> You can actually use the configuration provided by load-tester on the
> server side. However, often you want to test real-world setups with it,
> so using a ipsec.conf based configuration probably makes more sense.
> >     plugins {
> >         load_tester {
> >             [...]
> >             pool =
> >         }
> >     }
> You can define a pool to use for load testing, but only its name.
> Defining a pool "" in ipsec.conf implicitly creates an
> in-memory pool (implemented in the stroke plugin) and uses it for that
> configuration.
> If you define a pool name in the load_tester plugin, someone has to
> provide a pool with such a name (e.g. the sql or the stroke plugin).
> Regards
> Martin


If this helps. I got it working using the following procedure/steps. Hope it 
works for you too:

1. you will need to first access the following link


and then 

- copy the RSA private-key into 2 files and name them "initiator_key.pem" 
and "responder_key.pem"

- copy the self-signed cert into 3 files and name 
them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

On the Initiator GW/PC/Machine
- Please note that the load-tester plugin can only act in and as a road-warrior-
client simulator mode. So you should be enabling the load-tester plugin on only 
the initiator linux-machine running the strongswan package

- The ipsec.conf file on this initiator is NEVER used or NOT required just 
comment out all config statments

- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the 
respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder

- in the ipsec.secrets file, include the statement 
: RSA initiator_key.pem

- The strongswan.conf file should be as below:

charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # use a delay of 100ms, overall time is: iterations * delay = 100s
            delay = 100
            # address of the gateway
            remote =
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no

On the Responder GW/PC/Machine
- do not enable load-tester plugin here. just configure this machine as a Road-

- the ipsec.conf file shoule be as below:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

conn rw-server
	leftid="CN=srv, OU=load-test, O=strongSwan"

- copy the cacert.pem, responder_cert.pem and responder_key.pem to the 
respective locations under ipsec.d folder

- The ipsec.secrets file should have an entry as below:

: RSA responder_key.pem

2. That's it, now you start strongswan ipsec on both initiator and responder 
(first on this) using "ipsec start" or "ipsec start --nofork"

- you will see that as configured in the strongswan.conf, there will be 10 
IKEv2 tunnels established, but ofcourse no ipsec SAs are established, as per 
design of the plugin

- also, it did not work for me with PSK (using fqdn) as mentioned in the link 

More information about the Users mailing list