[strongSwan] [help] Having trouble on load test

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Aug 5 13:12:02 CEST 2011


Martin Willi <martin at ...> writes:

> 
> Hi,
> 
> > the load-tester plugin is for the client side only 
> 
> You can actually use the configuration provided by load-tester on the
> server side. However, often you want to test real-world setups with it,
> so using a ipsec.conf based configuration probably makes more sense.
> 
> >     plugins {
> >         load_tester {
> >             [...]
> >             pool = 10.0.0.0/24
> >         }
> >     }
> 
> You can define a pool to use for load testing, but only its name.
> Defining a pool "10.0.0.0/24" in ipsec.conf implicitly creates an
> in-memory pool (implemented in the stroke plugin) and uses it for that
> configuration.
> If you define a pool name in the load_tester plugin, someone has to
> provide a pool with such a name (e.g. the sql or the stroke plugin).
> 
> Regards
> Martin
> 

Hi

In case this helps: I got it working using the following procedure/steps. Hope it
works for you too:

1. You will first need to access the following link

http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c

and then 

- copy the RSA private-key into 2 files and name them "initiator_key.pem" 
and "responder_key.pem"

- copy the self-signed cert into 3 files and name 
them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

On the Initiator GW/PC/Machine
--------------------------------
- Please note that the load-tester plugin can only act as a road-warrior client
simulator. So you should enable the load-tester plugin only on the initiator
Linux machine running the strongSwan package.

- The ipsec.conf file on this initiator is NEVER used and NOT required; just
comment out all config statements.

- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the 
respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder

- in the ipsec.secrets file, include the statement 
: RSA initiator_key.pem

- The strongswan.conf file should be as below:

------------------------------------------
charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # delay of 100ms between initiations; overall time is roughly iterations * delay = 200ms
            delay = 100
            # address of the gateway
            remote = 172.17.10.10
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use RSA public-key (certificate) authentication on both sides
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
        }
    }
}
-----------------------------------------------------------

On the Responder GW/PC/Machine
******************************
- do not enable the load-tester plugin here; just configure this machine as a
road-warrior VPN server

- the ipsec.conf file should be as below:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
	strictcrlpolicy=no
	crlcheckinterval=180
	plutostart=no
	charonstart=yes

conn %default
	ikelifetime=60m
	keylife=30m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev2
	mobike=no

conn rw-server
	left=172.17.10.10
	leftsubnet=192.168.20.0/24
	right=%any
	rightsourceip=10.3.0.0/16
	leftid="CN=srv, OU=load-test, O=strongSwan"
	leftcert=responder_cert.pem
	authby=pubkey
	keyexchange=ikev2
	type=tunnel
	auto=add
#

- copy the cacert.pem, responder_cert.pem and responder_key.pem to the 
respective locations under ipsec.d folder

- The ipsec.secrets file should have an entry as below:

: RSA responder_key.pem


2. That's it. Now start strongSwan IPsec on both initiator and responder
(the responder first) using "ipsec start" or "ipsec start --nofork".

- you will see that, as configured in strongswan.conf, 10 IKEv2 tunnels are
established, but of course no IPsec SAs are established, as per the design of
the plugin

- also, it did not work for me with PSK (using FQDN) as mentioned in the link
below:
http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
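As an added pre-flight check for a setup like the one above (this is example code written for this page, not code from the post or from the strongSwan project): it parses the initiator's strongswan.conf load-tester section and the responder's ipsec.conf with small parsers for both formats, computes the number of IKE_SAs the run should produce (initiators * iterations), and flags the mismatches that would make the run fail before starting (remote address not equal to the responder's left, pubkey on one side but not the other, a virtual IP requested without rightsourceip, or a responder not speaking IKEv2). The two embedded configs are constructed from the settings in the post; the function names and the check list are this example's own.

```python
"""Pre-flight consistency check for a strongSwan load test (added example).

Parses the initiator's strongswan.conf and the responder's ipsec.conf,
then reports settings that would make the load test fail.
"""

# Constructed sample: the initiator's strongswan.conf from the post.
STRONGSWAN_CONF = """\
charon {
    reuse_ikesa = no
    threads = 32
    plugins {
        load-tester {
            enable = yes          # enable the plugin
            initiators = 5
            iterations = 2
            delay = 100
            remote = 172.17.10.10
            proposal = aes128-sha1-modp1024
            initiator_auth = pubkey
            responder_auth = pubkey
            request_virtual_ip = yes
        }
    }
}
"""

# Constructed sample: the responder's ipsec.conf from the post.
IPSEC_CONF = """\
config setup
\tstrictcrlpolicy=no
\tcharonstart=yes

conn %default
\tkeyexchange=ikev2
\tmobike=no

conn rw-server
\tleft=172.17.10.10
\tleftsubnet=192.168.20.0/24
\tright=%any
\trightsourceip=10.3.0.0/16
\tleftid="CN=srv, OU=load-test, O=strongSwan"
\tleftcert=responder_cert.pem
\tauthby=pubkey
\tauto=add
"""


def parse_strongswan_conf(text):
    """Parse strongswan.conf into nested dicts.

    'name {' opens a section, 'key = value' sets a leaf, '}' closes the
    current section, and '#' starts a comment that runs to end of line.
    """
    root, stack, cur = {}, [], {}
    root = cur
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            sub = {}
            cur[line[:-1].strip()] = sub
            stack.append(cur)
            cur = sub
        elif line == "}":
            cur = stack.pop()
        else:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    if stack:
        raise ValueError("unbalanced braces in strongswan.conf")
    return root


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}.

    A line at column 0 ('conn X', 'config setup') opens a section; indented
    'key=value' lines belong to it. 'conn %default' values are merged into
    every other conn, which is how the daemon treats them.
    """
    sections, cur = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():
            cur = raw.strip()
            sections[cur] = {}
        else:
            key, _, value = raw.strip().partition("=")
            sections[cur][key.strip()] = value.strip().strip('"')
    default = sections.get("conn %default", {})
    for name, body in list(sections.items()):
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**default, **body}
    return sections


def check_load_test(sw_text, ipsec_text, conn="rw-server"):
    """Return (expected_ike_sas, problems) for an initiator/responder pair."""
    lt = parse_strongswan_conf(sw_text)["charon"]["plugins"]["load-tester"]
    resp = parse_ipsec_conf(ipsec_text)["conn " + conn]
    problems = []
    if lt.get("enable") != "yes":
        problems.append("load-tester plugin is not enabled on the initiator")
    if lt.get("remote") != resp.get("left"):
        problems.append("remote=%s does not match responder left=%s"
                        % (lt.get("remote"), resp.get("left")))
    if lt.get("initiator_auth") == "pubkey" and resp.get("authby") != "pubkey":
        problems.append("initiator uses pubkey but responder authby is not pubkey")
    if lt.get("request_virtual_ip") == "yes" and "rightsourceip" not in resp:
        problems.append("virtual IP requested but responder has no rightsourceip")
    if resp.get("keyexchange") != "ikev2":
        problems.append("load-tester is IKEv2 only but responder keyexchange is not ikev2")
    expected = int(lt.get("initiators", "0")) * int(lt.get("iterations", "0"))
    return expected, problems


if __name__ == "__main__":
    count, issues = check_load_test(STRONGSWAN_CONF, IPSEC_CONF)
    print("expecting %d IKE_SAs" % count)
    for issue in issues:
        print("PROBLEM:", issue)
```

Run it with the two real files read from disk in place of the embedded samples; an empty problem list and the expected IKE_SA count give you the number to compare against `ipsec statusall` once the run is up.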