[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Mon Jul 18 12:22:24 CEST 2011
Hi
I need some help from you all on the following issue:
1. I have a setup using Racoon (IKEv1 only) between 2 peer GWs (Linux
servers) and I needed to have about 1000 IPsec tunnels between them (i.e. it
would come to 2000 IPsec/ESP SAs with 1 IKE SA between the peer GWs). I did
this using the following script for the setkey policy files on the initiator
and the responder GW:
------------------------------------------------------------
#!/bin/bash
# Generates the setkey policy files for the initiator (initracoon1000) and the
# responder (respracoon1000): one in/out SPD pair per protected host
# 172.20.$i.$j, each requiring its own ESP tunnel SA ("unique" level).
# bash is required for the C-style for loops (they are not POSIX sh).
: > initracoon1000
: > respracoon1000
echo "#!/usr/sbin/setkey -f" >> initracoon1000
echo "flush;" >> initracoon1000
echo "spdflush;" >> initracoon1000
echo "#!/usr/sbin/setkey -f" >> respracoon1000
echo "flush;" >> respracoon1000
echo "spdflush;" >> respracoon1000
for ((i=1;i<5;i++))
do
    for ((j=3;j<255;j++))
    do
        echo "spdadd 192.168.1.2/32 172.20.$i.$j/32 any -P out ipsec esp/tunnel/1.1.1.1-1.1.1.2/unique;" >> initracoon1000
        echo "spdadd 172.20.$i.$j/32 192.168.1.2/32 any -P in ipsec esp/tunnel/1.1.1.2-1.1.1.1/unique;" >> initracoon1000
        echo "spdadd 192.168.1.2/32 172.20.$i.$j/32 any -P in ipsec esp/tunnel/1.1.1.1-1.1.1.2/unique;" >> respracoon1000
        echo "spdadd 172.20.$i.$j/32 192.168.1.2/32 any -P out ipsec esp/tunnel/1.1.1.2-1.1.1.1/unique;" >> respracoon1000
    done
done
---------------------------------------------------------------------
The above is somewhat a crude attempt to generate 1000 IPsec SAs. I used
Spirent TestCenter to simulate the multiple protected hosts behind the 2
IPsec/IKE peer GWs.
But with the racoon/setkey combo I see that it works somewhat: I am able to
reach the targeted 1000 tunnels.
2. So my question and the request for help is: how do I do the above scenario
using strongSwan?
- Do I script each "conn tunnel-sa1" so that I will have an ipsec.conf file
with 1 default conn entry (which will be used for the IKE SA) and about 1000
additional conn entries, one between each pair of the 1000 hosts behind the
IPsec peer GWs?
- Is there a better, simpler and more elegant way to simulate 1000
tunnels (2000 SAs)?
- I am interested in using IKEv2 only.
- Is there a keyword to use in the strongSwan ipsec config similar to "unique"
in racoon/setkey, which would trigger a new IPsec SA?
thanks
Rajiv
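As an added example (not part of the original post), the ipsec.conf counterpart of the setkey generator above: a %default conn carrying the shared IKEv2 settings and one conn per protected host. The gateway and host addresses are the ones from the post; authby=psk is an assumed placeholder (the key itself would live in ipsec.secrets).

```shell
#!/bin/sh
# Added example: generate a strongSwan ipsec.conf with one IKEv2 conn per
# protected host 172.20.$i.$j behind the responder, mirroring the
# racoon/setkey script. authby=psk is an assumed placeholder.
gen_ipsec_conf() {
    # $1 = initiator gw, $2 = responder gw, $3 = host behind the initiator
    left=$1; right=$2; lsub=$3
    printf 'config setup\n\n'
    # Settings every conn inherits; conns with identical IKE settings are
    # negotiated as CHILD_SAs over a single IKE SA.
    printf 'conn %%default\n    keyexchange=ikev2\n    left=%s\n    right=%s\n' "$left" "$right"
    printf '    authby=psk\n    auto=add\n\n'
    n=0; i=1
    while [ "$i" -lt 5 ]; do
        j=3
        while [ "$j" -lt 255 ]; do
            n=$((n + 1))
            # One conn per host pair: distinct traffic selectors, so its own ESP SA
            printf 'conn tunnel-sa%d\n    leftsubnet=%s/32\n    rightsubnet=172.20.%d.%d/32\n\n' \
                "$n" "$lsub" "$i" "$j"
            j=$((j + 1))
        done
        i=$((i + 1))
    done
}

# Number of per-host conns in the generated file (4 x 252 hosts = 1008).
count_conns() {
    gen_ipsec_conf "$@" | grep -c '^conn tunnel-sa'
}

# Example: gen_ipsec_conf 1.1.1.1 1.1.1.2 192.168.1.2 > /etc/ipsec.conf
```

strongSwan treats the side whose address is configured on a local interface as the local one, so the same file can be installed on both gateways. Each conn's own leftsubnet/rightsubnet pair is what gives it a separate CHILD_SA, which is the role "unique" plays in the setkey policies.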