[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Fri Jul 29 13:45:37 CEST 2011


Hi Tobias

Thanks for the reply.

No, I did not know of the load-tester plugin till you told me about it. I
followed your advice and started setting up the load-tester plugin with
strongswan-4.5.2 on Linux-Fedora servers.

- As mentioned in one of the mail-list posts on the load-tester plugin, I have
assigned one linux-box for simulating the road-warrior-clients and the other
as the rw-server.

- Now on the rw-client-simulator, I have set up the following:

strongswan.conf file
------------------------
....
....
charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # 1000 connections, ten in parallel
            initiators = 10
            iterations = 100
            # use a delay of 100ms, overall time is: iterations * delay = 100s
            delay = 100
            # address of the gateway
            remote = 192.168.0.1
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = psk
            responder_auth = psk
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
        }
    }
}
...
...
Now, here I request some help and clarification, as I am unable to
understand the exact usage and flow of the load-test scenario:

-------------------------------------------
on the rw-client-simulator pc
-------------------------------------------

- What is the meaning of "initiators=10 and iterations=100"? I would think
that for simulating establishment of 1000 simultaneous tunnels I would want
1000 initiators to be running, right? Why only 10 and running them 100 times?

- Would the initiators change after every 10th tunnel is established? Or
what?

- What will be the configuration in "ipsec.conf"? Will there be an ipsec.conf
file used for this load-test scenario on the rw-client-simulator pc?

- The wiki page on the load-test plugin says:
"For PSK authentication, FQDN identities are used. The server uses
srv.strongswan.org, the client uses an identity in the form
c1-r1.strongswan.org"

- So this means that the "ipsec.secrets" file will be used? Right? Any
sample file for this load-test scenario for, say, simulating 1000
tunnels/clients?

- Also I am confused as to what should be the content of the "ipsec.secrets"
file on the rw-client-simulator for PSK with FQDN? Any example will help,
because I am thinking, for 1000 clients, how many PSK statements and what FQDN
to use in the ipsec.secrets file.

- Do I just use the command "ipsec start" or are there any other options
required to be used?

----------------------------------------------------------------------
On the RW-Server (RoadWarrior-Server) Machine:
-----------------------------------------------------------------------

Once again, as advised in one of the mail-list responses on the load-tester
plugin query, on the rw-server-simulator pc I am using the following:

- I have NOT configured anything in the strongswan.conf file, i.e. as advised
I have not enabled the load-tester plugin on the server. Is this correct?

- Now the configurations:

ipsec.conf file

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=no
        charonstart=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn rw
        left=192.168.0.1
        leftsubnet=10.1.0.0/16
        right=%any
        rightsourceip=10.3.0.0/28
        auto=add
        authby=secret

- I feel that I am still missing some more important configurations in the
ipsec.conf file on this server.

- What will be the contents of the ipsec.secrets file on this server m/c? I
mean we need to use PSK with FQDN for 1000 clients, right? Any sample
ipsec.secrets file will be a tremendous help.


I am stuck at this point of the setup and I would be grateful for your help and
advice.

thanks & regards
rajiv

On Mon, Jul 18, 2011 at 7:44 PM, Tobias Brunner <tobias at strongswan.org> wrote:

> Hi Rajiv,
>
> > - is there a better way and a simple and elegant way to simulate 1000
> > tunnels (2000 SAs)?
>
> Did you already have a look at the load-tester plugin [1]?
>
> Regards,
> Tobias
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
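The open question in the message above is what ipsec.secrets should contain when 1000 simulated clients authenticate with PSKs and FQDN identities. The script below is an added example, not part of this thread and not code from the strongSwan project: it builds both variants of the file (one wildcard line, or one line per client identity) and models how charon selects a PSK from the selectors on each line. It takes the server identity srv.strongswan.org and the client pattern cX-rY.strongswan.org from the quoted wiki text; that X is the initiator number and Y the iteration number is an assumption about the plugin's naming, to be checked against the load-tester source of the strongSwan version in use.

```python
"""Added example (not from this thread or the strongSwan project): build an
ipsec.secrets file for a load-tester run using PSKs with FQDN identities, and
look up which PSK charon would pick for a given pair of identities.

Assumed from the quoted wiki text: server identity srv.strongswan.org, client
identities of the form cX-rY.strongswan.org. The mapping X = initiator
number, Y = iteration number is an assumption; verify it for your version.
"""
import re

SERVER_ID = "srv.strongswan.org"


def client_ids(initiators, iterations):
    """Yield one FQDN identity per simulated client (initiators * iterations)."""
    for r in range(1, iterations + 1):
        for c in range(1, initiators + 1):
            yield f"c{c}-r{r}.strongswan.org"


def wildcard_secrets(psk):
    """Single-line ipsec.secrets: %any lets every client share one PSK."""
    return f'{SERVER_ID} %any : PSK "{psk}"\n'


def per_client_secrets(initiators, iterations, psk_for):
    """One line per client identity, each with its own PSK from psk_for(id)."""
    lines = [f'{SERVER_ID} {cid} : PSK "{psk_for(cid)}"'
             for cid in client_ids(initiators, iterations)]
    return "\n".join(lines) + "\n"


# Selectors (identities) before the colon, the PSK quoted after "PSK".
_PSK_LINE = re.compile(r'^(?P<ids>[^:]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"$')


def parse_secrets(text):
    """Parse PSK lines into (selector list, psk) tuples. Only PSK entries are
    handled; lines starting with '#' are comments (a simplified reader)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PSK_LINE.match(line)
        if not m:
            raise ValueError(f"unsupported ipsec.secrets line: {raw!r}")
        entries.append((m.group("ids").split(), m.group("psk")))
    return entries


def lookup_psk(entries, local_id, remote_id):
    """Simplified model of charon's PSK selection: a line with no selectors
    matches any pair of identities; otherwise each identity must be listed
    exactly or covered by %any. Exact matches outrank %any, and %any outranks
    a selector-less line; the best-scoring entry wins."""
    def cover(ids, ident):
        if ident in ids:
            return 2
        if "%any" in ids:
            return 1
        return 0

    best_score, best_psk = -1, None
    for ids, psk in entries:
        if not ids:
            score = 0
        else:
            local, remote = cover(ids, local_id), cover(ids, remote_id)
            if not local or not remote:
                continue
            score = local + remote
        if score > best_score:
            best_score, best_psk = score, psk
    return best_psk


if __name__ == "__main__":
    # Constructed values: 10 initiators x 100 iterations = 1000 identities,
    # matching the initiators/iterations settings quoted in the message.
    print(wildcard_secrets("example-psk"), end="")
    print(sum(1 for _ in client_ids(10, 100)), "client identities")
```

With the wildcard form the server needs a single line and every client matches it; with the per-client form an identity that is not listed (and no %any fallback) yields no PSK, which is the behaviour to expect when the client naming assumption is wrong.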