[strongSwan] multiple ipsec tunnels (multiple ipsec/esp SAs between 2 peer gws with 1 IKE SA)

Martin Willi martin at strongswan.org
Fri Jul 29 14:04:45 CEST 2011


> - What is the meaning of "initiators=10 and iterations=100". I would
> think that for simulating establishment of 1000 simultaneous tunnels i
> would want 1000 initiators to be running right? Why only 10 and
> running them 100 times?

"initiators" defines the number of threads. Each thread initiates
"iterations" connections. More initiators means more parallelism. Make
sure to have enough threads defined with the charon "threads" option
(roughly at least 10 + initiators).

> - what will be the configuration in "ipsec.conf"? will there be an
> ipsec.conf file used for this load-test scenario on the
> rw-client-simulator pc.

No, the load-tester works independently from any ipsec.conf
configuration. It provides a dynamic configuration and credential

> - So this means that the "ipsec.secrets" file will be used? right? any
> sample file for this load-test scenario for say simulating 1000
> tunnels/clients?

A single PSK can be defined in the load-tester configuration using the
"preshared_key" option. But you of course can rely on credentials
defined with ipsec.secrets.

> - Also I am confused as to what should be the content of the
> "ipsec.secrets" file on the rw-client-simulator for PSK with FQDN? any
> example will help because I am thinking for 1000 clients how many PSK
> statements and what FQDN to use in the ipsec.secrets file

Try it without any ipsec.secrets credentials, using the PSK provided
through load-tester is fine.

> - Do I just use the command "ipsec start" or is there any other
> options required to be used?

As no ipsec.conf is involved, the starter is actually not required. I
prefer to launch charon directly when doing load-tests.

> - What will be the contents of the ipsec.secrets file on this server
> m/c? I mean we need to use PSK with FQDN for 1000 clients right? any
> sample ipsec.secrets file will be a tremendous help

The default PSK used by the load-tester plugin is "default-psk", but you
can override it using the option mentioned above. You can define

: PSK "default-psk"

in the responder's ipsec.secrets to use it for all identities.

> request_virtual_ip = yes

Please be aware that the Linux kernel can't handle hundreds of IPs very
efficiently. Your test system will slow down if you install an IP with
each tunnel. You can avoid this by setting

charon {
	install_virtual_ip = no
}

in strongswan.conf on the initiating system.
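
The settings discussed in this reply, combined into one initiator-side strongswan.conf for a 1000-tunnel PSK test. This is an added example, not part of the original message: the "enable", "remote", "initiator_auth" and "responder_auth" options come from the load-tester plugin's documented option set rather than from this thread, and the gateway address and PSK value are placeholders.

```conf
# strongswan.conf on the initiating (client-simulator) host.
# Added example; address and PSK below are placeholders.
charon {
	# Worker threads: roughly at least 10 + initiators (10 + 10 here).
	threads = 20

	# Do not install one virtual IP per tunnel on the test system.
	install_virtual_ip = no

	plugins {
		load-tester {
			enable = yes

			# 10 threads x 100 connections each = 1000 tunnels.
			initiators = 10
			iterations = 100

			# Responder under test (placeholder, TEST-NET-1 address).
			remote = 192.0.2.1

			# PSK authentication in both directions.
			initiator_auth = psk
			responder_auth = psk

			# Overrides the built-in "default-psk". The responder needs
			# the matching line in its ipsec.secrets:
			#   : PSK "example-load-test-psk"
			preshared_key = example-load-test-psk

			request_virtual_ip = yes
		}
	}
}
```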

