[strongSwan] Strongswan IKEv2 Performance (Tunnel Establishment rate per second)

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Mon Jun 18 18:28:03 CEST 2012

Hello Martin,

Thanks for your reply.

Could you please validate the methodology I used for the IKEv2 performance
characterization, as described below? I tried it with a sample test
establishing 500 IPsec tunnels.

Based on your response, I tried a test method to measure the tunnel
establishment rate with IKEv2, using the following scripts and steps below:

A) The Test setup topology is as below:

B) The test script to generate the ipsec.conf files for GW1 (ipsecgw1) and
GW2 (ipsecgw2) is as below:
# assumes q (first UDP source port) and x (UDP echo port, 7 per the sendip
# script) are already set; left/right addresses are not shown in this post
echo "#/etc/ipsec.conf - strongSwan IPsec configuration file" >> ipsecgw1
echo "" >> ipsecgw1
echo "config setup" >> ipsecgw1
echo "        strictcrlpolicy=no" >> ipsecgw1
echo "        crlcheckinterval=180" >> ipsecgw1
echo "        plutostart=yes" >> ipsecgw1
echo "        charonstart=yes" >> ipsecgw1
echo "        nat_traversal=yes" >> ipsecgw1
echo "" >> ipsecgw1
echo "conn %default" >> ipsecgw1
echo "        ikelifetime=24h" >> ipsecgw1
echo "        keylife=12h" >> ipsecgw1
echo "        rekeymargin=3m" >> ipsecgw1
echo "        keyingtries=1" >> ipsecgw1
echo "        mobike=no" >> ipsecgw1
echo "        left=" >> ipsecgw1
echo "        leftsubnet=" >> ipsecgw1
echo "        right=" >> ipsecgw1
echo "        rightsubnet=" >> ipsecgw1
echo "        authby=secret" >> ipsecgw1
echo "        type=tunnel" >> ipsecgw1
echo "        keyexchange=ikev2" >> ipsecgw1
echo "        ike=3des-sha1-modp1024" >> ipsecgw1
echo "        esp=3des-sha1" >> ipsecgw1
echo "        reauth=no" >> ipsecgw1
echo "        pfs=no" >> ipsecgw1
qstart=$q   # remember the first port so the GW2 file gets the same ports
for ((i=1;i<501;i++))
do
echo "" >> ipsecgw1
echo "conn tunnel$i" >> ipsecgw1
echo "        leftprotoport=17/$q" >> ipsecgw1
echo "        rightprotoport=17/$x" >> ipsecgw1
echo "        auto=route" >> ipsecgw1
q=`expr ${q} + 1`;
done
q=$qstart   # restart port numbering for the GW2 file
echo "#/etc/ipsec.conf - strongSwan IPsec configuration file" >> ipsecgw2
echo "" >> ipsecgw2
echo "config setup" >> ipsecgw2
echo "        strictcrlpolicy=no" >> ipsecgw2
echo "        crlcheckinterval=180" >> ipsecgw2
echo "        plutostart=yes" >> ipsecgw2
echo "        charonstart=yes" >> ipsecgw2
echo "        nat_traversal=yes" >> ipsecgw2
echo "" >> ipsecgw2
echo "conn %default" >> ipsecgw2
echo "        ikelifetime=24h" >> ipsecgw2
echo "        keylife=12h" >> ipsecgw2
echo "        rekeymargin=3m" >> ipsecgw2
echo "        keyingtries=1" >> ipsecgw2
echo "        mobike=no" >> ipsecgw2
echo "        left=" >> ipsecgw2
echo "        leftsubnet=" >> ipsecgw2
echo "        right=" >> ipsecgw2
echo "        rightsubnet=" >> ipsecgw2
echo "        authby=secret" >> ipsecgw2
echo "        type=tunnel" >> ipsecgw2
echo "        keyexchange=ikev2" >> ipsecgw2
echo "        ike=3des-sha1-modp1024" >> ipsecgw2
echo "        esp=3des-sha1" >> ipsecgw2
echo "        reauth=no" >> ipsecgw2
echo "        pfs=no" >> ipsecgw2
for ((j=1;j<501;j++))
do
echo "" >> ipsecgw2
echo "conn tunnel$j" >> ipsecgw2
echo "        rightprotoport=17/$q" >> ipsecgw2
echo "        leftprotoport=17/$x" >> ipsecgw2
echo "        auto=route" >> ipsecgw2
q=`expr ${q} + 1`;
done

C) The contents of the ipsec.secrets file are as below:

#/etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "123456"
D) The script to generate the traffic from PC1 to PC2 using "sendip" is as
below:

# assumes q is set to the first UDP source port used in the ipsec.conf files
echo "starting to send udp traffic.."
echo "sending traffic .."
for ((i=1;i<501;i++))
do
sendip -p ipv4 -p udp -us $q -ud 7 -is
q=`expr ${q} + 1`;
echo "next iteration.."
done
echo "ending traffic.."

E) Now the steps for running this test are as below:

note: PC1 and PC2 are linux PCs

1. Save the traffic-gen script to a file "sendip-ipsec500.conf" on PC1
2. stop/disable any iptables or firewall services
3. Ensure that you have installed sendip package/app on this PC
1. Very importantly, make sure you have enabled and started the echo-dgram
(udp port 7) service on this PC.
2. It's in /etc/xinetd.d/
3. stop/disable any iptables or firewall services

GW1 config
* Make sure you disable IPTables
# iptables -F
# iptables -F -t nat
then do the steps below:
1. Execute the script "testipsec1.conf"
2. copy the file "ipsecgw1" to the ipsec.conf file (wherever it is located)
on GW1
3. copy the "ipsec.secrets" (with PSK auth entry) file to the location
where it should be on GW1
4. start ipsec by executing the command "ipsec start"
GW2 config
* Make sure you disable IPTables
# iptables -F
# iptables -F -t nat
then do the steps below:
1. Execute the script "testipsec1.conf"
2. copy the file "ipsecgw2" to the ipsec.conf file (wherever it is located)
on GW1
3. copy the "ipsec.secrets" (with PSK auth entry) file to the location
where it should be on GW1
4. start ipsec by executing the command "ipsec start"
General Steps to start measuring the tunnel rate
1. On GW1, execute the following on the console/cli prompt, before you
start sending traffic from PC1
while :
do
    ipsec status | grep INSTALLED | wc
    sleep 5
done

2. On PC1, start sending the traffic by executing the script as below:
while :
do
    sh sendip-ipsec500.conf   # assumed: the traffic-gen script saved in step 1
done
The traffic will be sent continuously now

3. Meanwhile, start observing on GW1 the number of tunnels created every 5
seconds. The "INSTALLED" keyword/pattern occurs in the "ipsec status" output
for every ipsec/esp tunnel created, so you should have 500 for 500 tunnels.
4. Observe on GW1 and calculate the difference between the number of
tunnels for every 5 second iteration, and divide by 5 to get the per second
tunnel establishment rate.

1. We can edit the testipsec1.conf file for any number of tunnels and
generate the conf files for GW1 and GW2.

F) Just FYI, my tests on OpenWRT GWs using strongswan-4.3.6 are resulting in
an average of 10-11 tunnels per second, if the above method and
calculations are correct.

So I am awaiting your reply on the correctness of the methodology followed above.

thanks & regards

On Mon, Jun 18, 2012 at 12:16 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
> > I need to run a performance test for finding out IKEv2 Tunnel
> > Establishment Rate (no of tunnels per second), i have a DUT running
> > strongswan-4.3.6 on OpenWRT.
> >
> > How to do this? I have tried with Load-Tester Plugin setup, but that's
> > just load. How to find out the rate of tunnels established?
> We currently don't have a functionality to automatically measure the
> tunnel setup rate.
> The load-tester plugin establishes IKE_SAs with a configured rate. If
> you increase this rate between different tests and monitor the
> responder, you should see when packets get dropped because it is
> overloaded.
> Regards
> Martin
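The same method in one place, as an added example that is not part of the thread: it renders the two mirrored ipsec.conf files (the client port must be GW1's leftprotoport and GW2's rightprotoport, or the two policies never select the same packet), counts INSTALLED lines the way the GW1 loop does, and converts the 5-second counts into a per-second rate. Gateway addresses and subnets are constructed placeholders, since the post leaves them blank.

```python
"""Added example (not the poster's script): render the two mirrored
ipsec.conf files for an N-tunnel IKEv2 test and turn the 5-second
INSTALLED counts from `ipsec status` into a per-second setup rate."""
from typing import Dict, List, Sequence

# Constructed placeholder addresses; the post leaves left/right blank.
PEERS: Dict[str, Dict[str, str]] = {
    "gw1": {"left": "192.0.2.1", "leftsubnet": "10.1.0.0/24",
            "right": "192.0.2.2", "rightsubnet": "10.2.0.0/24"},
    "gw2": {"left": "192.0.2.2", "leftsubnet": "10.2.0.0/24",
            "right": "192.0.2.1", "rightsubnet": "10.1.0.0/24"},
}
DEFAULTS = ("keyexchange=ikev2", "ike=3des-sha1-modp1024", "esp=3des-sha1",
            "authby=secret", "type=tunnel", "keyingtries=1", "mobike=no",
            "reauth=no", "pfs=no", "ikelifetime=24h", "keylife=12h")

def render_conf(gw: str, n_tunnels: int, first_port: int, echo_port: int = 7) -> str:
    """One conn per UDP source port. Traffic always runs PC1 -> PC2 echo port,
    so the client port is gw1's leftprotoport and gw2's rightprotoport;
    swapping them gives two policies that never match the same packet."""
    out = ["config setup", "        strictcrlpolicy=no", "", "conn %default"]
    out += [f"        {k}={v}" for k, v in PEERS[gw].items()]
    out += [f"        {line}" for line in DEFAULTS]
    for i in range(n_tunnels):
        client, server = f"17/{first_port + i}", f"17/{echo_port}"
        left, right = (client, server) if gw == "gw1" else (server, client)
        out += ["", f"conn tunnel{i + 1}", f"        leftprotoport={left}",
                f"        rightprotoport={right}", "        auto=route"]
    return "\n".join(out) + "\n"

def count_installed(status_output: str) -> int:
    """Same count as `ipsec status | grep INSTALLED | wc -l` on GW1."""
    return sum(1 for line in status_output.splitlines() if "INSTALLED" in line)

def setup_rates(counts: Sequence[int], interval_s: float = 5.0) -> List[float]:
    """Tunnels per second for each sampling interval (step 4 of the post)."""
    return [(later - earlier) / interval_s for earlier, later in zip(counts, counts[1:])]

def mean_setup_rate(counts: Sequence[int], interval_s: float = 5.0) -> float:
    """Average rate over the whole run; 0.0 if fewer than two samples."""
    if len(counts) < 2:
        return 0.0
    return (counts[-1] - counts[0]) / (interval_s * (len(counts) - 1))

if __name__ == "__main__":
    # Constructed sample of what the GW1 loop prints every 5 s.
    print(setup_rates([0, 52, 105, 150]))   # -> [10.4, 10.6, 9.0]
    print(render_conf("gw1", 2, 5000))
```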