[strongSwan] Issue with net-net scenario with load-tester plugin (using strongSwan 5.0.4)
Chinmaya Dwibedy
ckdwibedy at yahoo.com
Mon Aug 26 10:11:30 CEST 2013
Hi,
I am using the load-tester plugin to create one thousand IPsec connections/tunnels. In our scenario two security gateways A (IKE initiator) and B (IKE responder) will connect the two subnets X and Y with each other through a VPN tunnel set up between the two gateways. I found that each IKE initiator is assigned a unique IP address by the IKE responder (with CFG_REPLY during the IKE_AUTH exchange) and the IPsec/child SAs are created using it. But what I see with load-tester is that TSr is by default the remote IP address (as it is configured in strongswan.conf). It does not take the leftsubnet parameter (configured in ipsec.conf at gateway B). I think it's not supported. Can anyone please confirm? I need to send the traffic from a host behind Y to a host behind X and vice versa via the IPsec tunnels established between A and B. Is there any way to accomplish this? Do I need to modify the source code? Any pointer in this regard will be highly appreciated.
Thanks in advance for your support.
10.0.0.0/8 -- | 30.30.30.11 | === | 30.30.30.21 | -- 40.0.0.0/8
    X                A                   B               Y
Configuration on gateway A:
strongswan.conf
threads = 16
replay_window = 32
dos_protection = no
block_threshold=1000
cookie_threshold=1000
init_limit_half_open=1000
retransmit_timeout=60
retransmit_tries=30
install_virtual_ip=no
install_routes=no
close_ike_on_child_failure=yes
ikesa_table_size = 512
ikesa_table_segments = 16
reuse_ikesa = no
load-tester {
    enable = yes
    initiators = 10
    iterations = 100
    delay = 20
    responder = 30.30.30.21
    proposal = aes128-sha1-modp1024
    initiator_auth = psk
    responder_auth = psk
    request_virtual_ip = yes
    ike_rekey = 0
    child_rekey = 0
    delete_after_established = no
    shutdown_when_complete = no
}
Configuration on gateway B:
strongswan.conf
threads = 16
replay_window = 32
block_threshold=1000
cookie_threshold=1000
init_limit_half_open=1000
half_open_timeout=1000
dos_protection = no
install_virtual_ip=no
install_routes=no
close_ike_on_child_failure=yes
ikesa_table_size = 512
ikesa_table_segments = 16
reuse_ikesa = no
ipsec.conf
conn %default
    ikelifetime=24h
    keylife=23h
    rekeymargin=5m
    keyingtries=1
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    mobike=no

conn host-host
    left=30.30.30.21
    leftsubnet=40.0.0.0/8
    rightid=%any
    leftauth=psk
    leftfirewall=yes
    rightsourceip=10.0.0.0/8
    leftid=@srv.strongswan.org
    rightauth=psk
    type=tunnel
    authby=secret
    rekey=no
    reauth=no
    auto=add
Regards,
Chinmaya
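The question above turns on what the initiator puts into the TSr payload and how the responder narrows it against its own policy. The following is an added example (not part of the original post and not strongSwan's own code) that encodes IPv4 traffic selectors as defined in RFC 7296 section 3.13 and applies the responder-side narrowing rule from section 2.9. It uses the addresses from the post (gateway B at 30.30.30.21, subnet Y as 40.0.0.0/8) as constructed inputs; the function and variable names are mine, and the port handling is a simplification that only covers TCP/UDP/any.

```python
"""Encode, decode and narrow IKEv2 IPv4 traffic selectors (RFC 7296, section 3.13)."""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS Type value from RFC 7296 section 3.13.1
TS_FMT = "!BBHHH4s4s"    # type, proto, length, start port, end port, start addr, end addr
TS_LEN = struct.calcsize(TS_FMT)  # 16 bytes for one IPv4 range selector


def encode_ts(network, proto=0, start_port=0, end_port=65535):
    """Build one TS_IPV4_ADDR_RANGE substructure covering the given CIDR block.
    proto=0 and ports 0-65535 mean "any protocol / any port"."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 selectors are handled in this example")
    return struct.pack(TS_FMT, TS_IPV4_ADDR_RANGE, proto, TS_LEN,
                       start_port, end_port,
                       net.network_address.packed, net.broadcast_address.packed)


def decode_ts(data):
    """Parse one selector substructure into a dict; rejects anything but IPv4 ranges."""
    if len(data) < TS_LEN:
        raise ValueError("truncated traffic selector")
    ts_type, proto, length, sp, ep, start, end = struct.unpack(TS_FMT, data[:TS_LEN])
    if ts_type != TS_IPV4_ADDR_RANGE or length != TS_LEN:
        raise ValueError("unsupported or malformed traffic selector")
    return {"proto": proto, "ports": (sp, ep),
            "start": ipaddress.IPv4Address(start), "end": ipaddress.IPv4Address(end)}


def encode_ts_payload(selectors):
    """TSi/TSr payload body: 1-byte selector count, 3 reserved bytes, then the selectors.
    The 4-byte generic payload header (next payload, flags, length) is left to the
    message builder and omitted here."""
    return struct.pack("!B3x", len(selectors)) + b"".join(selectors)


def decode_ts_payload(body):
    """Inverse of encode_ts_payload; returns the list of decoded selectors."""
    count = body[0]
    return [decode_ts(body[4 + i * TS_LEN:4 + (i + 1) * TS_LEN]) for i in range(count)]


def narrow(proposed, configured):
    """Responder-side narrowing (RFC 7296 section 2.9): intersect what the initiator
    proposed with what the responder's policy allows. Returns None when there is no
    overlap, which a responder reports as TS_UNACCEPTABLE.
    Simplification: ports are treated as plain ranges (fine for TCP/UDP/any)."""
    if proposed["proto"] and configured["proto"] and proposed["proto"] != configured["proto"]:
        return None
    start = max(proposed["start"], configured["start"])
    end = min(proposed["end"], configured["end"])
    if start > end:
        return None
    sp = max(proposed["ports"][0], configured["ports"][0])
    ep = min(proposed["ports"][1], configured["ports"][1])
    if sp > ep:
        return None
    return {"proto": proposed["proto"] or configured["proto"],
            "ports": (sp, ep), "start": start, "end": end}


def main():
    # Constructed inputs taken from the post: gateway B is 30.30.30.21, subnet Y is 40.0.0.0/8.
    responder_policy = decode_ts(encode_ts("40.0.0.0/8"))
    # Case 1: a TSr that is only the gateway's own address (a /32) has no overlap
    # with a 40.0.0.0/8 policy, so narrowing yields nothing.
    host_only = decode_ts(encode_ts("30.30.30.21/32"))
    print("host-only TSr vs leftsubnet:", narrow(host_only, responder_policy))
    # Case 2: a wide TSr narrows down to the responder's subnet.
    wide = decode_ts(encode_ts("0.0.0.0/0"))
    print("0.0.0.0/0 TSr vs leftsubnet:", narrow(wide, responder_policy))
    # A complete TSr payload body proposing both subnets from the diagram.
    body = encode_ts_payload([encode_ts("10.0.0.0/8"), encode_ts("40.0.0.0/8")])
    print("TSr payload body:", body.hex())


if __name__ == "__main__":
    main()
```

The two cases in main() show why a single-address TSr and a subnet policy cannot be reconciled by narrowing alone: the intersection of 30.30.30.21/32 with 40.0.0.0/8 is empty, whereas a selector that already covers the responder's subnet narrows cleanly to it. Checking that every negotiated selector is a subset of the configured policy is the check a responder must make regardless of how the initiator was generated.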