[strongSwan] Very slow IPsec tunnel setup rate using load tester plugin (strongswan 5.0.4)

Chinmaya Dwibedy ckdwibedy at yahoo.com
Tue Sep 3 13:37:10 CEST 2013


Hi All,

I am using the load tester plugin (strongswan 5.0.4) to create 10,000
IPsec tunnels (without traffic) successfully. In order to accomplish 10k
IPsec tunnels, I changed “/proc/sys/net/core/xfrm_acq_expires” from 165
to 9000 seconds. I have disabled logging by configuring the default to
-1 in the filelog section of strongswan.conf at both ends. But I observed
a very slow IPsec tunnel setup rate (about 5-6 tunnels per second). I
found from the following web link,
https://lists.strongswan.org/pipermail/users/2009-December/004184.html,
that Mr. Martin has measured 200+ tunnel negotiations/second (1 IKE + 1
CHILD_SA). Any suggestions are greatly appreciated.

Here is my configuration for the IKE Initiator as well as the IKE
Responder.
 
IKE Initiator
strongswan.conf
        threads = 16
        replay_window = 32
        dos_protection = no
        block_threshold = 9000
        cookie_threshold = 9000
        init_limit_half_open = 9000
        retransmit_timeout = 60
        retransmit_tries = 60
        install_virtual_ip = no
        install_routes = no
        close_ike_on_child_failure = yes
        ikesa_table_size = 1024
        ikesa_table_segments = 16
        reuse_ikesa = no
ipsec.secrets
@srv.strongswan.org %any : PSK "strongSwan"
load-tester {
        enable = yes
        initiators = 100
        iterations = 100
        delay = 20
        responder = 30.30.30.21
        initiator_tsr = 40.0.0.1
        proposal = aes128-sha1-modp1024
        initiator_auth = psk
        responder_auth = psk
        request_virtual_ip = yes
        ike_rekey = 0
        child_rekey = 0
        delete_after_established = no
        shutdown_when_complete = no
}
IKE Responder
strongswan.conf
        threads = 16
        replay_window = 32
        block_threshold = 9000
        cookie_threshold = 9000
        init_limit_half_open = 9000
        half_open_timeout = 9000
        dos_protection = no
        close_ike_on_child_failure = yes
        ikesa_table_size = 512
        ikesa_table_segments = 16
        reuse_ikesa = no
 
ipsec.conf
conn %default
        ikelifetime=24h
        keylife=23h
        rekeymargin=5m
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        mobike=no
 
conn host-host
        left=30.30.30.21
        leftsubnet=40.0.0.1/8
        rightid=%any
        leftauth=psk
        leftfirewall=yes
        rightsourceip=10.0.0.0/8
        leftid=@srv.strongswan.org
        rightauth=psk
        type=tunnel
        authby=secret
        rekey=no
        reauth=no
        auto=add
   
Regards,
Chinmaya