[strongSwan] Issue with ECDH group using load tester plugin (strongswan 5.0.4)

Chinmaya Dwibedy ckdwibedy at yahoo.com
Fri Jan 17 11:03:53 CET 2014

Hi All,
I am using the load tester plugin (strongswan 5.0.4) to create
thousands of IPsec tunnels. I find the tunnel setup rate to be 125-130
tunnels per second. To use ECDH (for an enhanced setup rate), I built
strongswan with the ./configure --prefix /usr --sysconfdir=/etc --enable-openssl --disable-gmp
option. I think these DH groups are
available with strongSwan if enabled with the openssl plugin.
I have configured the following IPsec transform sets as
In conn %default section of ipsec.conf (IKE
In load-tester section of strongswan.conf (IKE Initiator)
proposal = aes128-sha1-ecp192
But when trying to run from the console (using #ipsec start --nofork),
the following error message appeared
at the IKE initiator end:
"09[MGR] <load-test|1> tried to check-in and delete nonexisting IKE_SA"
Thereafter I checked the list of registered IKE algorithms and DH groups using
#ipsec listalgs and found the following:
 List of registered IKE algorithms:
   dh-group:   MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl]
               MODP_1536[openssl] MODP_3072[openssl] MODP_4096[openssl]
               MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl]
               MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
               MODP_NULL[load-tester]
RNG_STRONG[random] RNG_TRUE[random] RNG_WEAK[openssl]
   nonce-gen:  [nonce]
Similarly, I checked the SSL ciphers supported via the OpenSSL>
ciphers command but did not find the elliptic curve Diffie-Hellman group. I am
using the Fedora Linux ( and the version of OpenSSL is 1.0.0d-fips
8 Feb 2011.
Can anyone please suggest how to enable Elliptic curve
Diffie–Hellman in OpenSSL? Please correct me if I am not on the right track. Please
feel free to let me know if I have missed anything. Thanks in advance for your
support and response.
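
Added example, not part of the original post and not strongSwan code: a check that the DH group named in an IKE proposal appears in the dh-group row of `ipsec listalgs` output. The sample output is constructed from the excerpt above, and the keyword-to-name mapping (ecp192 to ECP_192, modp2048 to MODP_2048) is an assumption that covers only plain modpN/ecpN keywords.

```python
import re

# Constructed sample, modelled on the `ipsec listalgs` excerpt quoted in the post.
SAMPLE_LISTALGS = """\
List of registered IKE algorithms:
  dh-group:   MODP_2048[openssl] MODP_2048_224[openssl] MODP_1536[openssl]
              MODP_1024[openssl] MODP_768[openssl] MODP_NULL[load-tester]
  nonce-gen:  [nonce]
"""

LABEL = re.compile(r"^\s*([a-z-]+):\s*(.*)$")    # row label such as "dh-group:"
ENTRY = re.compile(r"(\w+)\[([\w-]+)\]")         # NAME[plugin]
DH_KEYWORD = re.compile(r"^(modp|ecp)(\d+)$")    # assumption: plain keywords only


def registered_dh_groups(listalgs_text):
    """Return {group_name: plugin} from the dh-group row, following wrapped lines."""
    groups, in_dh = {}, False
    for line in listalgs_text.splitlines():
        m = LABEL.match(line)
        if m:
            # A new labelled row starts; only the dh-group row is collected.
            in_dh = m.group(1) == "dh-group"
            line = m.group(2)
        if in_dh:
            groups.update(ENTRY.findall(line))
    return groups


def proposal_dh_names(proposal):
    """Map DH keywords in a proposal (e.g. ecp192) to listalgs names (ECP_192)."""
    names = []
    for token in proposal.lower().split("-"):
        m = DH_KEYWORD.match(token)
        if m:
            names.append(f"{m.group(1).upper()}_{m.group(2)}")
    return names


def missing_dh_groups(proposal, listalgs_text):
    """DH groups the proposal asks for that no loaded plugin has registered."""
    have = registered_dh_groups(listalgs_text)
    return [n for n in proposal_dh_names(proposal) if n not in have]


if __name__ == "__main__":
    print(missing_dh_groups("aes128-sha1-ecp192", SAMPLE_LISTALGS))
```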
