[strongSwan] Getting started with Load Test Plugin

Michael C Cambria mcc at fid4.com
Sun Aug 2 00:36:56 CEST 2015


I'm trying to get familiar with the load test plugin.  To start, I'm 
trying the self test 
[https://wiki.strongswan.org/projects/strongswan/wiki/LoadTests#Testing-against-self]

I'm obviously doing something wrong; I can't even get one (two total if 
I understand correctly) connection up.

I set up Ubuntu 14.04 LTS on Virtual Box, enabled the plugin via 
./configure, built and installed fresh 5.3 from tarball.  Made charon 
changes in strongswan.conf as suggested on the Wiki:

root@u1404vb:/usr/local/etc# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        #load_modular = yes

        # create a new IKE_SA for each CHILD_SA to simulate different clients
        reuse_ikesa = no
        # turn off denial of service protection
        dos_protection = no

        plugins {

                load-tester {
                        # enable the plugin
                        enable = yes
                        # use 4 threads to initiate connections simultaneously
                        #initiators = 4
                        initiators = 1
                        # each thread initiates 1000 connections
                        #iterations = 1000
                        iterations = 1
                        # delay each initiation in each thread by 20ms
                        delay = 20
                        # fake the kernel interface to avoid SA conflicts
                        fake_kernel = yes
                }

                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf
root@u1404vb:/usr/local/etc#

There are no other changes made, e.g. ipsec.conf and other files are 
exactly as they are after "make install"

syslog shows:


Aug  1 18:31:42 u1404vb charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.13.0-61-generic, x86_64)
Aug  1 18:31:42 u1404vb charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Aug  1 18:31:42 u1404vb charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Aug  1 18:31:42 u1404vb charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Aug  1 18:31:42 u1404vb charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Aug  1 18:31:42 u1404vb charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Aug  1 18:31:42 u1404vb charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Aug  1 18:31:42 u1404vb charon: 00[CFG]   loaded RSA private key from '/usr/local/etc/ipsec.d/private/myKey.der'
Aug  1 18:31:42 u1404vb charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic
Aug  1 18:31:42 u1404vb charon: 00[JOB] spawning 16 worker threads
Aug  1 18:31:42 u1404vb charon: 13[IKE] initiating IKE_SA load-test[1] to 127.0.0.1
Aug  1 18:31:42 u1404vb charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug  1 18:31:42 u1404vb charon: 13[NET] sending packet: from 127.0.0.1[500] to 127.0.0.1[500] (288 bytes)
Aug  1 18:31:42 u1404vb charon: 12[NET] received packet: from 127.0.0.1[500] to 127.0.0.1[500] (288 bytes)
Aug  1 18:31:42 u1404vb charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug  1 18:31:42 u1404vb charon: 12[IKE] 127.0.0.1 is initiating an IKE_SA
Aug  1 18:31:42 u1404vb charon: 12[IKE] sending cert request for "CN=srv, OU=load-test, O=strongSwan"
Aug  1 18:31:42 u1404vb charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Aug  1 18:31:42 u1404vb charon: 12[NET] sending packet: from 127.0.0.1[500] to 127.0.0.1[500] (321 bytes)
Aug  1 18:31:42 u1404vb charon: 03[NET] received packet: from 127.0.0.1[500] to 127.0.0.1[500] (321 bytes)
Aug  1 18:31:42 u1404vb charon: 03[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Aug  1 18:31:42 u1404vb charon: 03[IKE] received IKE_SA_INIT response, but expected EXCHANGE_TYPE_UNDEFINED
Aug  1 18:31:46 u1404vb charon: 04[IKE] retransmit 1 of request with message ID 0
Aug  1 18:31:46 u1404vb charon: 04[NET] sending packet: from 127.0.0.1[500] to 127.0.0.1[500] (288 bytes)
Aug  1 18:31:46 u1404vb charon: 06[NET] received packet: from 127.0.0.1[500] to 127.0.0.1[500] (288 bytes)
Aug  1 18:31:46 u1404vb charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Aug  1 18:31:46 u1404vb charon: 06[IKE] 127.0.0.1 is initiating an IKE_SA
Aug  1 18:31:46 u1404vb charon: 06[IKE] sending cert request for "CN=srv, OU=load-test, O=strongSwan"
Aug  1 18:31:46 u1404vb charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Aug  1 18:31:46 u1404vb charon: 06[NET] sending packet: from 127.0.0.1[500] to 127.0.0.1[500] (321 bytes)
Aug  1 18:31:46 u1404vb charon: 05[MGR] ignoring request with ID 0, already processing
Aug  1 18:32:12 u1404vb charon: 10[JOB] deleting half open IKE_SA after timeout
Aug  1 18:32:16 u1404vb charon: 07[JOB] deleting half open IKE_SA after timeout

root@u1404vb:/usr/local/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.13.0-61-generic, x86_64):
   uptime: 2 minutes, since Aug 01 18:31:42 2015
   malloc: sbrk 2297856, mmap 0, used 263472, free 2034384
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr load-tester kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
   172.16.8.64
Connections:
    load-test:  127.0.0.1...0.0.0.0  IKEv1/2
    load-test:   local:  [CN=srv, OU=load-test, O=strongSwan] uses public key authentication
    load-test:   remote: [CN=*, OU=load-test, O=strongSwan] uses public key authentication
    load-test:   child:  dynamic === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
   none
root@u1404vb:/usr/local/etc# ipsec --version
Linux strongSwan U5.3.0/K3.13.0-61-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
root@u1404vb:/usr/local/etc#


I'm sure I'm missing something.

Any help appreciated

Thanks,
MikeC
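
Added example, not part of the original post: a short Python script that rejoins hard-wrapped charon syslog lines like those above and counts handshake events (initiations, unexpected-exchange errors, retransmits, half-open timeouts), so a load-test run that never completes an IKE_SA is easy to spot. The sample input is a constructed subset of the posted log, the event names are this example's own, and the `established` pattern is charon's success line, which does not appear in the post.

```python
import re
from collections import Counter

# Constructed sample: a subset of the charon lines from the post, still hard-wrapped.
SAMPLE = """\
Aug  1 18:31:42 u1404vb charon: 13[IKE] initiating IKE_SA load-test[1]
to 127.0.0.1
Aug  1 18:31:42 u1404vb charon: 03[IKE] received IKE_SA_INIT response,
but expected EXCHANGE_TYPE_UNDEFINED
Aug  1 18:31:46 u1404vb charon: 04[IKE] retransmit 1 of request with
message ID 0
Aug  1 18:31:46 u1404vb charon: 05[MGR] ignoring request with ID 0,
already processing
Aug  1 18:32:12 u1404vb charon: 10[JOB] deleting half open IKE_SA after
timeout
"""

HEAD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: (\d+)\[(\w+)\] (.*)$")

# Event name (chosen for this example) -> pattern matched against the message text.
EVENTS = {
    "initiated": re.compile(r"^initiating IKE_SA "),
    "unexpected_exchange": re.compile(r"^received \S+ (?:request|response), but expected "),
    "retransmit": re.compile(r"^retransmit \d+ of request"),
    "duplicate_ignored": re.compile(r"^ignoring request with ID \d+"),
    "half_open_timeout": re.compile(r"^deleting half open IKE_SA"),
    "established": re.compile(r"^IKE_SA \S+ established "),  # success line, absent from the post
}

def parse(text):
    """Rejoin wrapped lines; return (time, thread, subsystem, message) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = HEAD.match(line)
        if m:
            records.append(list(m.groups()))
        elif line and records:
            records[-1][3] += " " + line  # continuation of the previous entry
    return [tuple(r) for r in records]

def summarise(records):
    """Count handshake events; stalled means initiations but no established SA."""
    counts = Counter(name for *_, msg in records
                     for name, pat in EVENTS.items() if pat.search(msg))
    return dict(counts), counts["initiated"] > 0 and counts["established"] == 0

if __name__ == "__main__":
    print(summarise(parse(SAMPLE)))
```
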


