[strongSwan] Issues with rekeying on 5.2.2 client against 5.2.1 server
meenakshi bangad
mbangad at gmail.com
Tue Feb 17 19:31:14 CET 2015
Hi,
I am doing some load testing using strongSwan as a VPN client and server,
but on different machines. I was able to bring up about 200 VPN connections
on the client.
All the clients could talk to the internet and things looked fine.
But I see that after some time, even though I have a script that is generating
traffic constantly, all or some of the tunnels just vanish. Can someone
please provide some insight?
********************
*CLIENT config:*
My ipsec.conf on client side is blank.
*/etc/strongswan.conf:*
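charon {
    # load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
    dh_exponent_ansi_x9_42 = no
    # do not reuse an existing IKE_SA to the same peer; every connection negotiates its own
    reuse_ikesa = no
    threads = 32
    # install_routes = no
    plugins {
        load-tester {
            # load-tester synthesises IKE_SAs for benchmarking only; keep it disabled
            # on any daemon that is not a dedicated test client
            enable = yes
            # 10 initiators, one iteration each: 10 connections in total
            initiators = 10
            iterations = 1
            # delay between initiations in ms; with one iteration the whole run takes
            # about iterations * delay = 100 ms
            delay = 100
            # address of the gateway (releases before 5.0.2 used the "remote" keyword!)
            responder = 10.101.248.152
            # IKE proposal and ESP proposal to offer
            proposal = aes128-sha1-modp2048
            esp = aes128-sha1
            # certificate (pubkey) authentication of the initiator followed by XAuth;
            # the responder authenticates with pubkey
            initiator_auth = pubkey|xauth
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey every CHILD_SA every 60s (deliberately aggressive for this test)
            child_rekey = 60
            # identity template; the %d placeholders are filled with the connection and round numbers
            initiator_id = "CN=conn%dround%d"
            initiator_match = *
            responder_id = "C=CH, O=strongSwan, CN=vpntest.x.com"
            # CA certificate and CA private key; the key is loaded by the plugin to issue the
            # per-connection initiator certificates on the fly, so it must be a test-only CA
            issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
            issuer_key = /home/mbangad/caKey.pem
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon once all IKE_SAs are established
            shutdown_when_complete = no
            # IKE version: 1 = IKEv1
            version = 1
            # remote traffic selector: tunnel everything
            initiator_tsr = 0.0.0.0/0
        }
    }
}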
********************
*********************
*Server *
*ipsec.conf:*
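# ipsec.conf - strongSwan IPsec configuration file
#
# Note: parameters must be indented under their section header; a line
# starting in column 0 begins a new section.
config setup

conn %default
    # lifetime of the IKE_SA before it is rekeyed/reauthenticated
    ikelifetime=60m

conn ios
    # IKEv1 with certificate authentication plus XAuth
    keyexchange=ikev1
    fragmentation=yes
    left=10.101.248.152
    leftcert=serverCert.pem
    # offer the whole address space to the client (full-tunnel)
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    # pool from which virtual IPs are assigned
    rightsourceip=10.10.3.0/24
    # client certificate first, then XAuth credentials verified via RADIUS
    rightauth=pubkey
    rightauth2=xauth-radius
    # eap_identity applies to IKEv2 EAP; with keyexchange=ikev1/XAuth it is presumably ignored -- confirm
    eap_identity=%identity
    auto=add
    # MOBIKE is an IKEv2 extension and has no effect on an IKEv1 connection
    mobike=yes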
*strongswan.conf:*
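# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
    # load_modular = yes
    # DNS server handed to clients via configuration payloads
    dns1=8.8.8.8
    # disables the cookie/half-open-SA DoS protection; tolerable for a closed
    # load test, not for an Internet-facing gateway
    dos_protection = no
    threads = 32
    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
            ike_name = yes
        }
    }
    # RADIUS plugin
    plugins {
        eap-radius {
            accounting = yes
            servers {
                # "testing123" is the well-known RADIUS sample secret and is shared by
                # both entries; use a long, random, per-server secret outside the lab
                server-a {
                    address = 127.0.0.1
                    secret = testing123
                }
                # same address as 'left' in ipsec.conf, i.e. this host; if it is the
                # same RADIUS daemon as server-a the entry adds no redundancy -- confirm
                server-b {
                    address = 10.101.248.152
                    secret = testing123
                }
            }
        }
    }
}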
*********************************
thanks,
M