[strongSwan] Issues with rekeying on 5.2.2 client againse 5, 2.1 server

meenakshi bangad mbangad at gmail.com
Tue Feb 17 19:31:14 CET 2015


Hi,

I am doing some load testing using Strong Swan as a VPN client and server
but on different machines. I was able to bring up about 200 VPN connections
 on the client.
All the clients could talk to the internet and things looked fine.

Bit I see that after some time even though I have script that is generating
traffic constantly, all or some of the tunnels just vanish. Can someone
please provide an
insight?
********************
*CLIENT config:*
My ipsec.conf on client side is blank.

*/etc/strongswan.conf:*
charon {
#   load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
nonce curl xauth-generic kernel-netlink socket-default updown stroke

    dh_exponent_ansi_x9_42 = no
    reuse_ikesa = no
    threads = 32

   # install_routes=no

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # 10000 connections, ten in parallel
            initiators = 10
            iterations = 1
            # use a delay of 100ms, overall time is: iterations * delay =
100s
            delay = 100
            # address of the gateway (releases before 5.0.2 used the
"remote" keyword!)
            responder = 10.101.248.152
            # IKE-proposal to use
            proposal = aes128-sha1-modp2048
            esp = aes128-sha1
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey|xauth
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60

            initiator_id = "CN=conn%dround%d"
            initiator_match = *
            responder_id="C=CH, O=strongSwan, CN=vpntest.x.com"
            issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
            issuer_key = /home/mbangad/caKey.pem

            # do not delete the IKE_SA after it has been established
(default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
            version=1
            initiator_tsr = 0.0.0.0/0
        }
    }
}
********************

*********************
*Server *

*ipsec.conf:*
# ipsec.conf - strongSwan IPsec configuration file

config setup

# ipsec.conf - strongSwan IPsec configuration file
conn %default
  ikelifetime=60m


conn ios
    keyexchange=ikev1
    fragmentation=yes
    left=10.101.248.152
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=pubkey
    rightauth2=xauth-radius
    eap_identity=%identity
    auto=add
    mobike=yes

*strongswan.conf:*

 strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
   #  load_modular = yes
    dns1=8.8.8.8
    dos_protection = no

    threads = 32

    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files
in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to
1).
            default = 1
            # flush each line to disk
            flush_line = yes
ike_name = yes
        }
    }

    #Radius Plugin
    plugins {
       eap-radius {
           accounting = yes
           servers {
               server-a {
                   address = 127.0.0.1
                   secret = testing123
               }
               server-b {
                   address = 10.101.248.152
                   secret = testing123
               }
           }
       }
   }
}

*********************************

thanks,

M
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150217/47d7c0d2/attachment-0001.html>


More information about the Users mailing list