[strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?

Chinmaya Dwibedy ckdwibedy at yahoo.com
Wed May 20 06:37:04 CEST 2015


Hi,

We use the load-tester plugin (strongswan 5.2.2) to create thousands of IPsec connections/tunnels. Here is the network setup diagram.

    50.0.0.1/8 -----| 10.20.20.1 | === | 10.20.20.2 | ------ 40.0.0.1/8
        X                GW-A               GW-B                 Y

In our scenario, two security gateways, GW-A (IKE initiator) and GW-B (IKE responder), connect subnets X and Host Y with each other through a VPN tunnel set up between these two gateways. Each IKE initiator requests a virtual IP and is assigned a unique IP address by the IKE responder (with CFG_REPLY during the IKE_AUTH exchange), and the CHILD SA gets created using the same.

I have configured initiator_tsr to 40.0.0.1/8 (in the load-tester section at SEFP-121) and the leftsubnet parameter (in ipsec.conf at GW-B). Because of this, at GW-A all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8) on the responder side, as proposed by the initiator.

Is there any way to specify/configure a different initiator_tsr for each initiator?

Here goes my configuration.

GW-A (IKE Initiator)

strongswan.conf

    charon {
            threads = 32
            replay_window = 32
            dos_protection = no
            block_threshold=1000
            cookie_threshold=1000
            init_limit_half_open=25000
            init_limit_job_load=25000
            retransmit_timeout=30
            retransmit_tries=30
            install_virtual_ip=no
            install_routes=no
            close_ike_on_child_failure=yes
            ikesa_table_size = 73728
            ikesa_table_segments = 16384
            reuse_ikesa = no
            plugins {
                    load-tester {
                            enable = yes
                            initiators = 5
                            iterations = 50000
                            delay = 5
                            responder = 10.20.20.2
                            proposal = aes128-sha1-modp1024
                            initiator_auth = psk
                            responder_auth = psk
                            request_virtual_ip = yes
                            initiator_tsr=40.0.0.8/32
                            ike_rekey = 0
                            child_rekey = 0
                            delete_after_established = no
                            shutdown_when_complete = no
                    }
            }
            filelog {
                    /var/log/charon.log {
                            time_format = %b %e %T
                            append = no
                            default = -1
                            flush_line = yes
                    }
                    stderr {
                            ike_name = yes
                    }
            }
    }
    libstrongswan {
            dh_exponent_ansi_x9_42 = no
            processor {
                    priority_threads {
                            high = 8
                            medium = 8
                            critical=8
                    }
            }
    }

GW-B (IKE Responder)

ipsec.conf

    conn %default
            ikelifetime=24h
            keylife=23h
            rekeymargin=5m
            keyingtries=1
            keyexchange=ikev2
            ike=aes128-sha1-modp1024!
            mobike=no

    conn gw-gw
            left=10.20.20.2
            leftsubnet=40.0.0.1/8
            #leftsubnet=0.0.0.0/0
            rightid=%any
            leftauth=psk
            rightsourceip=50.0.0.1/8
            leftid=@srv.strongswan.org
            rightauth=psk
            type=tunnel
            authby=secret
            rekey=no
            reauth=no
            auto=add

strongswan.conf

    charon {
            # number of worker threads in charon
            threads = 32
            replay_window = 32
            dos_protection = no
            block_threshold=1000
            cookie_threshold=1000
            init_limit_half_open=25000
            init_limit_job_load=25000
            half_open_timeout=1000
            close_ike_on_child_failure=yes
            ikesa_table_size = 73728
            ikesa_table_segments = 16384
            reuse_ikesa = no
            plugins {
            }
            filelog {
                    /var/log/charon.log {
                            time_format = %b %e %T
                            append = no
                            default = -1
                            # flush each line to disk
                            flush_line = yes
                    }
                    stderr {
                            ike_name = yes
                    }
            }
            # ...
    }
    libstrongswan {
            dh_exponent_ansi_x9_42 = no
            processor {
                    priority_threads {
                            high = 8
                            medium = 8
                            critical=8
                    }
            }
    }

Regards,
Chinmaya