[strongSwan] Is there any way to specify/configure different initiator_tsr for each initiator?
Chinmaya Dwibedy
ckdwibedy at yahoo.com
Wed May 20 06:37:04 CEST 2015
Hi,

We use the load-tester plugin (strongSwan 5.2.2) to create thousands of IPsec connections/tunnels. Here is the network setup diagram:

    50.0.0.1/8 -----| 10.20.20.1 | === | 10.20.20.2 | ------ 40.0.0.1/8
         X               GW-A               GW-B               Y

In our scenario two security gateways, GW-A (IKE initiator) and GW-B (IKE responder), connect subnet X and host Y with each other through a VPN tunnel set up between these two gateways. Each IKE initiator requests a virtual IP and is assigned a unique IP address by the IKE responder (with CFG_REPLY during the IKE_AUTH exchange), and the CHILD SA gets created using the same.

I have configured initiator_tsr to 40.0.0.1/8 (in the load-tester section at SEFP-121) and the leftsubnet parameter (in ipsec.conf at GW-B), because at GW-A all CHILD SAs will have the same traffic selector (i.e., 40.0.0.1/8) on the responder side, as proposed by the initiator.

Is there any way to specify/configure a different initiator_tsr for each initiator?

Here goes my configuration.

GW-A (IKE Initiator)

strongswan.conf

    charon {
        threads = 32
        replay_window = 32
        dos_protection = no
        block_threshold = 1000
        cookie_threshold = 1000
        init_limit_half_open = 25000
        init_limit_job_load = 25000
        retransmit_timeout = 30
        retransmit_tries = 30
        install_virtual_ip = no
        install_routes = no
        close_ike_on_child_failure = yes
        ikesa_table_size = 73728
        ikesa_table_segments = 16384
        reuse_ikesa = no
        plugins {
            load-tester {
                enable = yes
                initiators = 5
                iterations = 50000
                delay = 5
                responder = 10.20.20.2
                proposal = aes128-sha1-modp1024
                initiator_auth = psk
                responder_auth = psk
                request_virtual_ip = yes
                initiator_tsr = 40.0.0.8/32
                ike_rekey = 0
                child_rekey = 0
                delete_after_established = no
                shutdown_when_complete = no
            }
        }
        filelog {
            /var/log/charon.log {
                time_format = %b %e %T
                append = no
                default = -1
                flush_line = yes
            }
            stderr {
                ike_name = yes
            }
        }
    }

    libstrongswan {
        dh_exponent_ansi_x9_42 = no
        processor {
            priority_threads {
                high = 8
                medium = 8
                critical = 8
            }
        }
    }

GW-B (IKE Responder)

ipsec.conf

    conn %default
        ikelifetime=24h
        keylife=23h
        rekeymargin=5m
        keyingtries=1
        keyexchange=ikev2
        ike=aes128-sha1-modp1024!
        mobike=no

    conn gw-gw
        left=10.20.20.2
        leftsubnet=40.0.0.1/8
        #leftsubnet=0.0.0.0/0
        rightid=%any
        leftauth=psk
        rightsourceip=50.0.0.1/8
        leftid=@srv.strongswan.org
        rightauth=psk
        type=tunnel
        authby=secret
        rekey=no
        reauth=no
        auto=add

strongswan.conf

    charon {
        # number of worker threads in charon
        threads = 32
        replay_window = 32
        dos_protection = no
        block_threshold = 1000
        cookie_threshold = 1000
        init_limit_half_open = 25000
        init_limit_job_load = 25000
        half_open_timeout = 1000
        close_ike_on_child_failure = yes
        ikesa_table_size = 73728
        ikesa_table_segments = 16384
        reuse_ikesa = no
        plugins {
        }
        filelog {
            /var/log/charon.log {
                time_format = %b %e %T
                append = no
                default = -1
                # flush each line to disk
                flush_line = yes
            }
            stderr {
                ike_name = yes
            }
        }
        # ...
    }

    libstrongswan {
        dh_exponent_ansi_x9_42 = no
        processor {
            priority_threads {
                high = 8
                medium = 8
                critical = 8
            }
        }
    }

Regards,
Chinmaya