[strongSwan] Interested in ipsec with source routing and/or vrf

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat May 25 01:29:00 CEST 2019 

Hello Ben,

Why do you insist on using interfaces? You don't need any.

Kind regards

Noel

Am 25.05.19 um 01:02 schrieb Ben Greear:
> On 5/24/19 3:56 PM, Noel Kuntze wrote:
>> Hello Ben,
>>
>>> The purpose is to load test a VPN server
>>> with a small number of physical client machines.
>>
>> If the VPN server supports several CHILD_SAs and arbitrary subnets on the
>> remote side, you can just run several CHILD_SAs and negotiate, for example,
>> a CHILD_SA per client machine IP. So you'd have tunnels like ...
>> 0.0.0.0/0 == 192.168.35.10
>> 0.0.0.0/0 == 192.168.35.11
>> 0.0.0.0/0 == 192.168.35.12
>>
>>
>> That will enable the usage of RSS and RPS on both ends of the tunnels, so the IPsec SAs
>> can be load balanced over several CPU cores. Keep in mind though that your wire speed
>> is likely not high enough to saturate a modern computer or anything even remotely properly configured.
>> You can only get them to their knees by the sheer number of simultaneously actively used IPsec SAs
>> by virtue of making the policy lookup more expensive and making sure that the informations for the
>> used IPsec SAs don't fit into the CPU caches.
>>
>> Kind regards
>>
>> Noel Kuntze
> 
> Hello,
> 
> I am not so concerned with performance at this point, just functionality.
> 
> So, in the 'real' world, if I have two laptops in the same office connect through VPN,
> there will be some tunnel set up between each of them.  From the perspective of the
> VPN server, I want to duplicate that but by having two interfaces on one machine take
> the place of the two laptops.
> 
> Thanks,
> Ben
> 
>>
>> Am 24.05.19 um 21:46 schrieb Ben Greear:
>>> Hello,
>>>
>>> I'd like to be able to set up multiple (virtual) network interfaces on a single
>>> Linux machine and have them connect to a VPN server.  The VPN server should see
>>> each connection as a unique instance.  The purpose is to load test a VPN server
>>> with a small number of physical client machines.
>>>
>>> I know how to set up source-based routing tables and VRFs, and other general
>>> networking things...
>>>
>>> But, I do not know much at all about ipsec and VPNs, so I'd be happy to pay
>>> for someone to help me out with this part of things.
>>>
>>> Thanks,
>>> Ben
>>>
>>
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190525/41cc9653/attachment-0001.sig>

More information about the Users mailing list