I just read about strongswan load testing against self, but I am having problems with that ... I read it from here..
I downloaded strongswan and configured it with the --enable-load-tester option and then make, make install...
Later I ran ipsec start and then ipsec statusall.. it's showing no tunnel is created... but I have the strongswan.conf file as they have told at the above link but still it's showing nothing.. also I noticed that in the /etc/ipsec.d/ directory there are so many cert files which are empty !!!
What else do I need to do ?? Am I missing something ? Please help me to get through this load testing against self ..
strongswan load-tester plugin for multiple IKEv2 tunnels/SAs
1. you will need to first access the following link
- copy the RSA private-key into 2 files and name them "initiator_key.pem" and "responder_key.pem"
- copy the self-signed cert into 3 files and name them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"
On the Initiator GW/PC/Machine
- Please note that the load-tester plugin can only act in and as a road-warrior-client simulator mode. So you should be enabling the load-tester plugin on only the initiator linux-machine running the strongswan package
- The ipsec.conf file on this initiator is NEVER used or NOT required; just comment out all config statements
- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder
- in the ipsec.secrets file, include the statement
: RSA initiator_key.pem
- The strongswan.conf file should be as below:
    charon {
        reuse_ikesa = no
        threads = 32
        plugins {
            load-tester {
                # enable the plugin
                enable = yes
                # example: 10 connections, 5 in parallel
                initiators = 5
                iterations = 2
                # use a delay of 100ms, overall time is: iterations * delay = 200ms
                delay = 100
                # address of the gateway
                remote = 172.17.10.10
                # IKE-proposal to use
                proposal = aes128-sha1-modp1024
                # use public-key (RSA certificate) authentication on both sides instead of the faster PSK
                initiator_auth = pubkey
                responder_auth = pubkey
                # request a virtual IP using configuration payloads
                request_virtual_ip = yes
                # disable IKE_SA rekeying (default)
                ike_rekey = 0
                # rekey the CHILD_SA every 60s
                child_rekey = 60
                # do not delete the IKE_SA after it has been established (default)
                delete_after_established = no
                # do not shut down the daemon if all IKE_SAs established
                shutdown_when_complete = no
            }
        }
    }
On the Responder GW/PC/Machine
- do not enable load-tester plugin here. just configure this machine as a Road-Warrior-VPN-Server
- the ipsec.conf file should be as below:
# /etc/ipsec.conf - strongSwan IPsec configuration file
leftid="CN=srv, OU=load-test, O=strongSwan"
- copy the cacert.pem, responder_cert.pem and responder_key.pem to the respective locations under ipsec.d folder
- The ipsec.secrets file should have an entry as below:
: RSA responder_key.pem
2. That's it, now you start strongswan ipsec on both initiator and responder (first on this) using "ipsec start" or "ipsec start --nofork"
- you will see that as configured in the strongswan.conf, there will be 10 IKEv2 tunnels established, but of course no ipsec SAs are established, as per design of the plugin
- also, it did not work for me with PSK (using fqdn) as mentioned in the link below:
hope this helps
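Added example, not part of the thread and not strongSwan code: a POSIX shell check of the ipsec.d layout described in the reply above (cacerts/, certs/, private/ and the file names it gives), run before "ipsec start". The function names, the temporary demo directory and the generated 2048-bit key are assumptions made for illustration; only the openssl command line is required.

```shell
#!/bin/sh
# Added example (not from the thread): check the ipsec.d layout from the post.

# Constructed throwaway credentials laid out as the post describes: one RSA key
# in both *_key.pem files, one self-signed cert in cacert.pem and both *_cert.pem.
make_demo_creds() {  # $1 = directory standing in for .../ipsec.d
    mkdir -p "$1/cacerts" "$1/certs" "$1/private" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=strongSwan/OU=load-test/CN=srv" \
        -keyout "$1/private/initiator_key.pem" \
        -out "$1/cacerts/cacert.pem" 2>/dev/null || return 1
    cp "$1/private/initiator_key.pem" "$1/private/responder_key.pem"
    cp "$1/cacerts/cacert.pem" "$1/certs/initiator_cert.pem"
    cp "$1/cacerts/cacert.pem" "$1/certs/responder_cert.pem"
    chmod 600 "$1"/private/*.pem
}

check_ipsec_d() {  # $1 = ipsec.d directory, $2 = initiator | responder
    ca="$1/cacerts/cacert.pem"
    cert="$1/certs/${2}_cert.pem"
    key="$1/private/${2}_key.pem"
    rc=0
    for f in "$ca" "$cert" "$key"; do
        # empty files under ipsec.d are what the original poster ran into
        [ -s "$f" ] || { echo "FAIL missing or empty: $f"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return 1
    # the certificate must carry the public half of the key named in ipsec.secrets
    pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || pub=""
    [ -n "$pub" ] && [ "$pub" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL $cert does not match $key"; rc=1; }
    # the certificate must verify against the CA file in cacerts/
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL $cert does not verify against $ca"; rc=1; }
    # the private key must not be accessible to group or others
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "FAIL $key is accessible to group/others"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK $2 credentials under $1"
    return "$rc"
}

# Demo on constructed data only; nothing under /etc is touched.
demo=$(mktemp -d) && make_demo_creds "$demo" && check_ipsec_d "$demo" initiator
rm -rf "$demo"
```

On a real gateway, call check_ipsec_d with the actual ipsec.d path and the role of that machine.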
Thank you very much for the valuable info, Rajiv. :)
For me the requirement is quite different: I am not supposed to change anything on the responder side (i.e. the server). On the initiator side I need to use the certificates which are issued by the server. But the problem is that in the load tester plugin the certificate is hard coded, so I am not able to use the certificate provided by my server. In the link you specified the credentials are hard coded.... First I thought the hex values which are hard coded are in correspondence with the RSA keys and certificates, but NO.. they are not the hex values, because I checked it with the hex editor. So if I am able to get what those hex values are and how they have been hard coded, then I may be able to use my certificate by altering the source.. !! Can you please help me with this ?? Also, it is not reading the configuration in /etc/ipsec.conf.. On the server side I am getting an error message CERTIFICATE NOT IN TIME INTERVAL, Path was not verified.. !!
As for the first part of your message, my reply is that for you to get more details on the load-tester plugin (customizing it as per your requirements, updating it, etc.) you will need to post your queries and interact with the people who are running the strongswan user-list/forum (namely, I guess, Andreas, Martin Willi, Tobias, etc.)
As for the second part of your message, "cert not in time interval", I guess it is so because the certs (initiator_cert.pem, resp_cert.pem, cacert.pem, which I had asked you to copy and create) have a validity time period. This you may check by using the following command on your gw or any linux system running openssl:
# openssl x509 -in <initiator_cert.pem> -noout -text
Check the valid time of the cert in the display of the cert and accordingly set the time on your systems within the time period the certs are valid for.
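Added example, not part of the thread: the validity check from the reply above, scripted so that a certificate can be tested against any clock value, including the clock of the other gateway. The function names are hypothetical, the demo certificate is constructed on the spot, and GNU date plus the openssl command line are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): is a certificate inside its validity
# window at a given clock value? Assumes GNU date for parsing openssl's dates.

cert_epoch() {  # $1 = certificate, $2 = startdate | enddate; prints epoch seconds
    when=$(openssl x509 -in "$1" -noout "-$2" 2>/dev/null | cut -d= -f2)
    [ -n "$when" ] && date -u -d "$when" +%s
}

cert_time_status() {  # $1 = certificate, $2 = clock as epoch seconds (default: local)
    now=${2:-$(date -u +%s)}
    nb=$(cert_epoch "$1" startdate) && na=$(cert_epoch "$1" enddate) ||
        { echo "unreadable"; return 2; }
    # notBefore in the future: the checking machine's clock is behind the cert
    if [ "$now" -lt "$nb" ]; then echo "not-yet-valid"; return 1; fi
    # notAfter in the past: the cert has expired or the clock is ahead
    if [ "$now" -gt "$na" ]; then echo "expired"; return 1; fi
    echo "valid"
}

# Demo on a constructed one-day certificate, evaluated at three clock values:
# two days behind, the local clock, and two days ahead.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-demo" \
    -keyout "$demo/key.pem" -out "$demo/cert.pem" 2>/dev/null
now=$(date -u +%s)
for skew in -172800 0 172800; do
    echo "clock skew ${skew}s: $(cert_time_status "$demo/cert.pem" $((now + skew)))"
done
rm -rf "$demo"
```

Passing the output of `date -u +%s` taken on the responder as the second argument tests the initiator's certificate against the responder's clock.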
Thanks for the input, Rajiv... :)
I had already checked the validity of the certificate using the "ipsec listcacerts" command. It's showing OK.. but the only problem is it's using its own hardcoded certificate.. I have to tell strongswan, i.e. I have to make strongswan use the certificate provided by me.. I am checking on that option now, but no luck till now.