LinuxQuestions.org
Old 07-27-2011, 06:38 AM   #1
culin
Member
 
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Rep: Reputation: 32
strongswan ipsec


Hi friends,

I just read about strongSwan load testing against self, but I am having problems with that. I read it from here:

http://wiki.strongswan.org/projects/...wiki/LoadTests

I downloaded strongSwan and configured it with the --enable-load-tester option, then ran make and make install.
Later I ran ipsec start and then ipsec statusall; it shows that no tunnel is created. I have the strongswan.conf file as they describe at the above link, but still it shows nothing. I also noticed that in the /etc/ipsec.d/ directory there are so many cert files which are empty!!!
What else do I need to do? Am I missing something? Please help me to get through this load testing against self.
Thanks....

Last edited by culin; 07-28-2011 at 07:49 AM.
 
Old 08-05-2011, 06:02 AM   #2
rajivk
LQ Newbie
 
Registered: Aug 2011
Posts: 7

Rep: Reputation: Disabled
strongswan load-tester plugin for multiple IKEv2 tunnels/SAs

Hi

1. You will need to first access the following link

http://wiki.strongswan.org/projects/...tester_creds.c

and then

- copy the RSA private key into 2 files and name them "initiator_key.pem" and "responder_key.pem"

- copy the self-signed cert into 3 files and name them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

On the Initiator GW/PC/Machine
--------------------------------
- Please note that the load-tester plugin can only act in and as a road-warrior-client simulator mode. So you should enable the load-tester plugin only on the initiator Linux machine running the strongSwan package

- The ipsec.conf file on this initiator is NEVER used / NOT required; just comment out all config statements

- copy cacert.pem, initiator_cert.pem and initiator_key.pem to the respective locations "cacerts", "certs" and "private" under the .../ipsec.d/ folder

- in the ipsec.secrets file, include the statement
: RSA initiator_key.pem

- The strongswan.conf file should be as below:

------------------------------------------
charon {
    # do not reuse an existing IKE_SA for new connections; every initiation builds a fresh one
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections in total, 5 in parallel
            initiators = 5
            iterations = 2
            # 100ms delay between initiations; overall run time is roughly iterations * delay
            delay = 100
            # address of the gateway (the responder)
            remote = 172.17.10.10
            # IKE proposal to use
            proposal = aes128-sha1-modp1024
            # authentication method: pubkey uses the RSA certificates installed above
            # (psk would be faster than 1024-bit RSA, but see the note on PSK below)
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon once all IKE_SAs are established
            shutdown_when_complete = no
        }
    }
}
-----------------------------------------------------------

On the Responder GW/PC/Machine
******************************
- do not enable the load-tester plugin here; just configure this machine as a road-warrior VPN server

- the ipsec.conf file should be as below:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    crlcheckinterval=180
    plutostart=no
    charonstart=yes

conn %default
    ikelifetime=60m
    keylife=30m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn rw-server
    left=172.17.10.10
    leftsubnet=192.168.20.0/24
    right=%any
    rightsourceip=10.3.0.0/16
    leftid="CN=srv, OU=load-test, O=strongSwan"
    # must match the filename copied into ipsec.d/certs (responder_cert.pem in the step below)
    leftcert=responder_cert.pem
    authby=pubkey
    keyexchange=ikev2
    type=tunnel
    auto=add

- copy cacert.pem, responder_cert.pem and responder_key.pem to the respective locations under the ipsec.d folder

- The ipsec.secrets file should have an entry as below:

: RSA responder_key.pem


2. That's it. Now start strongSwan IPsec on both initiator and responder (first on this one) using "ipsec start" or "ipsec start --nofork"

- you will see that, as configured in strongswan.conf, 10 IKEv2 tunnels are established, but of course no IPsec SAs are established, as per the design of the plugin

- also, it did not work for me with PSK (using an FQDN) as mentioned in the link below:
http://wiki.strongswan.org/projects/...wiki/LoadTests


Hope this helps

Rajiv




Quote:
Originally Posted by culin (post #1 above, quoted in full)
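The file layout rajivk's steps describe (one key written to two names under private/, one certificate written to three names under cacerts/ and certs/, plus the ipsec.secrets line) as an added example, not code from the strongSwan project or from the post: a Python script that splits a pasted copy of the credentials into those files, makes the private-key copies owner-readable only, and reports what it wrote. The sample PEM text inside it is constructed filler, not real key material, and the ipsec.d path is a temporary directory created for the demonstration rather than /etc/ipsec.d.

```python
"""Lay out the load-tester credentials as the recipe above describes.

Added example, not strongSwan project code. Assumes the RSA key and the
self-signed certificate have been pasted into one text file (as they appear
in load_tester_creds.c); the key goes to ipsec.d/private and the certificate
to ipsec.d/cacerts and ipsec.d/certs under the names used in the recipe.
"""
import os
import re
import stat
import tempfile

# One PEM block of any label, e.g. "RSA PRIVATE KEY" or "CERTIFICATE".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Filenames from the recipe: key copied twice, cert copied three times.
# (subdirectory, filenames, which block, file mode)
LAYOUT = (
    ("private", ("initiator_key.pem", "responder_key.pem"), "key", 0o600),
    ("cacerts", ("cacert.pem",), "cert", 0o644),
    ("certs", ("initiator_cert.pem", "responder_cert.pem"), "cert", 0o644),
)

# Constructed stand-in for the pasted credentials; the base64 is NOT real key material.
SAMPLE_DUMP = """\
/* shaped like the pasted contents of load_tester_creds.c (constructed filler) */
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKnotarealkeyjustfillerforthisexample0000000000000000
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBxzCCAXGgAwIBAgIBAnotarealcertjustfillerforthisexample00000000
-----END CERTIFICATE-----
"""


def extract_pem_blocks(text):
    """Return {'key': <pem>, 'cert': <pem>} from the first matching blocks in text."""
    found = {}
    for m in PEM_BLOCK.finditer(text):
        kind = "key" if m.group("label").endswith("PRIVATE KEY") else "cert"
        found.setdefault(kind, m.group(0) + "\n")
    missing = {"key", "cert"} - set(found)
    if missing:
        raise ValueError("no PEM block found for: %s" % ", ".join(sorted(missing)))
    return found


def install_load_tester_creds(text, ipsec_d):
    """Write the files into ipsec_d/{private,cacerts,certs}; returns the relative paths written."""
    blocks = extract_pem_blocks(text)
    written = []
    for subdir, names, kind, mode in LAYOUT:
        directory = os.path.join(ipsec_d, subdir)
        os.makedirs(directory, exist_ok=True)
        if subdir == "private":
            os.chmod(directory, 0o700)  # only the owner (root) may list or read private keys
        for name in names:
            path = os.path.join(directory, name)
            with open(path, "w") as fh:
                fh.write(blocks[kind])
            os.chmod(path, mode)
            written.append("%s/%s" % (subdir, name))
    return written


def private_key_world_readable(path):
    """True if group or others can read the key file: a misconfiguration worth flagging."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def secrets_entry(role):
    """The ipsec.secrets line for one side ('initiator' or 'responder')."""
    return ": RSA %s_key.pem" % role


def run_demo():
    """Install the constructed sample into a temp dir and report what happened."""
    ipsec_d = tempfile.mkdtemp(prefix="ipsec.d-")
    written = install_load_tester_creds(SAMPLE_DUMP, ipsec_d)
    key_path = os.path.join(ipsec_d, "private", "initiator_key.pem")
    with open(os.path.join(ipsec_d, "cacerts", "cacert.pem")) as ca:
        with open(os.path.join(ipsec_d, "certs", "responder_cert.pem")) as cert:
            same = ca.read() == cert.read()  # same self-signed cert serves as CA and end-entity cert
    return {"written": written, "key_exposed": private_key_world_readable(key_path), "ca_matches_cert": same}


if __name__ == "__main__":
    print(run_demo())
    print(secrets_entry("initiator"))
```

Point `install_load_tester_creds` at the real ipsec.d directory on the initiator (and again, with the responder names, on the responder) once the extracted blocks have been checked; the 0600/0700 modes matter because charon reads the private key as root and nothing else on the box needs it.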
Old 08-16-2011, 06:11 AM   #3
culin
Member
 
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Original Poster
Rep: Reputation: 32
Thank you very much for the valuable info, Rajiv.

For me the requirement is quite different: I am not supposed to change anything on the responder side (i.e. the server). On the initiator side I need to use the certificates which are issued by the server. But the problem is that in the load-tester plugin the certificate is hard coded, so I am not able to use the certificate provided by my server. In the link you specified, the credentials are hard coded.... First I thought the hex values which are hard coded correspond to the RSA keys and certificates, but NO, they are not the hex values, because I checked it with a hex editor. So if I am able to find out what those hex values are and how they have hard coded them, then I may be able to use my certificate by altering the source!! Can you please help me with this? Also it is not reading the configuration in /etc/ipsec.conf. On the server side I am getting an error message "CERTIFICATE NOT IN TIME INTERVAL, Path was not verified"!!
 
Old 08-16-2011, 09:55 AM   #4
rajivk
LQ Newbie
 
Registered: Aug 2011
Posts: 7

Rep: Reputation: Disabled
Hi

As for the first part of your message, my reply is that to get more details on the load-tester plugin (customizing it as per your requirements, updating it, etc.) you will need to post your queries and interact with the people who run the strongSwan user list/forum (namely, I guess, Andreas, Martin Willi, Tobias, etc.)

As for the second part of your message, "cert not in time interval", I guess it is so because the certs (initiator_cert.pem, resp_cert.pem, cacert.pem, which I had asked you to copy and create) have a validity time period. You may check this by using the following command on your GW or any Linux system running openssl:

# openssl x509 -in <initiator_cert.pem> -noout -text

Check the valid time of the cert in the displayed output and accordingly set the time on your systems within the time period the certs are valid for.

-rajiv
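The "certificate not in time interval" check rajiv describes, as an added example that is not part of the thread: a pure-Python walk over the DER structure that pulls notBefore/notAfter out of Certificate.tbsCertificate.validity and compares them with a supplied clock time, which is what the openssl command above lets you do by eye. It is not a full X.509 parser (no signature or chain checks), and the certificate it runs on is constructed inline with only the outer ASN.1 shape of a certificate; it is not a real or signed cert, so only the validity logic is being exercised.

```python
"""Decide whether a certificate's validity window contains a given clock time.

Added example, not strongSwan code. Minimal DER walk: enough to reach the
Validity SEQUENCE of an X.509 certificate, nothing more.
"""
import base64
import datetime
import re

UTC = datetime.timezone.utc


def utc_clock(year, month, day, hour=0, minute=0, second=0):
    """A timezone-aware UTC datetime (certificate times are always UTC)."""
    return datetime.datetime(year, month, day, hour, minute, second, tzinfo=UTC)


def _tlv(buf, pos):
    """Decode one DER TLV starting at pos: returns (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the contents of a SEQUENCE into a list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _tlv(seq_value, pos)
        out.append((tag, value))
    return out


def _parse_time(tag, value):
    s = value.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        return utc_clock(year, int(s[2:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:12]))
    if tag == 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        return utc_clock(int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]), int(s[10:12]), int(s[12:14]))
    raise ValueError("unexpected time tag 0x%02x" % tag)


def validity_window(der):
    """Return (notBefore, notAfter) from Certificate.tbsCertificate.validity."""
    _, cert_value, _ = _tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs_value = _children(cert_value)[0]   # first child is tbsCertificate
    fields = _children(tbs_value)
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    not_before, not_after = _children(fields[3][1])  # serialNumber, signature, issuer, validity
    return _parse_time(*not_before), _parse_time(*not_after)


def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.DOTALL).group(1)
    return base64.b64decode("".join(body.split()))


def check_time_interval(pem, now):
    """'ok', 'not yet valid' or 'expired' for the tz-aware clock time `now`."""
    not_before, not_after = validity_window(pem_to_der(pem))
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "ok"


# --- constructed test certificate: NOT real or signed, only the outer X.509 shape is right ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def make_constructed_cert_pem(not_before, not_after):
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010105")) + _der(0x05, b""))  # sha1WithRSAEncryption
    empty_name = _der(0x30, b"")  # empty issuer/subject, enough for this parser
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + empty_name
               + _der(0x30, utc(not_before) + utc(not_after)) + empty_name + _der(0x30, b""))
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00"))  # placeholder signature BIT STRING
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


SAMPLE_CERT = make_constructed_cert_pem(utc_clock(2011, 7, 1), utc_clock(2012, 7, 1))

if __name__ == "__main__":
    print(validity_window(pem_to_der(SAMPLE_CERT)))
    print(check_time_interval(SAMPLE_CERT, datetime.datetime.now(UTC)))
```

Run `check_time_interval` on the initiator's copy of the certificate with the responder's clock value to reproduce the decision the gateway makes; the usual causes are a responder clock set outside the window or a sample certificate that has simply expired.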
 
Old 08-16-2011, 11:31 PM   #5
culin
Member
 
Registered: Sep 2006
Distribution: Fedora Core 10
Posts: 254

Original Poster
Rep: Reputation: 32
Thanks for the input, rajiv...

I had already checked the validity of the certificate using the "ipsec listcacerts" command. It shows OK. The only problem is that it is using its own hardcoded certificate. I have to tell strongSwan, i.e. I have to make strongSwan use the certificate provided by me. I am checking on that option now, but no luck so far.
 
All times are GMT -5.