Hi
1. You will need to first access the following link:
http://wiki.strongswan.org/projects/...tester_creds.c
and then
- copy the RSA private-key into 2 files and name them "initiator_key.pem" and "responder_key.pem"
- copy the self-signed cert into 3 files and name them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"
On the Initiator GW/PC/Machine
--------------------------------
- Please note that the load-tester plugin can only act in road-warrior-client simulator mode. So you should enable the load-tester plugin only on the initiator Linux machine running the strongSwan package.
- The ipsec.conf file on this initiator is NEVER used and is NOT required; just comment out all config statements.
- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder
- in the ipsec.secrets file, include the statement
: RSA initiator_key.pem
- The strongswan.conf file should be as below:
------------------------------------------
charon {
    reuse_ikesa = no
    threads = 32
    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # use a delay of 100ms, overall time is: iterations * delay = 200ms
            delay = 100
            # address of the gateway
            remote = 172.17.10.10
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use public-key (RSA) authentication on both sides
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
        }
    }
}
-----------------------------------------------------------
On the Responder GW/PC/Machine
******************************
- Do not enable the load-tester plugin here. Just configure this machine as a Road-Warrior-VPN-Server.
- The ipsec.conf file should be as below:
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    crlcheckinterval=180
    plutostart=no
    charonstart=yes

conn %default
    ikelifetime=60m
    keylife=30m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    mobike=no

conn rw-server
    left=172.17.10.10
    leftsubnet=192.168.20.0/24
    right=%any
    rightsourceip=10.3.0.0/16
    leftid="CN=srv, OU=load-test, O=strongSwan"
    # must match the certificate file name copied into ipsec.d/certs
    leftcert=responder_cert.pem
    authby=pubkey
    keyexchange=ikev2
    type=tunnel
    auto=add
#
- copy the cacert.pem, responder_cert.pem and responder_key.pem to the respective locations under ipsec.d folder
- The ipsec.secrets file should have an entry as below:
: RSA responder_key.pem
2. That's it, now you start strongSwan IPsec on both initiator and responder (first on this) using "ipsec start" or "ipsec start --nofork"
- You will see that, as configured in the strongswan.conf, there will be 10 IKEv2 tunnels established, but of course no IPsec SAs are established, as per the design of the plugin
- Also, it did not work for me with PSK (using fqdn) as mentioned in the link below:
http://wiki.strongswan.org/projects/...wiki/LoadTests
Hope this helps
Rajiv
Quote:
Originally Posted by culin
Hi friends,
I just read about strongSwan load testing against self, but I am having problems with that ... I read it from here..
http://wiki.strongswan.org/projects/...wiki/LoadTests
I downloaded strongSwan and configured it with the --enable-load-tester option and then make, make install...
Later I ran ipsec start and then ipsec statusall.. it's showing no tunnel is created... but I have the strongswan.conf file as they have told at the above link, but still it's showing nothing.. also I noticed that in the /etc/ipsec.d/ directory so many cert files are there which are empty !!!
What else do I need to do ?? Am I missing something ? Please help me to get through this load testing against self ..
Thanks....
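A check for the file-placement steps in the reply above, as an added example that is not part of the original posts: it reads ipsec.conf and ipsec.secrets and reports every referenced certificate or key that is missing, empty, or (for keys) readable by group or others. The function names, the ETC_DIR argument and the sample tree are assumptions made for this example; cacert.pem is the CA file name used in the reply.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumed layout under ETC_DIR:
# ipsec.conf, ipsec.secrets, ipsec.d/{cacerts,certs,private}.

# check_ipsec_creds ETC_DIR
# Prints one line per problem; returns 0 when every referenced file is usable.
check_ipsec_creds() {
    etc=$1
    problems=0
    # leftcert=/rightcert= values are looked up in ipsec.d/certs
    certs=$(sed -n 's/^[[:space:]]*[lr][a-z]*cert=\([^[:space:]#]*\).*/\1/p' \
        "$etc/ipsec.conf" 2>/dev/null)
    # ": RSA <file>" entries are looked up in ipsec.d/private
    keys=$(sed -n 's/^[^#]*:[[:space:]]*RSA[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$etc/ipsec.secrets" 2>/dev/null)
    for c in $certs; do
        [ -s "$etc/ipsec.d/certs/$c" ] ||
            { echo "cert missing or empty: $c"; problems=$((problems + 1)); }
    done
    for k in $keys; do
        f="$etc/ipsec.d/private/$k"
        if [ ! -s "$f" ]; then
            echo "key missing or empty: $k"; problems=$((problems + 1))
        elif [ -n "$(find "$f" \( -perm -040 -o -perm -004 \))" ]; then
            echo "key readable by group/others: $k"; problems=$((problems + 1))
        fi
    done
    [ -s "$etc/ipsec.d/cacerts/cacert.pem" ] ||
        { echo "CA cert missing or empty: cacert.pem"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Constructed sample: a responder tree whose leftcert name does not match the
# copied file and whose key is world-readable. File contents are placeholders.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/ipsec.d/cacerts" "$d/ipsec.d/certs" "$d/ipsec.d/private"
    printf 'conn rw-server\n    leftcert=respcert.pem\n' > "$d/ipsec.conf"
    printf ': RSA responder_key.pem\n' > "$d/ipsec.secrets"
    for f in cacerts/cacert.pem certs/responder_cert.pem private/responder_key.pem; do
        echo placeholder > "$d/ipsec.d/$f"
    done
    chmod 644 "$d/ipsec.d/private/responder_key.pem"
    echo "$d"
}
```

Source the file and run `check_ipsec_creds /etc` on each machine before `ipsec start`; an initiator whose ipsec.conf is fully commented out is still checked for its key and CA certificate.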