October 9, 2015

strongswan load test on ubuntu 14.04

Getting strongswan load test to run on 14.04.

Mostly from this post on the mailing list: https://lists.strongswan.org/pipermail/users/2011-August/001966.html

1. you will need to first access the following link


and then 

- copy the RSA private-key into 2 files and name them "initiator_key.pem" 
and "responder_key.pem"

- copy the self-signed cert into 3 files and name 
them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

On the Initiator GW/PC/Machine
- Please note that the load-tester plugin can only act in and as a road-warrior-
client simulator mode. So you should be enabling the load-tester plugin on only 
the initiator linux-machine running the strongswan package

- The ipsec.conf file on this initiator is NEVER used or NOT required just 
comment out all config statments

- copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the 
respective locations "cacerts", "certs" and "private" under .../ipsec.d/ folder

- in the ipsec.secrets file, include the statement 
: RSA initiator_key.pem

- The strongswan.conf file should be as below:

charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # use a delay of 100ms, overall time is: iterations * delay = 100s
            delay = 100
            # address of the gateway
            responder =
            load = yes
            # IKE-proposal to use
            proposal = aes128-sha1-modp2048
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no

On the Responder GW/PC/Machine
- do not enable load-tester plugin here. just configure this machine as a Road-

- the ipsec.conf file should be as below:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default

conn rw-server


- copy the cacert.pem, responder_cert.pem and responder_key.pem to the 
respective locations under ipsec.d folder

- The ipsec.secrets file should have an entry as below:

: RSA responder_key.pem

2. That's it, now you start strongswan ipsec on both initiator and responder 
(first on this) using "ipsec start" or "ipsec start --nofork"

Use the following commands to examine the results:

ipsec status
ipsec statusall
ip route show route 220
ip -s xfrm state
ip -s xfrm policy

You may also want to know why if your strongswan is not logging at all:


No comments:

Post a Comment