
List:       strongswan-announce
Subject:    [strongSwan-dev] Ipsec tunnels vanish with traffic on tunnels
From:       meenakshi bangad <mbangad () gmail ! com>
Date:       2015-02-16 15:11:51
Message-ID: CANU0Jn1KDMtawWMkw-eerJzEvEt3gzbX1Tfre4RcG2qf-SuMBQ () mail ! gmail ! com

[Attachment #2 (multipart/alternative)]


Hi,

I am doing some load testing using strongSwan as a VPN client and server,
but on different machines. I was able to bring up about 200 VPN connections
on the client.
All the clients could talk to the internet and things looked fine.

But I see that after some time, even though I have a script that is generating
traffic constantly, all or some of the tunnels just vanish. Can someone
please provide some insight?
********************
*CLIENT config:*
My ipsec.conf on client side is blank.

*/etc/strongswan.conf:*
charon {
    # Leftover from the sample config and commented out, so charon loads its
    # default plugin set rather than this explicit list.
    # load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke

    dh_exponent_ansi_x9_42 = no
    # Do not initiate new CHILD_SAs inside an existing IKE_SA: every test
    # connection gets its own IKE_SA.
    reuse_ikesa = no
    # Worker threads for the load test (the gateway config uses the same value).
    threads = 32

    # Kept commented out, i.e. routes are installed for each tunnel (the default).
   # install_routes=no

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # initiators = number of parallel initiator threads,
            # iterations = number of IKE_SAs each thread sets up; as posted
            # this starts 10 IKE_SAs, so the sample's "10000 connections"
            # comment no longer applied.  The mail mentions ~200 connections,
            # so the values actually used may differ from the ones posted.
            initiators = 10
            iterations = 1
            # delay between initiations in ms; overall time is roughly
            # iterations * delay
            delay = 100
            # address of the gateway (releases before 5.0.2 used the "remote" keyword!)
            responder = 10.101.248.152
            # IKE-proposal to use
            proposal = aes128-sha1-modp2048
            esp = aes128-sha1
            # Certificate (pubkey) authentication followed by XAuth; the
            # sample's "faster PSK" comment does not apply here.  Must match
            # rightauth / rightauth2 on the gateway.
            initiator_auth = pubkey|xauth
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # IKE_SA rekeying disabled on the client side (default).  The
            # gateway still applies its own ikelifetime, so IKE_SAs can be
            # rekeyed or reauthenticated from that side.
            ike_rekey = 0
            # rekey every CHILD_SA every 60 s; with many tunnels up this is a
            # constant rekey load on both peers
            child_rekey = 60

            # Per-connection identity template; the %d fields appear to be
            # filled with the connection and round numbers.
            initiator_id = "CN=conn%dround%d"
            initiator_match = *
            responder_id="C=CH, O=strongSwan, CN=vpntest.x.com"
            # Presumably the client certificates are issued on the fly from
            # this CA, which is why the CA private key lives on the test
            # client.  Keep that key confined to the test environment.
            issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
            issuer_key = /home/mbangad/caKey.pem

            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
            # IKEv1, matching keyexchange=ikev1 in the gateway's conn
            version=1
            # traffic selector proposed for the responder side: everything
            initiator_tsr = 0.0.0.0/0
        }
    }
}
********************

*********************
*Server *

*ipsec.conf:*
# ipsec.conf - strongSwan IPsec configuration file

config setup

# Defaults inherited by every conn below.
conn %default
  # NOTE(review): the gateway rekeys/reauthenticates IKE_SAs at this lifetime
  # regardless of the client's ike_rekey = 0; if tunnels vanish around the
  # 60-minute mark, correlate with the charon log (unconfirmed).
  ikelifetime=60m


conn ios
    keyexchange=ikev1
    # IKE fragmentation, useful for large certificate payloads
    fragmentation=yes
    left=10.101.248.152
    leftcert=serverCert.pem
    # full tunnel: the gateway offers 0.0.0.0/0 to the clients
    leftsubnet=0.0.0.0/0
    # the updown script adds per-client firewall rules; that work scales with
    # the number of tunnels
    leftfirewall=yes
    right=%any
    # virtual IP pool handed to clients; a /24 covers the ~200 test clients
    rightsourceip=10.10.3.0/24
    # client certificate first, then XAuth credentials checked via RADIUS;
    # matches initiator_auth = pubkey|xauth on the load-tester side
    rightauth=pubkey
    rightauth2=xauth-radius
    # applies to EAP; with XAuth this is presumably without effect (confirm)
    eap_identity=%identity
    auto=add
    # MOBIKE is an IKEv2 feature and does not apply with keyexchange=ikev1
    mobike=yes

*strongswan.conf:*

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
   #  load_modular = yes
    # DNS server pushed to clients in the configuration payload
    dns1=8.8.8.8
    # Disables charon's DoS protection (cookies / half-open SA limits).
    # Acceptable for a controlled load test, not for a gateway exposed to
    # untrusted networks.
    dos_protection = no

    # Worker threads; same value as on the load-tester client.
    threads = 32

    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            # Raising the level for individual subsystems here is the first
            # step to see why SAs are being deleted.
            default = 1
            # flush each line to disk
            flush_line = yes
            # prefix each line with the IKE_SA name (useful with 200 tunnels)
ike_name = yes
        }
    }

    # RADIUS plugin backing rightauth2=xauth-radius in ipsec.conf
    plugins {
       eap-radius {
           # send RADIUS Accounting start/stop (and interim) records
           accounting = yes
           servers {
               server-a {
                   address = 127.0.0.1
                   # NOTE(review): a well-known sample secret, and it has been
                   # posted to a public list; treat as disclosed and rotate,
                   # and use a placeholder when sharing configs.
                   secret = testing123
               }
               server-b {
                   # same address as `left` in ipsec.conf, i.e. presumably a
                   # RADIUS server co-located on the gateway (confirm)
                   address = 10.101.248.152
                   # see note on server-a
                   secret = testing123
               }
           }
       }
   }
}

*********************************

thanks,

M

[Attachment #5 (text/html)]

<div dir="ltr"><div>Hi,</div><div><br></div><div>I am doing some load testing using \
Strong Swan as a VPN client and server but on different machines. I was able to bring \
up about 200 VPN connections   on the client.  </div><div>All the clients could talk \
to the internet and things looked fine.</div><div><br></div><div>Bit I see that after \
some time even though I have script that is generating traffic constantly, all or \
some of the tunnels just vanish. Can someone please provide an  \
</div><div>insight?</div><div>********************</div><div><b>CLIENT \
config:</b></div><div>My ipsec.conf on client side is \
blank.</div><div><br></div><div><b>/etc/strongswan.conf:</b></div><div>charon \
{</div><div>#    load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp \
random nonce curl xauth-generic kernel-netlink socket-default updown \
stroke</div><div><br></div><div>      dh_exponent_ansi_x9_42 = no</div><div>      \
reuse_ikesa = no</div><div>      threads = 32</div><div><br></div><div>     # \
install_routes=no</div><div><br></div><div>      plugins {</div><div>            \
load-tester {</div><div>                  # enable the plugin</div><div>              \
enable = yes</div><div>                  # 10000 connections, ten in \
parallel</div><div>                  initiators = 10</div><div>                  \
iterations = 1</div><div>                  # use a delay of 100ms, overall time is: \
iterations * delay = 100s</div><div>                  delay = 100</div><div>          \
# address of the gateway (releases before 5.0.2 used the &quot;remote&quot; \
keyword!)</div><div>                  responder = 10.101.248.152</div><div>           \
# IKE-proposal to use</div><div>                  proposal = \
aes128-sha1-modp2048</div><div>                  esp = aes128-sha1</div><div>         \
# use faster PSK authentication instead of 1024bit RSA</div><div>                  \
initiator_auth = pubkey|xauth</div><div>                  responder_auth = \
pubkey</div><div>                  # request a virtual IP using configuration \
payloads</div><div>                  request_virtual_ip = yes</div><div>              \
# disable IKE_SA rekeying (default)</div><div>                  ike_rekey = \
0</div><div>                  # enable CHILD_SA every 60s</div><div>                  \
child_rekey = 60</div><div>                   </div><div>                  \
initiator_id = &quot;CN=conn%dround%d&quot;</div><div>                  \
initiator_match = *</div><div>                  responder_id=&quot;C=CH, \
O=strongSwan, CN=<a href="http://vpntest.x.com">vpntest.x.com</a>&quot;</div><div>    \
issuer_cert = /etc/ipsec.d/cacerts/caCert.pem</div><div>                  issuer_key \
= /home/mbangad/caKey.pem</div><div>                 </div><div>                  # \
do not delete the IKE_SA after it has been established (default)</div><div>           \
delete_after_established = no</div><div>                  # do not shut down the \
daemon if all IKE_SAs established</div><div>                  shutdown_when_complete \
= no</div><div>                  version=1</div><div>                  initiator_tsr \
= <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div>            }</div><div>      \
}</div><div>}</div><div>********************</div><div><br></div><div>*********************</div><div><b>Server \
</b></div><div><br></div><div><b>ipsec.conf:</b></div><div># ipsec.conf - strongSwan \
IPsec configuration file</div><div><br></div><div>config \
setup</div><div><br></div><div># ipsec.conf - strongSwan IPsec configuration \
file</div><div>conn %default</div><div>   \
ikelifetime=60m</div><div><br></div><div><br></div><div>conn ios</div><div>      \
keyexchange=ikev1</div><div>      fragmentation=yes</div><div>      \
left=10.101.248.152</div><div>      leftcert=serverCert.pem</div><div>      \
leftsubnet=<a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div>      \
leftfirewall=yes</div><div>      right=%any</div><div>      rightsourceip=<a \
href="http://10.10.3.0/24">10.10.3.0/24</a></div><div>      \
rightauth=pubkey</div><div>      rightauth2=xauth-radius</div><div>      \
eap_identity=%identity</div><div>      auto=add</div><div>      \
mobike=yes</div><div><span class="" \
style="white-space:pre">	</span></div><div><br></div><div><b>strongswan.conf:</b></div><div><br></div><div> \
strongswan.conf - strongSwan configuration file</div><div>#</div><div># Refer to the \
strongswan.conf(5) manpage for details</div><div>#</div><div># Configuration changes \
should be made in the included files</div><div><br></div><div>charon {</div><div>     \
#   load_modular = yes</div><div>      dns1=8.8.8.8</div><div>      dos_protection = \
no</div><div><br></div><div>      threads = 32</div><div><br></div><div>      # Two \
defined file loggers. Each subsection is either a file</div><div>      # in the \
filesystem or one of: stdout, stderr.</div><div>      filelog {</div><div>            \
/var/log/charon.log {</div><div>                  # add a timestamp prefix</div><div> \
time_format = %b %e %T</div><div>                  # loggers to files also accept the \
append option to open files in</div><div>                  # append mode at startup \
(default is yes)</div><div>                  append = no</div><div>                  \
# the default loglevel for all daemon subsystems (defaults to 1).</div><div>          \
default = 1</div><div>                  # flush each line to disk</div><div>          \
flush_line = yes</div><div><span class="" style="white-space:pre">			</span>ike_name \
= yes</div><div>            }</div><div>      }</div><div><br></div><div>      \
#Radius Plugin</div><div>      plugins {</div><div>           eap-radius {</div><div> \
accounting = yes</div><div>                 servers {</div><div>                      \
server-a {</div><div>                             address = 127.0.0.1</div><div>      \
secret = testing123</div><div>                       }</div><div>                     \
server-b {</div><div>                             address = 10.101.248.152</div><div> \
secret = testing123</div><div>                       }</div><div>                 \
}</div><div>           }</div><div>     \
}</div><div>}</div><div><br></div><div>*********************************</div><div><br></div><div>thanks,</div><div><br></div><div>M</div><div><br></div></div>




_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev

