[strongSwan] Ipsec auto start on a reboot

2015-03-11 Thread meenakshi bangad
Hi,

I did not see any init script for starting ipsec on a reboot. I am
running strongSwan 5.2.2 on CentOS 6.5 and would like it to start up
automatically on system startup.

Is there an existing script, or do I need to make my own, put it in
/etc/init.d/ and use chkconfig to set up the autostart?

Thanks,

Meenakshi
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
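The post asks whether a hand-written /etc/init.d script plus chkconfig is the way to go on CentOS 6. As an added example (not a script shipped with strongSwan and not from the poster), the following is a minimal chkconfig-style SysV init script that wraps the `ipsec` control script strongSwan installs. The binary path, the lock-file path and the chkconfig start/stop priorities are assumptions to adjust for the local install (`which ipsec`).

```shell
#!/bin/sh
# ipsec        Start/stop the strongSwan IKE daemon (charon) through the
#              `ipsec` control script that strongSwan installs.
#
# chkconfig: 2345 85 15
# description: strongSwan IPsec/IKE daemon
#
# Added example, not part of strongSwan. Install as /etc/init.d/ipsec,
# chmod 755, then `chkconfig --add ipsec`. Start priority 85 keeps it
# after the network service; the paths below are assumptions.

IPSEC=/usr/sbin/ipsec
LOCKFILE=/var/lock/subsys/ipsec

# Map an init action to the `ipsec` subcommand it needs. Unknown actions
# return non-zero so the dispatcher prints usage instead of passing an
# arbitrary word to a program that runs as root.
action_to_cmd() {
    case "$1" in
        start|stop|status|restart|reload) echo "$1" ;;
        *) return 1 ;;
    esac
}

do_start() {
    [ -x "$IPSEC" ] || { echo "$IPSEC not found or not executable" >&2; return 5; }
    "$IPSEC" start && touch "$LOCKFILE"
}

do_stop() {
    "$IPSEC" stop
    rm -f "$LOCKFILE"
}

# Dispatch one init action; returns 2 on a bad or missing action.
main() {
    cmd=$(action_to_cmd "$1") || {
        echo "Usage: $0 {start|stop|restart|reload|status}" >&2
        return 2
    }
    case "$cmd" in
        start)   do_start ;;
        stop)    do_stop ;;
        restart) do_stop; do_start ;;
        reload)  "$IPSEC" reload ;;   # re-read ipsec.conf without restarting
        status)  "$IPSEC" status ;;
    esac
}

# Only dispatch when invoked with an action, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The lock file under /var/lock/subsys is what the CentOS 6 rc scripts look at on shutdown to decide which services still need a stop call.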

Re: [strongSwan] Ipsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server

2015-02-23 Thread meenakshi bangad
Please find the output of ip -s x p on the server attached.

There are 11 clients in total: 10 clients from one machine using the
load-tester plugin and 1 from my iOS device. IP addresses:

    inet 10.10.2.1/32 scope global eth0
    inet 10.10.2.7/32 scope global eth0
    inet 10.10.2.10/32 scope global eth0
    inet 10.10.2.6/32 scope global eth0
    inet 10.10.2.8/32 scope global eth0
    inet 10.10.2.5/32 scope global eth0
    inet 10.10.2.4/32 scope global eth0
    inet 10.10.2.2/32 scope global eth0
    inet 10.10.2.3/32 scope global eth0
    inet 10.10.2.9/32 scope global eth0

When this condition happens, both CPUs are 99% idle. I have to wait
for minutes for this situation to clear up, and sometimes it might not clear
up at all!

thanks,

Meenakshi


On Mon, Feb 23, 2015 at 3:55 PM, Noel Kuntze n...@familie-kuntze.de wrote:


 Hello meenakshi,

 Did you check if the IPsec SAs are still there for the tunnels when you
 get timeouts? I would like to get some information on the state of the
 IPsec stack when that happens. Stuff like the statistics of the policies
 (ip -s x p) and the CPU usage. This is likely a problem with the IPsec
 stack of the Linux kernel, as it does the traffic processing.

 Kind regards,
 Noel Kuntze

 GPG Key ID: 0x63EC6658
 Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

 On 20.02.2015 at 23:22, meenakshi bangad wrote:
  I am experiencing a very interesting behaviour with the strongSwan server.

  Using the load-tester plugin I can bring up multiple clients. I have set
  up about 200 clients on 2 machines (each running 100 IPsec tunnels to the
  servers).
  I have my own traffic generator which is sending traffic across these
  multiple tunnels.

  Initially everything runs fine, but after some time I start getting
  time-outs in my traffic generator application. I have tried modifying the
  sysctl settings etc., but nothing has worked. If during that time I bring
  up another client, everything starts to work again. So the trigger to the
  non-responsive server is bringing a tunnel up and down. Since I have been
  doing this, the generator on the other 200 tunnels never times out. It
  seems like the server is stuck somewhere and a tunnel up or down breaks
  that loop.

  Has anyone else experienced the same behaviour?

  Thanks,

  Meenakshi
 
 
 




(attachment: ip.output)
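Noel asks for the per-policy statistics from ip -s x p to tell whether the kernel's IPsec stack is still moving packets. The script below is an added example (not from the thread and not strongSwan's own tooling): it reduces the output of `ip -s xfrm policy` to one packet counter per policy and, given two snapshots taken a few seconds apart, lists the policies whose counter did not advance, which is the quickest way to separate a stuck tunnel from an idle one. The sample snapshots are constructed and only imitate the layout the iproute2 command prints; the addresses are taken from the post.

```shell
#!/bin/sh
# Added example (not from the thread): summarise `ip -s xfrm policy` output
# per policy and flag policies whose packet counter stopped advancing
# between two snapshots.

# Reduce `ip -s xfrm policy` (stdin) to one line per policy:
#   <src> <dst> <dir> <packets>
# The packet count comes from the "lifetime current" line, the only line
# of the form "N(bytes), M(packets)"; the "limit:" lines carry "(INF)".
xfrm_policy_counters() {
    awk '
        /^src / { src = $2; dst = $4 }
        /^[ \t]*dir / { dir = $2 }
        /\(bytes\), [0-9]+\(packets\)/ {
            pk = $2
            sub(/\(packets\).*/, "", pk)
            print src, dst, dir, pk
        }
    '
}

# Compare two counter files (output of xfrm_policy_counters, older file
# first) and print the policies whose packet counter is identical in both,
# i.e. no packet matched that policy between the snapshots.
xfrm_stalled_policies() {
    awk '
        NR == FNR { before[$1 " " $2 " " $3] = $4; next }
        {
            key = $1 " " $2 " " $3
            if ((key in before) && before[key] == $4)
                print key " packets=" $4
        }
    ' "$1" "$2"
}

# Constructed sample snapshot (not real output from the poster's server);
# $1 = packet count for the 10.10.2.1 policy, $2 = for the 10.10.2.7 policy.
sample_snapshot() {
    cat <<EOF
src 0.0.0.0/0 dst 10.10.2.1/32
    dir out priority 383615 ptype main
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      $(( $1 * 100 ))(bytes), $1(packets)
      add 2015-02-23 15:40:01 use 2015-02-23 15:41:10
    tmpl src 10.101.248.152 dst 10.0.0.5
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.10.2.7/32
    dir out priority 383615 ptype main
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      $(( $2 * 100 ))(bytes), $2(packets)
      add 2015-02-23 15:40:03 use 2015-02-23 15:40:30
    tmpl src 10.101.248.152 dst 10.0.0.6
        proto esp reqid 2 mode tunnel
EOF
}

# On a live host (as root), the same two functions are used like this:
#   ip -s xfrm policy | xfrm_policy_counters > /tmp/xfrm.1
#   sleep 5
#   ip -s xfrm policy | xfrm_policy_counters > /tmp/xfrm.2
#   xfrm_stalled_policies /tmp/xfrm.1 /tmp/xfrm.2
demo() {
    t1=$(mktemp); t2=$(mktemp)
    sample_snapshot 24 15 | xfrm_policy_counters > "$t1"
    sample_snapshot 40 15 | xfrm_policy_counters > "$t2"
    xfrm_stalled_policies "$t1" "$t2"
    rm -f "$t1" "$t2"
}
demo
```

A policy that shows up as stalled while the traffic generator is still sending to that client is the case Noel is after: the IKE daemon is fine (CPU idle, SAs present) but the kernel is not matching packets to the policy, which points at the xfrm stack rather than charon.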

[strongSwan] Ipsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server

2015-02-20 Thread meenakshi bangad
I am experiencing a very interesting behaviour with the strongSwan server.

Using the load-tester plugin I can bring up multiple clients. I have set up
about 200 clients on 2 machines (each running 100 IPsec tunnels to the
servers).
I have my own traffic generator which is sending traffic across these
multiple tunnels.

Initially everything runs fine, but after some time I start getting
time-outs in my traffic generator application. I have tried modifying the
sysctl settings etc., but nothing has worked. If during that time I bring up
another client, everything starts to work again. So the trigger to the
non-responsive server is bringing a tunnel up and down. Since I have been
doing this, the generator on the other 200 tunnels never times out. It seems
like the server is stuck somewhere and a tunnel up or down breaks that loop.

Has anyone else experienced the same behaviour?

Thanks,

Meenakshi

[strongSwan] Issues with rekeying on 5.2.2 client against 5.2.1 server

2015-02-17 Thread meenakshi bangad
Hi,

I am doing some load testing using strongSwan as a VPN client and server,
but on different machines. I was able to bring up about 200 VPN connections
on the client.
All the clients could talk to the internet and things looked fine.

But I see that after some time, even though I have a script that is generating
traffic constantly, all or some of the tunnels just vanish. Can someone
please provide an insight?

*CLIENT config:*
My ipsec.conf on client side is blank.

*/etc/strongswan.conf:*
charon {
    # load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke

    dh_exponent_ansi_x9_42 = no
    reuse_ikesa = no
    threads = 32

    # install_routes = no

    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # one iteration per initiator, ten initiators in parallel (10 connections)
            initiators = 10
            iterations = 1
            # delay between initiations, in ms
            delay = 100
            # address of the gateway (releases before 5.0.2 used the remote keyword!)
            responder = 10.101.248.152
            # IKE proposal to use
            proposal = aes128-sha1-modp2048
            esp = aes128-sha1
            # client authenticates with a certificate plus XAuth, gateway with its certificate
            initiator_auth = pubkey|xauth
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60

            initiator_id = CN=conn%dround%d
            initiator_match = *
            responder_id = C=CH, O=strongSwan, CN=vpntest.x.com
            issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
            issuer_key = /home/mbangad/caKey.pem

            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon once all IKE_SAs are established
            shutdown_when_complete = no
            # use IKEv1
            version = 1
            initiator_tsr = 0.0.0.0/0
        }
    }
}


*Server*

*ipsec.conf:*
# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
    ikelifetime=60m

conn ios
    keyexchange=ikev1
    fragmentation=yes
    left=10.101.248.152
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=pubkey
    rightauth2=xauth-radius
    eap_identity=%identity
    auto=add
    mobike=yes

*strongswan.conf:*

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    # load_modular = yes
    dns1 = 8.8.8.8
    # disables the half-open IKE_SA limits and cookie challenge (load testing only)
    dos_protection = no

    threads = 32

    # File loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1)
            default = 1
            # flush each line to disk
            flush_line = yes
            # prefix log lines with the IKE_SA name
            ike_name = yes
        }
    }

    # RADIUS plugin
    plugins {
        eap-radius {
            accounting = yes
            servers {
                server-a {
                    address = 127.0.0.1
                    secret = testing123
                }
                server-b {
                    address = 10.101.248.152
                    secret = testing123
                }
            }
        }
    }
}


thanks,

M

[strongSwan] Multiple IPsec connections through one ipsec.conf

2015-02-11 Thread meenakshi bangad
I am trying to bring multiple clients up using ipsec.conf from a single
machine. I can bring up to 50 connections by specifying a new connection in
the (conn) section of ipsec.conf on the client. Everything works fine until I
try a load test on these IPs. After a fixed number of packets I get the error
"No buffer space available".

I changed the sysctl settings to allot more buffer space for reading and
writing of TCP, but nothing works. During this time the management
interface has no issues.
It seems like the 50 tunnels I created max out on memory etc. I have to wait
for about 10 minutes and the connections are back to normal, or restart
ipsec. Can you please advise what can be done?

Sample config on the client:

# Default for all the client connections
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=2m
    keyingtries=1
    keyexchange=ikev1

    left=10.101.248.153
    leftsourceip=%config
    leftauth=pubkey
    leftauth2=xauth
    leftfirewall=yes
    right=10.101.248.152
    rightid=C=CH, O=strongSwan, CN=vpntest.x.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey

conn P2UJjggrNxA8Vcx_119a1d
    leftcert=P2UJjggrNxA8Vcx_119a1dCert.pem
    leftid=C=CH, O=strongSwan, CN=P2UJjggrNxA8Vcx_119a1d
    xauth_identity=P2UJjggrNxA8Vcx_119a1d
    auto=add

conn P2UJjhgrNxA8Vcx_119a1d
    leftcert=P2UJjhgrNxA8Vcx_119a1dCert.pem
    leftid=C=CH, O=strongSwan, CN=P2UJjhgrNxA8Vcx_119a1d
    xauth_identity=P2UJjhgrNxA8Vcx_119a1d
    auto=add

thanks,

M
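The post shows the pattern for one conn section per client and says 50 of them were written into ipsec.conf. As an added example (not from the thread and not part of strongSwan), the script below generates that file from a list of client ids, with the one check a practitioner wants before writing identities into a config: ids are restricted to a safe character set so a stray space, quote or comment character cannot change how the section parses. The addresses and gateway identity are the post's; the client ids in the usage line are constructed, and the certificate naming (<id>Cert.pem) follows the posted config.

```shell
#!/bin/sh
# Added example (not from the thread, not part of strongSwan): generate the
# per-client `conn` sections of a client-side ipsec.conf from a list of
# client ids, following the pattern in the post.

# Shared defaults, identical to the poster's `conn %default` block.
# $1 = this host's address, $2 = gateway address.
emit_default() {
    cat <<EOF
# Default for all the client connections
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=2m
    keyingtries=1
    keyexchange=ikev1
    left=$1
    leftsourceip=%config
    leftauth=pubkey
    leftauth2=xauth
    leftfirewall=yes
    right=$2
    rightid=C=CH, O=strongSwan, CN=vpntest.x.com
    rightsubnet=0.0.0.0/0
    rightauth=pubkey

EOF
}

# One conn block per client id; the certificate is assumed to be named
# <id>Cert.pem (looked up in /etc/ipsec.d/certs), as in the posted config.
emit_conn() {
    printf 'conn %s\n' "$1"
    printf '    leftcert=%sCert.pem\n' "$1"
    printf '    leftid=C=CH, O=strongSwan, CN=%s\n' "$1"
    printf '    xauth_identity=%s\n' "$1"
    printf '    auto=add\n\n'
}

# Whole file: defaults followed by a conn block for every id read from
# stdin (one per line). Ids with characters outside [A-Za-z0-9_-] are
# reported on stderr and left out rather than written into the config.
emit_config() {
    emit_default "$1" "$2"
    while IFS= read -r id; do
        case "$id" in
            ''|*[!A-Za-z0-9_-]*) echo "skipping invalid id: $id" >&2 ;;
            *) emit_conn "$id" ;;
        esac
    done
}

# Usage (ids are constructed):
#   printf 'client001\nclient002\n' | emit_config 10.101.248.153 10.101.248.152 > /etc/ipsec.conf
```

Generating the file also makes it easy to change the number of connections between load-test runs (10, 25, 50) and see at which count the "No buffer space available" error first appears, which narrows down whether the limit is per-tunnel memory or something else.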