[strongSwan] Ipsec auto start on a reboot
Hi,

I did not see any init script for starting ipsec on a reboot. I am running Strongswan-5.2.2 on Centos 6.5 and would like it to start up automatically on a system start up. Is there an existing script, or do I need to make my own, put it in /etc/init.d/ and use chkconfig to set up the autostart?

Thanks,
Meenakshi

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Ipsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server
Please find the output attached for ip -s x p on the server. There are in total 11 clients: 10 clients from one machine using the load-tester plugin and 1 from my iOS device.

IP addresses:

    inet 10.10.2.1/32 scope global eth0
    inet 10.10.2.7/32 scope global eth0
    inet 10.10.2.10/32 scope global eth0
    inet 10.10.2.6/32 scope global eth0
    inet 10.10.2.8/32 scope global eth0
    inet 10.10.2.5/32 scope global eth0
    inet 10.10.2.4/32 scope global eth0
    inet 10.10.2.2/32 scope global eth0
    inet 10.10.2.3/32 scope global eth0
    inet 10.10.2.9/32 scope global eth0

When this condition happens, both CPUs are 99% idle. I have to wait for minutes for this situation to clear up and sometimes it might not clear up at all!

thanks,
Meenakshi

On Mon, Feb 23, 2015 at 3:55 PM, Noel Kuntze n...@familie-kuntze.de wrote:

> Hello meenakshi,
>
> Did you check if the IPsec SAs are still there for the tunnels, when you get timeouts? I would like to get some information on the state of the ipsec stack when that happens. Stuff like the statistics of the policies (ip -s x p) and the CPU usage. This is likely a problem with the IPsec stack of the Linux kernel, as it does traffic processing.
>
> Kind regards/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 20.02.2015 at 23:22, meenakshi bangad wrote:
>
>> I am experiencing a very interesting behaviour with the Strongswan server. Using the load tester plugin I can bring up multiple clients. I have set up about 200 clients on 2 machines (each running 100 Ipsec tunnels to the servers). I have my own traffic generator which is sending traffic across these multiple tunnels. Initially everything runs fine, but after some time I start getting time-outs in my traffic generator application. I have tried modifying the sysctl settings etc., but nothing has worked. If during that time I bring up another client, everything starts to work again.
>>
>> So the trigger for the non-responsive server is bringing tunnels up and down. Since I have been doing this, the generator on the other 200 tunnels never times out. It seems like the server is stuck somewhere and a tunnel up or down breaks that loop. Has anyone else experienced the same behaviour?
>>
>> Thanks,
>> Meenakshi

Attachment: ip.output
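As an added example (not code from the thread or from strongSwan), a small Python parser for the `ip -s xfrm policy` statistics Noel asked for: it reads the per-policy packet counters and flags in/out policies that never matched a packet, which is the first thing to compare against the list of installed virtual IPs when traffic times out. The sample output is constructed and abridged, and its layout is an assumption about the tool's output format.

```python
import re

# Constructed, abridged sample in the layout printed by `ip -s xfrm policy`
# (assumed format; addresses echo the thread's 10.10.2.0/24 virtual IP pool).
SAMPLE = """\
src 0.0.0.0/0 dst 10.10.2.1/32
        dir out priority 2883 ptype main
        lifetime current:
          184320(bytes), 1440(packets)
          add 2015-02-23 15:40:01 use 2015-02-23 15:55:10
        tmpl src 10.101.248.152 dst 10.101.248.153
                proto esp reqid 1 mode tunnel
src 10.10.2.1/32 dst 0.0.0.0/0
        dir in priority 2883 ptype main
        lifetime current:
          0(bytes), 0(packets)
          add 2015-02-23 15:40:01 use -
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s*dir (\w+)")
CUR_RE = re.compile(r"^\s*(\d+)\(bytes\), (\d+)\(packets\)")
USE_RE = re.compile(r"^\s*add \S+ \S+ use (\S.*?)\s*$")

def parse_policies(text):
    """Return one dict per policy: src, dst, dir, bytes, packets, used."""
    policies, cur = [], None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):          # new policy block starts
            cur = {"src": m.group(1), "dst": m.group(2), "used": False}
            policies.append(cur)
        elif cur is None:
            continue
        elif m := DIR_RE.match(line):
            cur["dir"] = m.group(1)
        elif m := CUR_RE.match(line):
            cur["bytes"], cur["packets"] = int(m.group(1)), int(m.group(2))
        elif m := USE_RE.match(line):
            cur["used"] = m.group(1) != "-"     # "use -" means never matched
    return policies

def idle_policies(policies):
    """In/out policies that are installed but have never matched a packet."""
    return [p for p in policies
            if p.get("dir") in ("in", "out") and p.get("packets", 0) == 0]

if __name__ == "__main__":
    for p in idle_policies(parse_policies(SAMPLE)):
        print(f"idle {p['dir']} policy {p['src']} -> {p['dst']}")
```

Feed it the real capture with `parse_policies(open("ip.output").read())`; taking two snapshots a minute apart and diffing the packet counters shows whether the kernel is still passing traffic on a given policy.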
[strongSwan] Ipsec up/down (bringing one client up/down) is a trigger to bring back up a non-responsive server
I am experiencing a very interesting behaviour with the Strongswan server. Using the load tester plugin I can bring up multiple clients. I have set up about 200 clients on 2 machines (each running 100 Ipsec tunnels to the servers). I have my own traffic generator which is sending traffic across these multiple tunnels. Initially everything runs fine, but after some time I start getting time-outs in my traffic generator application. I have tried modifying the sysctl settings etc., but nothing has worked. If during that time I bring up another client, everything starts to work again.

So the trigger for the non-responsive server is bringing tunnels up and down. Since I have been doing this, the generator on the other 200 tunnels never times out. It seems like the server is stuck somewhere and a tunnel up or down breaks that loop. Has anyone else experienced the same behaviour?

Thanks,
Meenakshi
[strongSwan] Issues with rekeying on 5.2.2 client against 5.2.1 server
Hi,

I am doing some load testing using Strong Swan as a VPN client and server, but on different machines. I was able to bring up about 200 VPN connections on the client. All the clients could talk to the internet and things looked fine. But I see that after some time, even though I have a script that is generating traffic constantly, all or some of the tunnels just vanish. Can someone please provide an insight?

CLIENT config:

My ipsec.conf on the client side is blank.

/etc/strongswan.conf:

    charon {
        # load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
        dh_exponent_ansi_x9_42 = no
        reuse_ikesa = no
        threads = 32
        # install_routes=no
        plugins {
            load-tester {
                # enable the plugin
                enable = yes
                # 1 connections, ten in parallel
                initiators = 10
                iterations = 1
                # use a delay of 100ms, overall time is: iterations * delay = 100s
                delay = 100
                # address of the gateway (releases before 5.0.2 used the remote keyword!)
                responder = 10.101.248.152
                # IKE-proposal to use
                proposal = aes128-sha1-modp2048
                esp = aes128-sha1
                # use faster PSK authentication instead of 1024bit RSA
                initiator_auth = pubkey|xauth
                responder_auth = pubkey
                # request a virtual IP using configuration payloads
                request_virtual_ip = yes
                # disable IKE_SA rekeying (default)
                ike_rekey = 0
                # enable CHILD_SA every 60s
                child_rekey = 60
                initiator_id = CN=conn%dround%d
                initiator_match = *
                responder_id=C=CH, O=strongSwan, CN=vpntest.x.com
                issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
                issuer_key = /home/mbangad/caKey.pem
                # do not delete the IKE_SA after it has been established (default)
                delete_after_established = no
                # do not shut down the daemon if all IKE_SAs established
                shutdown_when_complete = no
                version=1
                initiator_tsr = 0.0.0.0/0
            }
        }
    }

Server ipsec.conf:

    # ipsec.conf - strongSwan IPsec configuration file
    config setup
            # ipsec.conf - strongSwan IPsec configuration file

    conn %default
            ikelifetime=60m

    conn ios
            keyexchange=ikev1
            fragmentation=yes
            left=10.101.248.152
            leftcert=serverCert.pem
            leftsubnet=0.0.0.0/0
            leftfirewall=yes
            right=%any
            rightsourceip=10.10.3.0/24
            rightauth=pubkey
            rightauth2=xauth-radius
            eap_identity=%identity
            auto=add
            mobike=yes

Server strongswan.conf:

    # strongswan.conf - strongSwan configuration file
    #
    # Refer to the strongswan.conf(5) manpage for details
    #
    # Configuration changes should be made in the included files

    charon {
        # load_modular = yes
        dns1=8.8.8.8
        dos_protection = no
        threads = 32

        # Two defined file loggers. Each subsection is either a file
        # in the filesystem or one of: stdout, stderr.
        filelog {
            /var/log/charon.log {
                # add a timestamp prefix
                time_format = %b %e %T
                # loggers to files also accept the append option to open files in
                # append mode at startup (default is yes)
                append = no
                # the default loglevel for all daemon subsystems (defaults to 1).
                default = 1
                # flush each line to disk
                flush_line = yes
                ike_name = yes
            }
        }

        #Radius Plugin
        plugins {
            eap-radius {
                accounting = yes
                servers {
                    server-a {
                        address = 127.0.0.1
                        secret = testing123
                    }
                    server-b {
                        address = 10.101.248.152
                        secret = testing123
                    }
                }
            }
        }
    }

thanks,
M
[strongSwan] Multiple Ipsec connections thru one ipsec.conf
I am trying to bring multiple clients up using ipsec.conf from a single machine. I can bring up to 50 connections up by specifying a new connection in a (conn) section of ipsec.conf on the client. Everything works fine until I try a load test on these IPs. After a fixed number of packets I get an error "No buffer space available". I changed the sysctl settings to allot more buffer space for reading and writing of tcp, but nothing works. During this time the management interface has no issues. Seems like the 50 tunnels I created max out on memory etc. I have to wait for about 10 minutes and the connections are back to normal, or restart ipsec. Can you please advise what can be done?

Sample config on the client:

    #Default for all the client connections
    conn %default
            ikelifetime=60m
            keylife=20m
            rekeymargin=2m
            keyingtries=1
            keyexchange=ikev1
            left=10.101.248.153
            leftsourceip=%config
            leftauth=pubkey
            leftauth2=xauth
            leftfirewall=yes
            right=10.101.248.152
            rightid=C=CH, O=strongSwan, CN=vpntest.x.com
            rightsubnet=0.0.0.0/0
            rightauth=pubkey

    conn P2UJjggrNxA8Vcx_119a1d
            leftcert=P2UJjggrNxA8Vcx_119a1dCert.pem
            leftid=C=CH, O=strongSwan, CN=P2UJjggrNxA8Vcx_119a1d
            xauth_identity=P2UJjggrNxA8Vcx_119a1d
            auto=add

    conn P2UJjhgrNxA8Vcx_119a1d
            leftcert=P2UJjhgrNxA8Vcx_119a1dCert.pem
            leftid=C=CH, O=strongSwan, CN=P2UJjhgrNxA8Vcx_119a1d
            xauth_identity=P2UJjhgrNxA8Vcx_119a1d
            auto=add

thanks,
M