Hi, I am doing some load testing using strongSwan as a VPN client and server, but on different machines. I was able to bring up about 200 VPN connections on the client. All the clients could talk to the internet and things looked fine.
But I see that after some time, even though I have a script that is generating traffic constantly, all or some of the tunnels just vanish. Can someone please provide an insight?

********************

*CLIENT config:*

My ipsec.conf on client side is blank.

*/etc/strongswan.conf:*

charon {
    # load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
    dh_exponent_ansi_x9_42 = no
    reuse_ikesa = no
    threads = 32
    # install_routes=no
    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # 10000 connections, ten in parallel
            initiators = 10
            iterations = 1
            # use a delay of 100ms, overall time is: iterations * delay = 100s
            delay = 100
            # address of the gateway (releases before 5.0.2 used the "remote" keyword!)
            responder = 10.101.248.152
            # IKE-proposal to use
            proposal = aes128-sha1-modp2048
            esp = aes128-sha1
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey|xauth
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            initiator_id = "CN=conn%dround%d"
            initiator_match = *
            responder_id="C=CH, O=strongSwan, CN=vpntest.x.com"
            issuer_cert = /etc/ipsec.d/cacerts/caCert.pem
            issuer_key = /home/mbangad/caKey.pem
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
            version=1
            initiator_tsr = 0.0.0.0/0
        }
    }
}

********************

*Server*

*ipsec.conf:*

# ipsec.conf - strongSwan IPsec configuration file

config setup

# ipsec.conf - strongSwan IPsec configuration file

conn %default
    ikelifetime=60m

conn ios
    keyexchange=ikev1
    fragmentation=yes
    left=10.101.248.152
    leftcert=serverCert.pem
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    right=%any
    rightsourceip=10.10.3.0/24
    rightauth=pubkey
    rightauth2=xauth-radius
    eap_identity=%identity
    auto=add
    mobike=yes

*strongswan.conf:*

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    # load_modular = yes
    dns1=8.8.8.8
    dos_protection = no
    threads = 32

    # Two defined file loggers. Each subsection is either a file
    # in the filesystem or one of: stdout, stderr.
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # loggers to files also accept the append option to open files in
            # append mode at startup (default is yes)
            append = no
            # the default loglevel for all daemon subsystems (defaults to 1).
            default = 1
            # flush each line to disk
            flush_line = yes
            ike_name = yes
        }
    }

    # Radius Plugin
    plugins {
        eap-radius {
            accounting = yes
            servers {
                server-a {
                    address = 127.0.0.1
                    secret = testing123
                }
                server-b {
                    address = 10.101.248.152
                    secret = testing123
                }
            }
        }
    }
}

*********************************

Thanks,
M