Hi, I need some help from you all on the following issue:
1. I have a setup using racoon (IKEv1 only) between 2 peer GWs (Linux servers) and I needed to have about 1000 IPsec tunnels between them (i.e. it would come to 2000 IPsec/ESP SAs with 1 IKE SA between the peer GWs). I did this using the following script to generate the setkey policy files on the initiator and the responder GW:

------------------------------------------------------------
#!/bin/bash
# Generates the setkey SPD files for the initiator (initracoon1000) and the
# responder (respracoon1000). Bash is needed for the C-style for loops.
# Each file is started fresh so that rerunning the script does not append
# duplicate policies.
for f in initracoon1000 respracoon1000; do
    echo "#!/usr/sbin/setkey -f" > "$f"
    echo "flush;" >> "$f"
    echo "spdflush;" >> "$f"
done

# One pair of policies (out/in) per protected host 172.20.$i.$j on each side;
# the "unique" level makes the kernel request a separate SA for each policy.
for ((i=1; i<5; i++)); do
    for ((j=3; j<255; j++)); do
        echo "spdadd 192.168.1.2/32 172.20.$i.$j/32 any -P out ipsec esp/tunnel/1.1.1.1-1.1.1.2/unique;" >> initracoon1000
        echo "spdadd 172.20.$i.$j/32 192.168.1.2/32 any -P in ipsec esp/tunnel/1.1.1.2-1.1.1.1/unique;" >> initracoon1000
        echo "spdadd 192.168.1.2/32 172.20.$i.$j/32 any -P in ipsec esp/tunnel/1.1.1.1-1.1.1.2/unique;" >> respracoon1000
        echo "spdadd 172.20.$i.$j/32 192.168.1.2/32 any -P out ipsec esp/tunnel/1.1.1.2-1.1.1.1/unique;" >> respracoon1000
    done
done
---------------------------------------------------------------------

The above is somewhat of a crude attempt to generate 1000 IPsec SAs. I used Spirent TestCenter to simulate the multiple protected hosts behind the 2 IPsec/IKE peer GWs. But with the racoon/setkey combo I see that it works somewhat; I am able to reach the targeted 1000 tunnels.

2. So my question and the request for help is: how to do the above scenario using strongSwan?
- Do I script each "conn tunnel-sa1" so that I will have an ipsec.conf file with 1 default conn entry (which will be used for the IKE SA) and about 1000 additional conn entries between each pair of the 1000 hosts behind the IPsec peer GWs?
- Is there a better way, a simple and elegant way, to simulate 1000 tunnels (2000 SAs)?
- I am interested in using IKEv2 only.
- Is there a keyword to use in the strongSwan IPsec config similar to "unique" in racoon/setkey, which would trigger a new IPsec SA?

thanks
Rajiv
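As an added example (not part of the original post or of strongSwan itself), a POSIX shell generator for the ipsec.conf layout the question proposes: one `conn %default` carrying the IKEv2 parameters and one conn per protected host, using the same gateway and host addresses as the setkey script. It assumes the classic ipsec.conf (stroke) format, `authby=secret` with a matching ipsec.secrets that is not shown, and strongSwan's default IKE_SA reuse, under which conns sharing the same IKE settings are negotiated as separate CHILD_SAs of one IKE_SA, so each conn gets its own ESP SA pair without a "unique"-style keyword.

```shell
#!/bin/sh
# Added example, not code from the original post. Writes a strongSwan
# ipsec.conf with one %default section (IKEv2 parameters shared by every
# tunnel, hence one IKE_SA) and one conn per protected host, reproducing the
# 172.20.1-4.3-254 host range of the setkey generator above.
#   $1 output file   $2 this gateway's address   $3 peer gateway's address
#   $4 which side holds the 172.20.x.y hosts: "left" (local) or "right" (peer)
gen_ipsec_conf() {
    out="$1"; me="$2"; peer="$3"; hosts_side="$4"
    {
        printf 'config setup\n\n'
        printf 'conn %%default\n'
        printf '    keyexchange=ikev2\n'
        printf '    left=%s\n    right=%s\n' "$me" "$peer"
        printf '    authby=secret\n'
        printf '    auto=add\n\n'
        i=1
        while [ "$i" -lt 5 ]; do
            j=3
            while [ "$j" -lt 255 ]; do
                host="172.20.$i.$j/32"
                printf 'conn tunnel-%s-%s\n' "$i" "$j"
                if [ "$hosts_side" = left ]; then
                    printf '    leftsubnet=%s\n    rightsubnet=192.168.1.2/32\n\n' "$host"
                else
                    printf '    leftsubnet=192.168.1.2/32\n    rightsubnet=%s\n\n' "$host"
                fi
                j=$((j + 1))
            done
            i=$((i + 1))
        done
    } > "$out"
}

# Number of per-host conn sections in a generated file (excludes %default).
count_conns() {
    grep -c '^conn tunnel-' "$1"
}

# Initiator (hosts are behind the peer) and responder (hosts are local);
# both files describe the same 1008 tunnels from opposite sides.
gen_ipsec_conf initiator.conf 1.1.1.1 1.1.1.2 right
gen_ipsec_conf responder.conf 1.1.1.2 1.1.1.1 left
```

Changing `auto=add` to `auto=start` on the initiator brings all tunnels up at `ipsec start`; with `auto=add` they are loaded and can be started selectively with `ipsec up tunnel-1-3`.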
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
