Hello Martin, all

Firstly, thanks for all your help in using the load-tester plugin.

I finally set it up to work using pubkey/rsasig with the certs provided in the file:
http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c

Used the self-signed cert as cacert.pem, initiator_cert.pem, responder_cert.pem and the RSA private key as initiator_key.pem and responder_key.pem, and copied them to the respective folder locations in ./ipsec.d/.. on both initiator and responder machines.

On the RW-Server machine, I used the following configs:

ipsec.conf
--------------
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        strictcrlpolicy=no
        crlcheckinterval=180
        plutostart=no
        charonstart=yes

conn %default
        ikelifetime=60m
        keylife=30m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no

conn rw-server
        left=172.17.10.10
        leftsubnet=192.168.20.0/24
        right=%any
        rightsourceip=10.3.0.0/16
        leftid="CN=srv, OU=load-test, O=strongSwan"
        leftcert=respcert.pem
        authby=pubkey
        keyexchange=ikev2
        type=tunnel
        auto=add
#

ipsec.secrets
------------------
: RSA responder_key.pem

On the RW-Client-Simulator machine with Load-Tester Plugin enabled, I used the following configs:

strongswan.conf
----------------------
charon {
    reuse_ikesa = no
    threads = 32
    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # use a delay of 100ms, overall time is: iterations * delay = 100s
            delay = 100
            # address of the gateway
            remote = 172.17.10.10
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead of 1024bit RSA
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # enable CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon if all IKE_SAs established
            shutdown_when_complete = no
        }
    }
}
-------------------------------------

ipsec.secrets
---------------------
: RSA initiator_key.pem

- So now I have the required 10 IKEv2 tunnels between the 2 peers (and I tried without any issues with even 1000 tunnels too). So I guess it works with certs, but somehow I could not make it work with PSK (fqdn).

- Although this load-test works, I would definitely want to know if I could make it work for forming multiple child-SAs (IPsec ESP SAs). What I now observe is as shown in the console traces attached.

I have observed the following messages on the RW-Server which responds to the load-tester-plugin initiator:

----------------------------------------------------------
22[IKE] received end entity cert "CN=c4-r1, OU=load-test, O=strongSwan"
22[CFG] looking for peer configs matching 172.17.10.10[CN=srv, OU=load-test, O=strongSwan]...172.17.10.20[CN=c4-r1, OU=load-test, O=strongSwan]
22[CFG] selected peer config 'rw-server'
22[CFG] using certificate "CN=c4-r1, OU=load-test, O=strongSwan"
22[CFG] using trusted ca certificate "CN=srv, OU=load-test, O=strongSwan"
22[CFG] checking certificate status of "CN=c4-r1, OU=load-test, O=strongSwan"
22[CFG] certificate status is not available
22[CFG] reached self-signed root ca with a path length of 0
22[IKE] authentication of 'CN=c4-r1, OU=load-test, O=strongSwan' with RSA signature successful
21[CFG] checking certificate status of "CN=c6-r1, OU=load-test, O=strongSwan"
21[CFG] certificate status is not available
21[CFG] reached self-signed root ca with a path length of 0
21[IKE] authentication of 'CN=c6-r1, OU=load-test, O=strongSwan' with RSA signature successful
21[IKE] authentication of 'CN=srv, OU=load-test, O=strongSwan' (myself) with RSA signature successful
21[IKE] IKE_SA rw-server[1] established between 172.17.10.10[CN=srv, OU=load-test, O=strongSwan]...172.17.10.20[CN=c6-r1, OU=load-test, O=strongSwan]
21[IKE] scheduling reauthentication in 3329s
21[IKE] maximum IKE_SA lifetime 3509s
21[IKE] peer requested virtual IP %any
21[CFG] assigning new lease to 'CN=c6-r1, OU=load-test, O=strongSwan'
21[IKE] assigning virtual IP 10.3.0.1 to peer 'CN=c6-r1, OU=load-test, O=strongSwan'
21[IKE] traffic selectors 172.17.10.10/32 === 0.0.0.0/0 inacceptable
21[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) N(AUTH_LFT) N(TS_UNACCEPT) ]
21[NET] sending packet: from 172.17.10.10[500] to 172.17.10.20[500]
22[IKE] authentication of 'CN=srv, OU=load-test, O=strongSwan' (myself) with RSA signature successful
22[IKE] IKE_SA rw-server[3] established between 172.17.10.10[CN=srv, OU=load-test, O=strongSwan]...172.17.10.20[CN=c4-r1, OU=load-test, O=strongSwan]
22[IKE] scheduling reauthentication in 3385s
22[IKE] maximum IKE_SA lifetime 3565s
22[IKE] peer requested virtual IP %any
22[CFG] assigning new lease to 'CN=c4-r1, OU=load-test, O=strongSwan'
22[IKE] assigning virtual IP 10.3.0.2 to peer 'CN=c4-r1, OU=load-test, O=strongSwan'
22[IKE] traffic selectors 172.17.10.10/32 === 0.0.0.0/0 inacceptable
22[ENC] generating IKE_AUTH response 1 [ IDr AUTH CP(ADDR) N(AUTH_LFT) N(TS_UNACCEPT) ]
22[NET] sending packet: from 172.17.10.10[500] to 172.17.10.20[500]
----------------------------------------------------------------------------------------------------------

- Will try to work more with the load-tester plugin and update if any new observations/issues.

thanks & regards
rajiv

On Tue, Aug 2, 2011 at 6:54 PM, Rajiv Kulkarni <[email protected]> wrote:
> Hi
>
> One more followup info. On the m/c enabled with load-tester plugin and
> simulating multiple rw-clients, I have the following strongswan.conf config
> file:
>
> -----------------------------------------------------------------------------------
> # strongswan.conf - strongSwan configuration file
> charon {
>     reuse_ikesa = no
>     # number of worker threads in charon
>     threads = 32
>     # send strongswan vendor ID?
>     # send_vendor_id = yes
>     plugins {
>         sql {
>             # loglevel to log into sql database
>             loglevel = -1
>             # URI to the database
>             # database = sqlite:///path/to/file.db
>             # database = mysql://user:password@localhost/database
>         }
>         load-tester {
>             # enable the plugin
>             enable = yes
>             # 10000 connections, ten in parallel
>             initiators = 5
>             iterations = 2
>
>             # use a delay of 100ms, overall time is: iterations * delay = 100s
>             delay = 100
>             # address of the gateway
>             remote = 172.17.10.10
>             # IKE-proposal to use
>             proposal = aes128-sha1-modp1024
>             # use faster PSK authentication instead of 1024bit RSA
>             initiator_auth = psk
>             responder_auth = psk
>             # request a virtual IP using configuration payloads
>             request_virtual_ip = yes
>             # disable IKE_SA rekeying (default)
>             ike_rekey = 0
>             # enable CHILD_SA every 60s
>             child_rekey = 60
>             # do not delete the IKE_SA after it has been established (default)
>             delete_after_established = no
>             # do not shut down the daemon if all IKE_SAs established
>             shutdown_when_complete = no
>         }
>
>     }
>     # ...
> }
> pluto {
> }
> libstrongswan {
>     # set to no, the DH exponent size is optimized
>     # dh_exponent_ansi_x9_42 = no
> }
> [root@dvtpc3 etc]#
> [root@dvtpc3 etc]#
> [root@dvtpc3 etc]# ipsec start
> Starting strongSwan 4.5.2 IPsec [starter]...
> [root@dvtpc3 etc]#
>
> ----------------------------------------------------------------------------------
>
> and on running the command
>
> [root@dvtpc3 etc]# ipsec start
> [root@dvtpc3 etc]# ipsec statusall
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 172.17.10.253:500
> 000 interface eth2/eth2 192.168.21.1:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: none
> 000
> Status of IKEv2 charon daemon (strongSwan 4.5.2):
>   uptime: 4 seconds, since Aug 02 18:49:59 2011
>   malloc: sbrk 262144, mmap 0, used 92800, free 169344
>   worker threads: 25 idle of 32, job queue load: 0, scheduled events: 20
>   loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp xcbc hmac attr load-tester kernel-netlink resolve socket-raw stroke updown
> Listening IP addresses:
>   172.17.10.253
>   192.168.21.1
> Connections:
>    load-test:  0.0.0.0...172.17.10.10
>    load-test:   local:  [srv.strongswan.org] uses pre-shared key authentication
>    load-test:   remote: [*.strongswan.org] uses pre-shared key authentication
>    load-test:   child:  dynamic === dynamic
> Security Associations:
>   none
> [root@dvtpc3 etc]#
>
> so here it shows the local system with id as srv.strongswan.org, whereas
> it is actually supposed to be a rw-client
>
> thanks & regards
> rajiv
>
>
> On Tue, Aug 2, 2011 at 6:25 PM, Rajiv Kulkarni <[email protected]> wrote:
>
>> Hi
>>
>> >>The problem is not the secret, but that no config matches on your
>> >>responder. "leftid" defaults to "left" (172.17.10.10), but actually is
>> >>srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
>>
>> I did just that, I used leftid=%any on the rw-server. But when I start the
>> ipsec (ipsec start --nofork) on the load-tester-plugin enabled m/c, I still
>> get auth failed messages.
>>
>> Meanwhile on the server I get the following messages:
>>
>> -----------------------------------------------------------------------------
>> 28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
>> 28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>> 28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]
>> 28[CFG] selected peer config 'rw-server'
>> 28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched
>> 28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
>> 28[NET] received packet: from 172.17.10.253[500] to 172.17.10.10[500]
>> 28[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
>> 28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]
>> 28[CFG] selected peer config 'rw-server'
>> 28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched
>> 28[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>> 28[NET] sending packet: from 172.17.10.10[500] to 172.17.10.253[500]
>> ------------------------------------------------------------------------------------------
>>
>> - On the rw-server, I am using the following setting in the "ipsec.secrets" file:
>> : PSK "default-psk"
>>
>> - and the ipsec.conf on the rw-server m/c is as below:
>> -------------------------------------------------------------------------
>> [root@dvtpc1 etc]# cat ipsec.conf
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>         strictcrlpolicy=no
>>         crlcheckinterval=180
>>         plutostart=yes
>>         charonstart=yes
>>
>> conn %default
>>         ikelifetime=60m
>>         keylife=30m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>         mobike=no
>>
>> conn rw-server
>>         left=172.17.10.10
>>         leftsubnet=192.168.20.0/24
>>         leftid=%any
>>
>>         right=%any
>>         rightsourceip=10.3.0.0/16
>>         authby=psk
>>
>>         keyexchange=ikev2
>>         type=tunnel
>>         auto=add
>> #
>> --------------------------------------------
>>
>> - both the rw-server (with ipaddr 172.17.10.10/24, DGw-IP: 172.17.10.253)
>> and the rw-client (with load-tester-plugin enabled and with ipaddr
>> 172.17.10.253/24, Dgw-ip: 172.17.10.10) are connected back-to-back and
>> both are running strongswan4.5.2 on Linux-Fedora13.
>>
>> so where am I going wrong?
>>
>> thanks & regards
>> rajiv
>>
>> On Tue, Aug 2, 2011 at 1:09 PM, Martin Willi <[email protected]> wrote:
>>>
>>> > 15[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]
>>> > 15[CFG] no matching peer config found
>>> > 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
>>>
>>> > conn rw-server
>>> >         left=172.17.10.10
>>> >         leftsubnet=192.168.20.0/24
>>> >         right=%any
>>>
>>> The problem is not the secret, but that no config matches on your
>>> responder. "leftid" defaults to "left" (172.17.10.10), but actually is
>>> srv.strongswan.org. Try leftid=srv.strongswan.org, or even leftid=%any.
>>>
>>> Regards
>>> Martin
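The thread shows three distinct charon failure signatures on the responder: "no matching peer config found" (identity/leftid mismatch), "tried N shared key ... but MAC mismatched" (PSK did not verify) and "traffic selectors ... inacceptable" followed by N(TS_UNACCEPT) (IKE_SA up, no CHILD_SA). At 1000 tunnels these are easy to lose in the log, so here is an added triage script (not part of the thread and not strongSwan code) that classifies charon lines by those signatures; the sample lines are copied from the messages above, and the hint texts are this editor's wording.

```python
import re
from dataclasses import dataclass

# Added example, not from the thread: regexes match the charon message wording seen above.
LOG_RE = re.compile(r"^\s*(?:>\s*)*(\d+)\[([A-Z]+)\]\s+(.*)$")
PEER_RE = re.compile(r"looking for peer configs matching (\S+)\[(.*?)\]\.\.\.(\S+)\[(.*?)\]")
EST_RE = re.compile(r"IKE_SA \S+ established between (\S+)\[(.*?)\]\.\.\.(\S+)\[(.*?)\]")
PSK_RE = re.compile(r"tried (\d+) shared keys? for '(.*?)' - '(.*?)', but MAC mismatched")
TS_RE = re.compile(r"traffic selectors (\S+) === (\S+) (?:in|un)acceptable")

@dataclass
class Finding:
    thread: str   # charon worker thread that logged the evidence
    code: str     # NO_PEER_CONFIG | PSK_MISMATCH | TS_UNACCEPT
    peers: tuple  # (local id, remote id) of the affected exchange
    hint: str

def triage(lines):
    """Walk charon log lines in order; return one Finding per failure seen."""
    last_ids, findings = {}, []  # last_ids: identities per worker thread
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        thread, _subsys, msg = m.groups()
        ctx = PEER_RE.search(msg) or EST_RE.search(msg)
        if ctx:  # remember which identities this worker thread is handling
            last_ids[thread] = (ctx.group(2), ctx.group(4))
            continue
        ids = last_ids.get(thread, ("?", "?"))
        psk, ts = PSK_RE.search(msg), TS_RE.search(msg)
        if "no matching peer config found" in msg:
            findings.append(Finding(thread, "NO_PEER_CONFIG", ids,
                "no conn matches these identities; set leftid/rightid (leftid defaults to the left address)"))
        elif psk:
            findings.append(Finding(thread, "PSK_MISMATCH", (psk.group(2), psk.group(3)),
                f"{psk.group(1)} shared key(s) matched the identities but none verified the AUTH payload"))
        elif ts:
            findings.append(Finding(thread, "TS_UNACCEPT", ids,
                f"IKE_SA up but proposed TS {ts.group(1)} === {ts.group(2)} match no configured subnet; no CHILD_SA"))
    return findings

SAMPLE_LOG = [  # lines copied from the thread above (test identities, not real hosts)
    "15[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c5-1.strongswan.org]",
    "15[CFG] no matching peer config found",
    "28[CFG] looking for peer configs matching 172.17.10.10[srv.strongswan.org]...172.17.10.253[c6-r1.strongswan.org]",
    "28[IKE] tried 1 shared key for 'srv.strongswan.org' - 'c6-r1.strongswan.org', but MAC mismatched",
    "21[IKE] IKE_SA rw-server[1] established between 172.17.10.10[CN=srv, OU=load-test, O=strongSwan]...172.17.10.20[CN=c6-r1, OU=load-test, O=strongSwan]",
    "21[IKE] traffic selectors 172.17.10.10/32 === 0.0.0.0/0 inacceptable",
]
```

Feed it the output of `ipsec start --nofork` (or the charon syslog) line by line; quoted `>` prefixes as they appear in the mail are tolerated.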
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
