Hi, why don't you try the steps below (it worked for me):

1. You will need to first access the following link
   http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c
   and then:
   - copy the RSA private key into 2 files and name them "initiator_key.pem" and "responder_key.pem"
   - copy the self-signed cert into 3 files and name them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

   On the Initiator GW/PC/Machine (enabled with the LoadTester plugin)
   -------------------------------------------------------------------
   - Please note that the load-tester plugin can only act in and as a road-warrior-client simulator mode. So you should be enabling the load-tester plugin on only the initiator Linux machine running the strongSwan package.
   - The ipsec.conf file on this initiator is NEVER used or NOT required; just comment out all config statements.
   - Copy the cacert.pem, initiator_cert.pem and the initiator_key.pem to the respective locations "cacerts", "certs" and "private" under the .../ipsec.d/ folder.
   - In the ipsec.secrets file, include the statement:

         : RSA initiator_key.pem

   - The strongswan.conf file should be as below:

         charon {
             reuse_ikesa = no
             threads = 32
             plugins {
                 load-tester {
                     # enable the plugin
                     enable = yes
                     # example: 10 connections, 5 in parallel
                     initiators = 5
                     iterations = 2
                     # use a delay of 100ms between initiations
                     delay = 100
                     # address of the gateway
                     remote = 172.17.10.10
                     # IKE proposal to use
                     proposal = aes128-sha1-modp1024
                     # authenticate both sides with certificates (pubkey), not PSK
                     initiator_auth = pubkey
                     responder_auth = pubkey
                     # request a virtual IP using configuration payloads
                     request_virtual_ip = yes
                     # disable IKE_SA rekeying (default)
                     ike_rekey = 0
                     # rekey the CHILD_SA every 60s
                     child_rekey = 60
                     # do not delete the IKE_SA after it has been established (default)
                     delete_after_established = no
                     # do not shut down the daemon once all IKE_SAs are established
                     shutdown_when_complete = no
                 }
             }
         }

   On the Responder GW/PC/Machine
   ******************************
   - Do not enable the load-tester plugin here. Just configure this machine as a Road-Warrior VPN server.
   - The ipsec.conf file should be as below:

         # /etc/ipsec.conf - strongSwan IPsec configuration file

         config setup
             strictcrlpolicy=no
             crlcheckinterval=180
             plutostart=no
             charonstart=yes

         conn %default
             ikelifetime=60m
             keylife=30m
             rekeymargin=3m
             keyingtries=1
             keyexchange=ikev2
             mobike=no

         conn rw-server
             left=172.17.10.10
             leftsubnet=192.168.20.0/24
             right=%any
             rightsourceip=10.3.0.0/16
             leftid="CN=srv, OU=load-test, O=strongSwan"
             # the certificate copied into ipsec.d/certs below
             leftcert=responder_cert.pem
             authby=pubkey
             keyexchange=ikev2
             type=tunnel
             auto=add

   - Copy the cacert.pem, responder_cert.pem and responder_key.pem to the respective locations under the ipsec.d folder.
   - The ipsec.secrets file should have an entry as below:

         : RSA responder_key.pem

2. That's it. Now you start strongSwan IPsec on both initiator and responder (this one first) using "ipsec start" or "ipsec start --nofork".
   - You will see that, as configured in strongswan.conf, there will be 10 IKEv2 tunnels established, but of course no IPsec SAs are established, as per the design of the plugin.
   - Also, it did not work for me with PSK (using FQDN) as mentioned in the link below:
     http://wiki.strongswan.org/projects/strongswan/wiki/LoadTests

As far as I understand, there is no need to create another set of certs, CRL, etc.

Regards,
Rajiv

PS: Just as aside info and not really used for the above setup, your steps to create the required certs are wrong. Use the below instead, if you really want to:

for a new root CA:
1. openssl req -new -x509 -config /etc/ssl/openssl.cnf -newkey rsa:1024 -keyout private/cakey.pem -days 3650 -out cacert.pem

for generating a new device cert1:
2. openssl req -new -config /etc/ssl/openssl.cnf -nodes -newkey rsa:1024 -keyout private/host1key.pem -days 730 -out host1CSR.pem

for cert signing by the above root CA:
3. openssl ca -config /etc/ssl/openssl.cnf -policy policy_anything -out certs/host1cert.pem -infiles host1CSR.pem

Now you will need to copy the cacert.pem, host1cert.pem and host1key.pem to the respective locations for the strongSwan configuration. Create another set of host2cert and host2key for the remote host to use. For subjectAltName, it is initially a long procedure to configure openssl.cnf each time for each device cert to include the subjectAltName...

On Thu, Apr 12, 2012 at 4:34 PM, Narendra K A <[email protected]> wrote:
> Hi Everyone,
>
> I am using the strongSwan load tester to load my server. I am trying with
> option initiator_auth=pubkey in the strongswan.conf file. Currently I am trying
> to use the certificate present in the strongSwan load_tester_creds.c file.
> These are the steps I am following.
>
> 1. Copy the certificate in the load_tester_creds.c file to CACERT.pem, and
> place it in the /etc/ipsec.d/cacerts/ directory and also in the /etc/ipsec.d/certs/
> directory as the initiator_cert.pem file.
>
> 2. Copy the private key in the load_tester_creds.c file to PRIKEY.pem and
> place it in the /etc/ipsec.d/private/ directory.
>
> 3. Alter the content of the /etc/ipsec.secrets file as: : RSA PRIKEY.pem
>
> 4. Create a CSR from the server and sign it with the strongSwan CACERT.pem
> and PRIKEY.pem with the following command:
> openssl x509 -req -days 365 -in srv.csr -CA CACERT.pem -CAkey PRIKEY.pem -set_serial 01 -out ServCert.pem
>
> 5. Now, create a CRL with the following command:
> openssl ca -gencrl -keyfile PRIVKEY.pem -cert CACERT.pem -out strcrl.pem -crldays 30
>
> 6. Now IMPORT all of CACERT.pem, ServCert.pem and strcrl.pem on to the
> server.
>
> 7. Initiate the command ipsec start from the client.
>
> After doing all this my server is telling "Certificate not found. !!!!!"
>
> Also, the CSR of the server contains a subjectAltName, but when I extracted
> the information (openssl x509 -text -in ca-cer.pem) from the strongSwan
> certificate IT WAS NOT HAVING a subjectAltName.
>
> Can I somehow add a subjectAltName to the strongSwan certificate? Or can I
> create a CSR from the strongSwan side?
>
> Also, I enabled the detailed logs in ipsec.conf; I can see NO ERRORS in the
> log, but after IKE_SA_INIT I can see strongSwan is sending IKE_AUTH (5
> times, since retransmit_tries=5) and telling "peer not responding". On the
> server side it is telling "Certificate not found !!".
>
> Please help me to solve this problem.
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
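An added example, not part of either mail and not strongSwan's own tooling: a small sh script that builds a root CA and signs a host certificate carrying a subjectAltName by passing a per-host extension file to `openssl x509 -req` at signing time (so openssl.cnf is never edited per device), then runs the checks worth doing before the files are copied into ipsec.d/. It assumes the openssl CLI is installed; WORKDIR, the SAN value and the subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumes the openssl CLI.
# WORKDIR, SAN and the subject names below are constructed placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SAN="${SAN:-DNS:srv.example.org}"   # constructed; use the VPN server's real FQDN

# 1. Self-signed root CA (step 1 of the PS, with -subj so no interactive prompts).
make_root_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/O=strongSwan/OU=load-test/CN=load-test CA" \
        -keyout "$WORKDIR/cakey.pem" -out "$WORKDIR/cacert.pem" 2>/dev/null
}

# 2. Host key and CSR (step 2 of the PS).
make_host_csr() {
    openssl req -new -nodes -newkey rsa:2048 \
        -subj "/O=strongSwan/OU=load-test/CN=srv" \
        -keyout "$WORKDIR/host1key.pem" -out "$WORKDIR/host1CSR.pem" 2>/dev/null
}

# 3. Sign the CSR with the CA. The SAN (and CA:FALSE) is attached at signing
#    time through a tiny per-host extension file, so openssl.cnf stays untouched.
sign_host_cert() {
    printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
        "$SAN" > "$WORKDIR/host1ext.cnf"
    openssl x509 -req -days 730 -in "$WORKDIR/host1CSR.pem" \
        -CA "$WORKDIR/cacert.pem" -CAkey "$WORKDIR/cakey.pem" -CAcreateserial \
        -extfile "$WORKDIR/host1ext.cnf" -out "$WORKDIR/host1cert.pem" 2>/dev/null
}

# Checks before copying into ipsec.d/: does the cert chain to cacert.pem,
# does it really carry the SAN, and does the private key belong to it?
cert_chains_to_ca() {
    openssl verify -CAfile "$WORKDIR/cacert.pem" "$WORKDIR/host1cert.pem" >/dev/null 2>&1
}
cert_has_san() {
    openssl x509 -in "$WORKDIR/host1cert.pem" -noout -text | grep -qF "${SAN#DNS:}"
}
key_matches_cert() {
    [ "$(openssl x509 -noout -modulus -in "$WORKDIR/host1cert.pem")" = \
      "$(openssl rsa -noout -modulus -in "$WORKDIR/host1key.pem" 2>/dev/null)" ]
}

make_root_ca && make_host_csr && sign_host_cert
cert_chains_to_ca && cert_has_san && key_matches_cert \
    && echo "$WORKDIR/host1cert.pem: chain OK, SAN present, key matches"
```

The resulting cacert.pem, host1cert.pem and host1key.pem map onto ipsec.d/cacerts, ipsec.d/certs and ipsec.d/private respectively; repeat the CSR and signing steps with a different SAN for host2.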
