Hi All,

I am using the load tester plugin (strongSwan 5.0.4) to create thousands of IPsec tunnels. I find the tunnel setup rate to be 125-130 tunnels per second. To use ECDH (for an enhanced setup rate), I built strongSwan with the options

    ./configure --prefix /usr --sysconfdir=/etc --enable-openssl --disable-gmp

I think these DH groups are available with strongSwan if enabled with the openssl plugin.

I have configured the IPsec transform sets as follows.

In the conn %default section of ipsec.conf (IKE Responder):

    ike=aes128-sha1-ecp192!

In the load-tester section of strongswan.conf (IKE Initiator):

    proposal = aes128-sha1-ecp192

But when trying to run from the console (using #ipsec start --nofork), the following error message appeared at the IKE initiator end:

    "09[MGR] <load-test|1> tried to check-in and delete nonexisting IKE_SA"

Thereafter I checked the list of registered IKE algorithms and DH groups using #ipsec listalgs and found the following:

    List of registered IKE algorithms:
      dh-group:   MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl]
                  MODP_1536[openssl] MODP_3072[openssl] MODP_4096[openssl]
                  MODP_6144[openssl] MODP_8192[openssl] MODP_1024[openssl]
                  MODP_1024_160[openssl] MODP_768[openssl] MODP_CUSTOM[openssl]
                  MODP_NULL[load-tester]
      random-gen: RNG_STRONG[random] RNG_TRUE[random] RNG_WEAK[openssl]
      nonce-gen:  [nonce]

Similarly, I checked the SSL ciphers supported via the OpenSSL> ciphers command but did not find the elliptic curve Diffie-Hellman group.

I am using Fedora Linux (2.6.33.3-85.fc13.i686) and the version of OpenSSL is 1.0.0d-fips 8 Feb 2011.

Can anyone please suggest how to enable elliptic curve Diffie-Hellman in OpenSSL? Please correct me if I am not on the right track. Please feel free to let me know if I have missed anything.

Thanks in advance for your support and response.

Regards,
Chinmaya
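The check described in the message (is the proposal's DH group among the groups listed by ipsec listalgs?) can be automated. The following is an added example, not part of the original post and not strongSwan code; the function names are hypothetical, the embedded output is the listing quoted above, and the keyword mapping (ecp192 to ECP_192, modp2048 to MODP_2048) is an assumption that covers only plain modp/ecp keywords.

```python
import re

# Sample input: the `ipsec listalgs` excerpt quoted in the message above.
LISTALGS = """List of registered IKE algorithms:
  dh-group: MODP_2048[openssl] MODP_2048_224[openssl] MODP_2048_256[openssl]
    MODP_1536[openssl] MODP_3072[openssl] MODP_4096[openssl] MODP_6144[openssl]
    MODP_8192[openssl] MODP_1024[openssl] MODP_1024_160[openssl] MODP_768[openssl]
    MODP_CUSTOM[openssl] MODP_NULL[load-tester]
  random-gen: RNG_STRONG[random] RNG_TRUE[random] RNG_WEAK[openssl]
  nonce-gen: [nonce]
"""

def registered_dh_groups(listalgs_text):
    """Return {group_name: providing_plugin} from the dh-group section."""
    # The section runs from "dh-group:" to the next lowercase "label:" or EOF.
    section = re.search(r"dh-group:(.*?)(?=\b[a-z][a-z-]*:|\Z)", listalgs_text, re.S)
    if not section:
        return {}
    return dict(re.findall(r"([A-Z0-9_]+)\[([\w-]+)\]", section.group(1)))

def proposal_dh_group(proposal):
    """Map the DH keyword of an IKE proposal to its listalgs name (assumed mapping)."""
    for token in proposal.strip().rstrip("!").split("-"):
        m = re.fullmatch(r"(modp|ecp)(\d+)", token.lower())
        if m:
            return f"{m.group(1).upper()}_{m.group(2)}"
    return None  # proposal carries no plain modp/ecp keyword

def check_proposal(proposal, listalgs_text):
    """Return (group_name, plugin); plugin is None if the group is not registered."""
    group = proposal_dh_group(proposal)
    return group, registered_dh_groups(listalgs_text).get(group)

if __name__ == "__main__":
    for prop in ("aes128-sha1-ecp192!", "aes128-sha1-modp2048"):
        group, plugin = check_proposal(prop, LISTALGS)
        status = f"provided by {plugin}" if plugin else "NOT registered"
        print(f"{prop}: {group} {status}")
```

Run against the listing above, the ecp192 proposal is reported as not registered, which matches the absence of any ECP entry in the dh-group line.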
