Hello Noel

Yes, I agree, ideally and in production/live deployments of the IPsec gateways, we will need to use different/unique certificates for each tunnel that is established. But when you want to validate your IPsec gateway for multiple concurrent tunnels.. say 1000 IKEv1/IKEv2 IPsec tunnels.... and if you have to use certs for the IKE auth, then it becomes very cumbersome to create 1000 certs (with different IDs, preferably certs with different subjectAltNames, etc.)....so I generally test with 1 device cert on each GW, set uniqueids=no and bring up all those tunnels as required.

>>> Why do you want that many IKE_SAs? For throughput testing, you only need many CHILD_SAs

You are right. We will use only IPsec-SAs/CHILD_SAs for throughput tests... But I am configuring with multiple IKE_SAs too for testing the tunnel capacity that the DUT (running strongSwan) can sustain (just as with the load-tester plugin method... but here I get to transfer continuous traffic too via each of the tunnels established), and also to run some tests to ascertain "tunnels/second", etc. Also, if you have to get your platforms/DUT IPsec-certified (by the IPsec labs, etc.)... as per their formula/standard, 1 IPsec tunnel = 1 IKE_SA pair + 1 CHILD_SA pair.

thank you so much
regards
Rajiv

On Tue, Jan 16, 2018 at 11:28 PM, Noel Kuntze <[email protected]> wrote:
> Hi,
>
> > I agree with Certificates you will need to set "uniqueids=no"...and use the same set of certs for each tunnel..
>
> No, just use different certificates and different IDs. It's not any different with PSKs, for example.
> I already did that by scripting with python.
>
> Why do you want that many IKE_SAs? For throughput testing, you only need many CHILD_SAs.
>
> Kind regards
>
> Noel
>
> On 15.01.2018 18:35, Rajiv Kulkarni wrote:
> > Hi
> >
> > Actually it works when using PSK, without setting "uniqueids=no".. it could continue to be the default "uniqueids=yes", which is implicit.. because you need each tunnel to have unique IDs for separation.
> >
> > I agree with certificates you will need to set "uniqueids=no"... and use the same set of certs for each tunnel..
> >
> > So say you have a setup as below:
> >
> > (multiple-subnets)-----(Lan)[GW1](Wan)====(Wan)[GW2](Lan)-----(multiple-subnets)
> >
> > Note: It's imperative and a must that you define the default-gw IP address (as the remote-gw WAN IP address) on each of GW1 and GW2... even though they may be connected back-to-back and may have IP addresses in the same subnet...
> >
> > In my case I configured 1000 tunnels (1 tunnel = 1 IKE_SA pair, 2 IPsec-SA pairs) between GW1 and GW2 using the same single WAN IP address.
> >
> > I did it successfully by ensuring that each connection entry in the ipsec.conf file has a unique set of left/right IDs and therefore a corresponding set of PSKs in the ipsec.secrets file.
> >
> > I also successfully sent continuous traffic through each of the 1000 tunnels (in fact I triggered the tunnels to get established by sending traffic hitting each of the IPsec policies...) using tools like Spirent TC/Ixia.... start by sending about 100KB of traffic for each of the subnet pairs... and once all the tunnels are established.. you may increase the traffic load as per your setup requirements.
> >
> > Please find attached the sample config files for both GW1 and GW2 for the 1000 tunnels (please rename the files to ipsec.conf/ipsec.secrets on the respective GWs).
> >
> > Hope this helps
> >
> > thanks & regards
> > Rajiv
> >
> > On Thu, Jan 11, 2018 at 5:26 PM, Noel Kuntze <[email protected]> wrote:
> >
> >     Hi,
> >
> >     Set uniqueids = no in config setup.
> >     Better, use swanctl.conf with swanctl. There, you can set it per conn and not globally.
> >
> >     Kind regards
> >
> >     Noel
> >
> >     On 06.01.2018 01:15, Jun Hu wrote:
> > > Hi,
> > > Does strongSwan support multiple IKE SAs (each with its own CHILD_SA) between a single pair of addresses?
> > > It seems strongSwan only allows one IKE SA per pair of addresses.
> > >
> > > I am using strongSwan 5.5.0, inter-op with an IKEv2 client that I wrote (for learning purposes); my client is the tunnel initiator. When I only create one IKE SA (along with one CHILD_SA), everything is good;
> > > but when my client tries to create a 2nd CHILD_SA (using IKE_SA_INIT and IKE_AUTH exchanges, not rekey) using the same addresses, the 2nd IKE and CHILD SA are created successfully at the beginning, but after a few seconds strongSwan sends a delete msg to delete the 1st IKE_SA.
> > >
> > > I also tried to set charon.reuse_ikesa to no, but same result.
> > >
> > > I checked the strongSwan logs; they don't say why it deletes the 1st IKE SA:
> > > root@vm-svr:/usr/local/etc# ipsec status
> > > Security Associations (2 up, 0 connecting):
> > >          l2l[2]: ESTABLISHED 9 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> > >          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
> > >          l2l{2}:   10.10.10.1/32 === 1.1.1.2/32
> > >          l2l[1]: ESTABLISHED 19 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> > >          l2l{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ca5a49fd_i 617a4971_o
> > >          l2l{1}:   10.10.10.1/32 === 1.1.1.1/32
> > > root@vm-svr:/usr/local/etc# ipsec status
> > > Security Associations (1 up, 0 connecting):
> > >          l2l[2]: ESTABLISHED 10 seconds ago, 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> > >          l2l{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1aab5fc_i 3f174706_o
> > >          l2l{2}:   10.10.10.1/32 === 1.1.1.2/32
> > >
> > > part of the log:
> > > .....
> > > Jan 5 15:50:21 06[MGR] <l2l|2> checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> > > Jan 5 15:50:21 06[MGR] <l2l|2> IKE_SA l2l[1] successfully checked out
> > > Jan 5 15:50:21 06[MGR] <l2l|1> checkin IKE_SA l2l[1]
> > > Jan 5 15:50:21 06[MGR] <l2l|1> checkin of IKE_SA successful
> > > Jan 5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] established between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> > > Jan 5 15:50:21 06[IKE] <l2l|2> IKE_SA l2l[2] state change: CONNECTING => ESTABLISHED
> > > Jan 5 15:50:21 06[IKE] <l2l|2> scheduling rekeying in 490s
> > > Jan 5 15:50:21 06[IKE] <l2l|2> maximum IKE_SA lifetime 500s
> > > Jan 5 15:50:21 06[KNL] <l2l|2> got SPI c1aab5fc
> > > Jan 5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI c1aab5fc and reqid {2}
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using encryption algorithm AES_CBC with key size 128
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using integrity algorithm HMAC_SHA1_96 with key size 160
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using replay window of 32 packets
> > > Jan 5 15:50:21 06[KNL] <l2l|2> adding SAD entry with SPI 3f174706 and reqid {2}
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using encryption algorithm AES_CBC with key size 128
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using integrity algorithm HMAC_SHA1_96 with key size 160
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using replay window of 0 packets
> > > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 383616, refcount 1]
> > > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 383616, refcount 1]
> > > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 383616, refcount 1]
> > > Jan 5 15:50:21 06[KNL] <l2l|2> adding policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 383616, refcount 1]
> > > Jan 5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 out already exists, increasing refcount
> > > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 out [priority 183616, refcount 2]
> > > Jan 5 15:50:21 06[KNL] <l2l|2> getting a local address in traffic selector 10.10.10.1/32
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using host 10.10.10.1
> > > Jan 5 15:50:21 06[KNL] <l2l|2> getting iface name for index 4
> > > Jan 5 15:50:21 06[KNL] <l2l|2> using 10.10.10.20 as nexthop and eth2 as dev to reach 10.10.10.20/32
> > > Jan 5 15:50:21 06[KNL] <l2l|2> installing route: 1.1.1.2/32 via 10.10.10.20 src 10.10.10.1 dev eth2
> > > Jan 5 15:50:21 06[KNL] <l2l|2> getting iface index for eth2
> > > Jan 5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 in already exists, increasing refcount
> > > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 in [priority 183616, refcount 2]
> > > Jan 5 15:50:21 06[KNL] <l2l|2> policy 1.1.1.2/32 === 10.10.10.1/32 fwd already exists, increasing refcount
> > > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 1.1.1.2/32 === 10.10.10.1/32 fwd [priority 183616, refcount 2]
> > > Jan 5 15:50:21 06[KNL] <l2l|2> policy 10.10.10.1/32 === 1.1.1.2/32 fwd already exists, increasing refcount
> > > Jan 5 15:50:21 06[KNL] <l2l|2> updating policy 10.10.10.1/32 === 1.1.1.2/32 fwd [priority 283616, refcount 2]
> > > Jan 5 15:50:21 06[IKE] <l2l|2> CHILD_SA l2l{2} established with SPIs c1aab5fc_i 3f174706_o and TS 10.10.10.1/32 === 1.1.1.2/32
> > > Jan 5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI c1aab5fc
> > > Jan 5 15:50:21 06[KNL] <l2l|2> querying SAD entry with SPI 3f174706
> > > Jan 5 15:50:21 06[KNL] <l2l|2> 10.10.10.1 is on interface eth2
> > > Jan 5 15:50:21 06[ENC] <l2l|2> generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
> > > Jan 5 15:50:21 06[NET] <l2l|2> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (204 bytes)
> > > Jan 5 15:50:21 06[MGR] <l2l|2> checkin IKE_SA l2l[2]
> > > Jan 5 15:50:21 06[MGR] <l2l|2> checkin of IKE_SA successful
> > > Jan 5 15:50:31 05[MGR] checkout IKEv2 SA with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> > > Jan 5 15:50:31 05[MGR] IKE_SA l2l[1] successfully checked out
> > > Jan 5 15:50:31 05[IKE] <l2l|1> queueing IKE_DELETE task
> > > Jan 5 15:50:31 05[IKE] <l2l|1> activating new tasks
> > > Jan 5 15:50:31 05[IKE] <l2l|1> activating IKE_DELETE task
> > > Jan 5 15:50:31 05[IKE] <l2l|1> deleting IKE_SA l2l[1] between 10.10.10.1[10.10.10.1]...10.10.10.20[1.1.1.1]
> > > Jan 5 15:50:31 05[IKE] <l2l|1> IKE_SA l2l[1] state change: ESTABLISHED => DELETING
> > > Jan 5 15:50:31 05[IKE] <l2l|1> sending DELETE for IKE_SA l2l[1]
> > > Jan 5 15:50:31 05[ENC] <l2l|1> generating INFORMATIONAL request 0 [ D ]
> > > Jan 5 15:50:31 05[NET] <l2l|1> sending packet: from 10.10.10.1[500] to 10.10.10.20[500] (76 bytes)
> > > Jan 5 15:50:31 05[MGR] <l2l|1> checkin IKE_SA l2l[1]
> > > Jan 5 15:50:31 05[MGR] <l2l|1> checkin of IKE_SA successful
> > > Jan 5 15:50:31 13[MGR] checkout IKEv2 SA by message with SPIs 2c79130e38a24598_i c530ad0d0f1a47f0_r
> > > Jan 5 15:50:31 13[MGR] IKE_SA l2l[1] successfully checked out
> > >
> > > ===ipsec.conf===
> > > conn %default
> > >     keyexchange=ikev2
> > >     mobike = no
> > >     reauth=no
> > >
> > > conn l2l
> > >     ikelifetime=500s
> > >     margintime=10s
> > >     rekeyfuzz=0%
> > >     ike=aes128-sha1-modp2048!
> > >     esp=aes128-sha1
> > >     authby=psk
> > >     leftfirewall=yes
> > >     rightsubnet=1.0.0.0/8
> > >     auto=add
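The thread settles on two points: give every tunnel its own pair of IKE identities with a matching PSK (Rajiv's 1000-conn ipsec.conf, which Noel scripted in Python), and, if the same IDs must be reused, disable uniqueness per connection in swanctl.conf rather than globally with uniqueids=no. The generator below is an added example written for this page, not the attached config files or any strongSwan code; the gateway addresses, the gw1-N.lab/gw2-N.lab identities and the 10.x/172.x subnet plan are constructed lab values, and the swanctl.conf keys (`unique`, `start_action = trap`, `secrets.ike-N`) are the documented ones.

```python
import secrets

# Constructed lab values: both gateways share one WAN address pair, tunnel i carries
# 10.A.B.0/24 <-> 172.(16+A).B.0/24 with A = i // 256, B = i % 256 (no octet overflow at 1000).
LOCAL_WAN = "10.10.10.1"
REMOTE_WAN = "10.10.10.20"

def subnet(first: int, second_base: int, i: int) -> str:
    """Derive the i-th /24 of a subnet pair so 1000 tunnels fit in two address blocks."""
    return f"{first}.{second_base + i // 256}.{i % 256}.0/24"

def tunnel(i: int) -> list[str]:
    """One swanctl connection: its own IKE IDs, its own IKE_SA, uniqueness relaxed per conn."""
    lid, rid = f"gw1-{i}.lab", f"gw2-{i}.lab"   # unique left/right IDs (constructed FQDNs)
    return [
        f"    tun-{i} {{",
        f"        local_addrs = {LOCAL_WAN}",
        f"        remote_addrs = {REMOTE_WAN}",
        "        version = 2",
        "        unique = never",   # per-conn form of uniqueids=no; 'never' also ignores INITIAL_CONTACT
        "        local {", "            auth = psk", f"            id = {lid}", "        }",
        "        remote {", "            auth = psk", f"            id = {rid}", "        }",
        "        children {", f"            net-{i} {{",
        f"                local_ts = {subnet(10, 0, i)}",
        f"                remote_ts = {subnet(172, 16, i)}",
        "                start_action = trap",   # trap policy: first packet brings the tunnel up
        "            }", "        }", "    }",
    ]

def psk_entry(i: int, psk: str) -> list[str]:
    # The PSK is bound to exactly this ID pair, mirroring one ipsec.secrets line per conn.
    return [f"    ike-{i} {{", f"        id-1 = gw1-{i}.lab", f"        id-2 = gw2-{i}.lab",
            f"        secret = {psk}", "    }"]

def render_swanctl_conf(n: int, psk_for=None) -> str:
    """Render connections{} and secrets{} for n tunnels; psk_for(i) can be injected for tests."""
    psk_for = psk_for or (lambda i: secrets.token_hex(32))   # fresh 256-bit PSK per tunnel
    out = ["connections {"]
    for i in range(1, n + 1):
        out += tunnel(i)
    out += ["}", "", "secrets {"]
    for i in range(1, n + 1):
        out += psk_entry(i, psk_for(i))
    out.append("}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_swanctl_conf(1000))   # write to /etc/swanctl/swanctl.conf, then: swanctl --load-all
```

Run it on both gateways with the local/remote values, IDs and subnet roles swapped, and use the same generated secrets on both sides.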
