charon.plugins.load-tester {}
Section to configure the load-tester plugin, see LOAD TESTS in
- **strongswan.conf**(5)
+ **strongswan.conf**(5) for details.
+charon.plugins.load-tester.addrs {}
+ Section that contains key/value pairs with address pools (in CIDR notation)
+ to use for a specific network interface e.g. eth0 = 10.10.0.0/16.
+
+charon.plugins.load-tester.addrs_keep = no
+ Whether to keep dynamic addresses even after the associated SA got
+ terminated.
+
+charon.plugins.load-tester.addrs_prefix = 16
+ Network prefix length to use when installing dynamic addresses.
+ If set to -1 the full address is used (i.e. 32 or 128).
+
+charon.plugins.load-tester.ca_dir =
+ Directory to load (intermediate) CA certificates from.
+
+charon.plugins.load-tester.child_rekey = 600
+ Seconds to start CHILD_SA rekeying after setup.
+
+charon.plugins.load-tester.delay = 0
+ Delay between initiatons for each thread.
+
+charon.plugins.load-tester.delete_after_established = no
+ Delete an IKE_SA as soon as it has been established.
+
+charon.plugins.load-tester.digest = sha1
+ Digest algorithm used when issuing certificates.
+
+charon.plugins.load-tester.dpd_delay = 0
+ DPD delay to use in load test.
+
+charon.plugins.load-tester.dynamic_port = 0
+ Base port to be used for requests (each client uses a different port).
+
+charon.plugins.load-tester.eap_password = default-pwd
+ EAP secret to use in load test.
+
+charon.plugins.load-tester.enable = no
+ Enable the load testing plugin. **WARNING**: Never enable this plugin on
+ productive systems. It provides preconfigured credentials and allows an
+ attacker to authenticate as any user.
+
+charon.plugins.load-tester.esp = aes128-sha1
+ CHILD_SA proposal to use for load tests.
+
+charon.plugins.load-tester.fake_kernel = no
+ Fake the kernel interface to allow load-testing against self.
+
+charon.plugins.load-tester.ike_rekey = 0
+ Seconds to start IKE_SA rekeying after setup.
+
+charon.plugins.load-tester.init_limit = 0
+ Global limit of concurrently established SAs during load test.
+
+charon.plugins.load-tester.initiator = 0.0.0.0
+ Address to initiate from.
+
+charon.plugins.load-tester.initiators = 0
+ Number of concurrent initiator threads to use in load test.
+
+charon.plugins.load-tester.initiator_auth = pubkey
+ Authentication method(s) the intiator uses.
+
+charon.plugins.load-tester.initiator_id =
+ Initiator ID used in load test.
+
+charon.plugins.load-tester.initiator_match =
+ Initiator ID to match against as responder.
+
+charon.plugins.load-tester.initiator_tsi =
+ Traffic selector on initiator side, as proposed by initiator.
+
+charon.plugins.load-tester.initiator_tsr =
+ Traffic selector on responder side, as proposed by initiator.
+
+charon.plugins.load-tester.iterations = 1
+ Number of IKE_SAs to initiate by each initiator in load test.
+
+charon.plugins.load-tester.issuer_cert =
+ Path to the issuer certificate (if not configured a hard-coded default value
+ is used).
+
+charon.plugins.load-tester.issuer_key =
+ Path to private key that is used to issue certificates (if not configured a
+ hard-coded default value is used).
+
+charon.plugins.load-tester.mode = tunnel
+ IPsec mode to use, one of _tunnel_, _transport_, or _beet_.
+
+charon.plugins.load-tester.pool =
+ Provide INTERNAL_IPV4_ADDRs from a named pool.
+
+charon.plugins.load-tester.preshared_key = <default-psk>
+ Preshared key to use in load test.
+
+charon.plugins.load-tester.proposal = aes128-sha1-modp768
+ IKE proposal to use in load test.
+
+charon.plugins.load-tester.responder = 127.0.0.1
+ Address to initiation connections to.
+
+charon.plugins.load-tester.responder_auth = pubkey
+ Authentication method(s) the responder uses.
+
+charon.plugins.load-tester.responder_id =
+ Responder ID used in load test.
+
+charon.plugins.load-tester.responder_tsi = initiator_tsi
+ Traffic selector on initiator side, as narrowed by responder.
+
+charon.plugins.load-tester.responder_tsr = initiator_tsr
+ Traffic selector on responder side, as narrowed by responder.
+
+charon.plugins.load-tester.request_virtual_ip = no
+ Request an INTERNAL_IPV4_ADDR from the server.
+
+charon.plugins.load-tester.shutdown_when_complete = no
+ Shutdown the daemon after all IKE_SAs have been established.
+
+charon.plugins.load-tester.socket = unix://${piddir}/charon.ldt
+ Socket provided by the load-tester plugin.
+
+charon.plugins.load-tester.version = 0
+ IKE version to use (0 means use IKEv2 as initiator and accept any version as
+ responder).
it within 30 seconds. Under high load, a higher value might be required.
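Review bot: the option descriptions moved into the new entries carry the old man page's typos with them: `delay` reads "Delay between initiatons", `initiator_auth` reads "the intiator uses", and `responder` reads "Address to initiation connections to"; since every one of these lines is new text in this hunk, fix them to "initiations", "initiator" and "Address to initiate connections to" now rather than in a follow-up. The `preshared_key` default is given as `<default-psk>` where the entry it replaces showed `[default-psk]`; if the angle brackets mark a placeholder they should be explained, otherwise drop them so the documented default is the literal key the plugin uses. Moving the "Never enable this plugin on productive systems" WARNING into the `enable` entry is the right call, since that is the line a reader sees when turning the plugin on, and it is consistent with the hard-coded `eap_password`, `preshared_key` and issuer key defaults listed in the same block.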
.SH LOAD TESTS
-To do stability testing and performance optimizations, the IKEv2 daemon charon
-provides the load-tester plugin. This plugin allows one to setup thousands of
-tunnels concurrently against the daemon itself or a remote host.
+To do stability testing and performance optimizations, the IKE daemon charon
+provides the \fIload-tester\fR plugin. This plugin allows one to setup thousands
+of tunnels concurrently against the daemon itself or a remote host.
.PP
.B WARNING:
Never enable the load-testing plugin on productive systems. It provides
preconfigured credentials and allows an attacker to authenticate as any user.
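Review bot: "allows one to setup thousands of tunnels" in the reflowed sentence should be "set up" (verb, two words); the hunk rewrites this line anyway, so the fix is free. The change from "IKEv2 daemon" to "IKE daemon" matches the `version` option, whose default accepts any IKE version as responder, so that part reads correctly.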
-.SS Options
-.TP
-.BR charon.plugins.load-tester.addrs
-Subsection that contains key/value pairs with address pools (in CIDR notation)
-to use for a specific network interface e.g. eth0 = 10.10.0.0/16
-.TP
-.BR charon.plugins.load-tester.addrs_keep " [no]"
-Whether to keep dynamic addresses even after the associated SA got terminated
-.TP
-.BR charon.plugins.load-tester.addrs_prefix " [16]"
-Network prefix length to use when installing dynamic addresses. If set to -1 the
-full address is used (i.e. 32 or 128)
-.TP
-.BR charon.plugins.load-tester.ca_dir
-Directory to load (intermediate) CA certificates from
-.TP
-.BR charon.plugins.load-tester.child_rekey " [600]"
-Seconds to start CHILD_SA rekeying after setup
-.TP
-.BR charon.plugins.load-tester.delay " [0]"
-Delay between initiatons for each thread
-.TP
-.BR charon.plugins.load-tester.delete_after_established " [no]"
-Delete an IKE_SA as soon as it has been established
-.TP
-.BR charon.plugins.load-tester.digest " [sha1]"
-Digest algorithm used when issuing certificates
-.TP
-.BR charon.plugins.load-tester.dpd_delay " [0]"
-DPD delay to use in load test
-.TP
-.BR charon.plugins.load-tester.dynamic_port " [0]"
-Base port to be used for requests (each client uses a different port)
-.TP
-.BR charon.plugins.load-tester.eap_password " [default-pwd]"
-EAP secret to use in load test
-.TP
-.BR charon.plugins.load-tester.enable " [no]"
-Enable the load testing plugin
-.TP
-.BR charon.plugins.load-tester.esp " [aes128-sha1]"
-CHILD_SA proposal to use for load tests
-.TP
-.BR charon.plugins.load-tester.fake_kernel " [no]"
-Fake the kernel interface to allow load-testing against self
-.TP
-.BR charon.plugins.load-tester.ike_rekey " [0]"
-Seconds to start IKE_SA rekeying after setup
-.TP
-.BR charon.plugins.load-tester.init_limit " [0]"
-Global limit of concurrently established SAs during load test
-.TP
-.BR charon.plugins.load-tester.initiator " [0.0.0.0]"
-Address to initiate from
-.TP
-.BR charon.plugins.load-tester.initiators " [0]"
-Number of concurrent initiator threads to use in load test
-.TP
-.BR charon.plugins.load-tester.initiator_auth " [pubkey]"
-Authentication method(s) the intiator uses
-.TP
-.BR charon.plugins.load-tester.initiator_id
-Initiator ID used in load test
-.TP
-.BR charon.plugins.load-tester.initiator_match
-Initiator ID to match against as responder
-.TP
-.BR charon.plugins.load-tester.initiator_tsi
-Traffic selector on initiator side, as proposed by initiator
-.TP
-.BR charon.plugins.load-tester.initiator_tsr
-Traffic selector on responder side, as proposed by initiator
-.TP
-.BR charon.plugins.load-tester.iterations " [1]"
-Number of IKE_SAs to initiate by each initiator in load test
-.TP
-.BR charon.plugins.load-tester.issuer_cert
-Path to the issuer certificate (if not configured a hard-coded value is used)
-.TP
-.BR charon.plugins.load-tester.issuer_key
-Path to private key that is used to issue certificates (if not configured a
-hard-coded value is used)
-.TP
-.BR charon.plugins.load-tester.mode " [tunnel]"
-IPsec mode to use, one of \fBtunnel\fR, \fBtransport\fR, or \fBbeet\fR.
-.TP
-.BR charon.plugins.load-tester.pool
-Provide INTERNAL_IPV4_ADDRs from a named pool
-.TP
-.BR charon.plugins.load-tester.preshared_key " [default-psk]"
-Preshared key to use in load test
-.TP
-.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]"
-IKE proposal to use in load test
-.TP
-.BR charon.plugins.load-tester.responder " [127.0.0.1]"
-Address to initiation connections to
-.TP
-.BR charon.plugins.load-tester.responder_auth " [pubkey]"
-Authentication method(s) the responder uses
-.TP
-.BR charon.plugins.load-tester.responder_id
-Responder ID used in load test
-.TP
-.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]"
-Traffic selector on initiator side, as narrowed by responder
-.TP
-.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]"
-Traffic selector on responder side, as narrowed by responder
-.TP
-.BR charon.plugins.load-tester.request_virtual_ip " [no]"
-Request an INTERNAL_IPV4_ADDR from the server
-.TP
-.BR charon.plugins.load-tester.shutdown_when_complete " [no]"
-Shutdown the daemon after all IKE_SAs have been established
-.TP
-.BR charon.plugins.load-tester.socket " [unix://@piddir@/charon.ldt]"
-Socket provided by the load-tester plugin
-.TP
-.BR charon.plugins.load-tester.version " [0]"
-IKE version to use (0 means use IKEv2 as initiator and accept any version as
-responder)
.PP
.SS Configuration details
For public key authentication, the responder uses the
in the form
.BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" ,
where the first number inidicates the client number, the second the
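Review bot: with the whole `.SS Options` block removed, the `.PP` that now sits directly before `.SS Configuration details` no longer separates anything (it used to follow the last `.TP` entry) and should go too. The removal itself is complete: every option from `addrs` through `version` has a counterpart in the new option entries, including the `socket` default, where `@piddir@` becomes `${piddir}`. What is missing is a pointer from this section to wherever the option reference now lives, since the text below goes on to reference settings such as `initiator_auth` and `proposal` by name. While here, "inidicates" in the unchanged line just above ("where the first number inidicates the client number") is a typo the next change edits around but does not fix.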
-authentication round (if multiple authentication is used).
+authentication round (if multiple authentication rounds are used).
.PP
For PSK authentication, FQDN identities are used. The server uses
.BR srv.strongswan.org ,
For EAP authentication, the client uses a NAI in the form
.BR 100000000010001@strongswan.org .
.PP
-To configure multiple authentication, concatenate multiple methods using, e.g.
+To configure multiple authentication rounds, concatenate multiple methods using,
+e.g.
.EX
initiator_auth = pubkey|psk|eap-md5|eap-aka
.EE
authenticate all clients.
.PP
To speed up testing, the load tester plugin implements a special Diffie-Hellman
-implementation called modpnull. By setting
+implementation called \fImodpnull\fR. By setting
.EX
proposal = aes128-sha1-modpnull
.EE
In the simplest case, the daemon initiates IKE_SAs against itself using the
loopback interface. This will actually establish double the number of IKE_SAs,
as the daemon is initiator and responder for each IKE_SA at the same time.
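Review bot: italicising \fImodpnull\fR is fine, but now that the options list with its warnings is gone from this section, the paragraph should say in words that modpnull, as the name suggests, performs no real Diffie-Hellman exchange and so gives the IKE_SA no key secrecy; a proposal containing it belongs only in a load-test setup, in the same spirit as the WARNING at the top of the section. As written, "To speed up testing ... By setting proposal = aes128-sha1-modpnull" states the benefit without the cost.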
-Installation of IPsec SAs would fails, as each SA gets installed twice. To
+Installation of IPsec SAs would fail, as each SA gets installed twice. To
simulate the correct behavior, a fake kernel interface can be enabled which does
not install the IPsec SAs at the kernel level.
.PP
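Review bot: the grammar fix ("would fail") is correct, but "a fake kernel interface can be enabled" is now the only mention of this feature in the section, since the option list that named it has been removed; state explicitly that this is `fake_kernel = yes` so the reader can find the setting and understands that it is what makes the loopback self-test work without installing each SA twice.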