From: Tobias Brunner Date: Thu, 6 Feb 2014 15:00:20 +0000 (+0100) Subject: conf: Move load-tester options to plugin specific file X-Git-Tag: 5.1.2rc1~7^2~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc380b175d56085852875b450303468d2839e9be;p=thirdparty%2Fstrongswan.git conf: Move load-tester options to plugin specific file --- diff --git a/conf/plugins/load-tester.opt b/conf/plugins/load-tester.opt index 6f6cbafc35..7afe326185 100644 --- a/conf/plugins/load-tester.opt +++ b/conf/plugins/load-tester.opt 
@@ -1,4 +1,128 @@ charon.plugins.load-tester {} Section to configure the load-tester plugin, see LOAD TESTS in - **strongswan.conf**(5) + **strongswan.conf**(5) for details. +charon.plugins.load-tester.addrs {} + Section that contains key/value pairs with address pools (in CIDR notation) + to use for a specific network interface e.g. eth0 = 10.10.0.0/16. + +charon.plugins.load-tester.addrs_keep = no + Whether to keep dynamic addresses even after the associated SA got + terminated. + +charon.plugins.load-tester.addrs_prefix = 16 + Network prefix length to use when installing dynamic addresses. + If set to -1 the full address is used (i.e. 32 or 128). + +charon.plugins.load-tester.ca_dir = + Directory to load (intermediate) CA certificates from. + +charon.plugins.load-tester.child_rekey = 600 + Seconds to start CHILD_SA rekeying after setup. + +charon.plugins.load-tester.delay = 0 + Delay between initiatons for each thread. + +charon.plugins.load-tester.delete_after_established = no + Delete an IKE_SA as soon as it has been established. + +charon.plugins.load-tester.digest = sha1 + Digest algorithm used when issuing certificates. + +charon.plugins.load-tester.dpd_delay = 0 + DPD delay to use in load test. + +charon.plugins.load-tester.dynamic_port = 0 + Base port to be used for requests (each client uses a different port). + +charon.plugins.load-tester.eap_password = default-pwd + EAP secret to use in load test. + +charon.plugins.load-tester.enable = no + Enable the load testing plugin. **WARNING**: Never enable this plugin on + productive systems. It provides preconfigured credentials and allows an + attacker to authenticate as any user. + +charon.plugins.load-tester.esp = aes128-sha1 + CHILD_SA proposal to use for load tests. + +charon.plugins.load-tester.fake_kernel = no + Fake the kernel interface to allow load-testing against self. + +charon.plugins.load-tester.ike_rekey = 0 + Seconds to start IKE_SA rekeying after setup. 
+ +charon.plugins.load-tester.init_limit = 0 + Global limit of concurrently established SAs during load test. + +charon.plugins.load-tester.initiator = 0.0.0.0 + Address to initiate from. + +charon.plugins.load-tester.initiators = 0 + Number of concurrent initiator threads to use in load test. + +charon.plugins.load-tester.initiator_auth = pubkey + Authentication method(s) the intiator uses. + +charon.plugins.load-tester.initiator_id = + Initiator ID used in load test. + +charon.plugins.load-tester.initiator_match = + Initiator ID to match against as responder. + +charon.plugins.load-tester.initiator_tsi = + Traffic selector on initiator side, as proposed by initiator. + +charon.plugins.load-tester.initiator_tsr = + Traffic selector on responder side, as proposed by initiator. + +charon.plugins.load-tester.iterations = 1 + Number of IKE_SAs to initiate by each initiator in load test. + +charon.plugins.load-tester.issuer_cert = + Path to the issuer certificate (if not configured a hard-coded default value + is used). + +charon.plugins.load-tester.issuer_key = + Path to private key that is used to issue certificates (if not configured a + hard-coded default value is used). + +charon.plugins.load-tester.mode = tunnel + IPsec mode to use, one of _tunnel_, _transport_, or _beet_. + +charon.plugins.load-tester.pool = + Provide INTERNAL_IPV4_ADDRs from a named pool. + +charon.plugins.load-tester.preshared_key = + Preshared key to use in load test. + +charon.plugins.load-tester.proposal = aes128-sha1-modp768 + IKE proposal to use in load test. + +charon.plugins.load-tester.responder = 127.0.0.1 + Address to initiation connections to. + +charon.plugins.load-tester.responder_auth = pubkey + Authentication method(s) the responder uses. + +charon.plugins.load-tester.responder_id = + Responder ID used in load test. + +charon.plugins.load-tester.responder_tsi = initiator_tsi + Traffic selector on initiator side, as narrowed by responder. 
+ +charon.plugins.load-tester.responder_tsr = initiator_tsr + Traffic selector on responder side, as narrowed by responder. + +charon.plugins.load-tester.request_virtual_ip = no + Request an INTERNAL_IPV4_ADDR from the server. + +charon.plugins.load-tester.shutdown_when_complete = no + Shutdown the daemon after all IKE_SAs have been established. + +charon.plugins.load-tester.socket = unix://${piddir}/charon.ldt + Socket provided by the load-tester plugin. + +charon.plugins.load-tester.version = 0 + IKE version to use (0 means use IKEv2 as initiator and accept any version as + responder). diff --git a/conf/strongswan.conf.5.tail.in b/conf/strongswan.conf.5.tail.in index 8470120bcb..971dab7f1c 100644 --- a/conf/strongswan.conf.5.tail.in +++ b/conf/strongswan.conf.5.tail.in 
@@ -276,135 +276,13 @@ A responder, by default, deletes an IKE_SA if the initiator does not establish it within 30 seconds. Under high load, a higher value might be required. .SH LOAD TESTS -To do stability testing and performance optimizations, the IKEv2 daemon charon -provides the load-tester plugin. This plugin allows one to setup thousands of -tunnels concurrently against the daemon itself or a remote host. +To do stability testing and performance optimizations, the IKE daemon charon +provides the \fIload-tester\fR plugin. This plugin allows one to setup thousands +of tunnels concurrently against the daemon itself or a remote host. .PP .B WARNING: Never enable the load-testing plugin on productive systems. It provides preconfigured credentials and allows an attacker to authenticate as any user. -.SS Options -.TP -.BR charon.plugins.load-tester.addrs -Subsection that contains key/value pairs with address pools (in CIDR notation) -to use for a specific network interface e.g. eth0 = 10.10.0.0/16 -.TP -.BR charon.plugins.load-tester.addrs_keep " [no]" -Whether to keep dynamic addresses even after the associated SA got terminated -.TP -.BR charon.plugins.load-tester.addrs_prefix " [16]" -Network prefix length to use when installing dynamic addresses. If set to -1 the -full address is used (i.e. 
32 or 128) -.TP -.BR charon.plugins.load-tester.ca_dir -Directory to load (intermediate) CA certificates from -.TP -.BR charon.plugins.load-tester.child_rekey " [600]" -Seconds to start CHILD_SA rekeying after setup -.TP -.BR charon.plugins.load-tester.delay " [0]" -Delay between initiatons for each thread -.TP -.BR charon.plugins.load-tester.delete_after_established " [no]" -Delete an IKE_SA as soon as it has been established -.TP -.BR charon.plugins.load-tester.digest " [sha1]" -Digest algorithm used when issuing certificates -.TP -.BR charon.plugins.load-tester.dpd_delay " [0]" -DPD delay to use in load test -.TP -.BR charon.plugins.load-tester.dynamic_port " [0]" -Base port to be used for requests (each client uses a different port) -.TP -.BR charon.plugins.load-tester.eap_password " [default-pwd]" -EAP secret to use in load test -.TP -.BR charon.plugins.load-tester.enable " [no]" -Enable the load testing plugin -.TP -.BR charon.plugins.load-tester.esp " [aes128-sha1]" -CHILD_SA proposal to use for load tests -.TP -.BR charon.plugins.load-tester.fake_kernel " [no]" -Fake the kernel interface to allow load-testing against self -.TP -.BR charon.plugins.load-tester.ike_rekey " [0]" -Seconds to start IKE_SA rekeying after setup -.TP -.BR charon.plugins.load-tester.init_limit " [0]" -Global limit of concurrently established SAs during load test -.TP -.BR charon.plugins.load-tester.initiator " [0.0.0.0]" -Address to initiate from -.TP -.BR charon.plugins.load-tester.initiators " [0]" -Number of concurrent initiator threads to use in load test -.TP -.BR charon.plugins.load-tester.initiator_auth " [pubkey]" -Authentication method(s) the intiator uses -.TP -.BR charon.plugins.load-tester.initiator_id -Initiator ID used in load test -.TP -.BR charon.plugins.load-tester.initiator_match -Initiator ID to match against as responder -.TP -.BR charon.plugins.load-tester.initiator_tsi -Traffic selector on initiator side, as proposed by initiator -.TP -.BR 
charon.plugins.load-tester.initiator_tsr -Traffic selector on responder side, as proposed by initiator -.TP -.BR charon.plugins.load-tester.iterations " [1]" -Number of IKE_SAs to initiate by each initiator in load test -.TP -.BR charon.plugins.load-tester.issuer_cert -Path to the issuer certificate (if not configured a hard-coded value is used) -.TP -.BR charon.plugins.load-tester.issuer_key -Path to private key that is used to issue certificates (if not configured a -hard-coded value is used) -.TP -.BR charon.plugins.load-tester.mode " [tunnel]" -IPsec mode to use, one of \fBtunnel\fR, \fBtransport\fR, or \fBbeet\fR. -.TP -.BR charon.plugins.load-tester.pool -Provide INTERNAL_IPV4_ADDRs from a named pool -.TP -.BR charon.plugins.load-tester.preshared_key " [default-psk]" -Preshared key to use in load test -.TP -.BR charon.plugins.load-tester.proposal " [aes128-sha1-modp768]" -IKE proposal to use in load test -.TP -.BR charon.plugins.load-tester.responder " [127.0.0.1]" -Address to initiation connections to -.TP -.BR charon.plugins.load-tester.responder_auth " [pubkey]" -Authentication method(s) the responder uses -.TP -.BR charon.plugins.load-tester.responder_id -Responder ID used in load test -.TP -.BR charon.plugins.load-tester.responder_tsi " [initiator_tsi]" -Traffic selector on initiator side, as narrowed by responder -.TP -.BR charon.plugins.load-tester.responder_tsr " [initiator_tsr]" -Traffic selector on responder side, as narrowed by responder -.TP -.BR charon.plugins.load-tester.request_virtual_ip " [no]" -Request an INTERNAL_IPV4_ADDR from the server -.TP -.BR charon.plugins.load-tester.shutdown_when_complete " [no]" -Shutdown the daemon after all IKE_SAs have been established -.TP -.BR charon.plugins.load-tester.socket " [unix://@piddir@/charon.ldt]" -Socket provided by the load-tester plugin -.TP -.BR charon.plugins.load-tester.version " [0]" -IKE version to use (0 means use IKEv2 as initiator and accept any version as -responder) .PP .SS 
Configuration details For public key authentication, the responder uses the @@ -413,7 +291,7 @@ identity. For the initiator, each connection attempt uses a different identity in the form .BR "\(dqCN=c1-r1, OU=load-test, O=strongSwan\(dq" , where the first number inidicates the client number, the second the -authentication round (if multiple authentication is used). +authentication round (if multiple authentication rounds are used). .PP For PSK authentication, FQDN identities are used. The server uses .BR srv.strongswan.org , @@ -423,7 +301,8 @@ the client uses an identity in the form For EAP authentication, the client uses a NAI in the form .BR 100000000010001@strongswan.org . .PP -To configure multiple authentication, concatenate multiple methods using, e.g. +To configure multiple authentication rounds, concatenate multiple methods using, +e.g. .EX initiator_auth = pubkey|psk|eap-md5|eap-aka .EE @@ -435,7 +314,7 @@ certificate. Install the Responder/CA certificate on the remote host to authenticate all clients. .PP To speed up testing, the load tester plugin implements a special Diffie-Hellman -implementation called modpnull. By setting +implementation called \fImodpnull\fR. By setting .EX proposal = aes128-sha1-modpnull .EE @@ -446,7 +325,7 @@ at all, but allows one to run tests without DH calculation overhead. In the simplest case, the daemon initiates IKE_SAs against itself using the loopback interface. This will actually establish double the number of IKE_SAs, as the daemon is initiator and responder for each IKE_SA at the same time. -Installation of IPsec SAs would fails, as each SA gets installed twice. To +Installation of IPsec SAs would fail, as each SA gets installed twice. To simulate the correct behavior, a fake kernel interface can be enabled which does not install the IPsec SAs at the kernel level. .PP
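Review bot: in the conf/plugins/load-tester.opt hunk the `preshared_key` entry loses its documented default. The man page text removed in the second hunk read `charon.plugins.load-tester.preshared_key " [default-psk]"`, but the new line is `charon.plugins.load-tester.preshared_key =` with an empty value. If the plugin still falls back to `default-psk`, the .opt file should say `charon.plugins.load-tester.preshared_key = default-psk`; if the fallback was dropped on purpose, the commit message should say so, because a default credential is exactly the kind of value an operator reads this reference to find. The same hunk also carries three wording defects over from the old man page that could be fixed while the text is being moved: `Delay between initiatons for each thread.` (initiations), `Authentication method(s) the intiator uses.` (initiator) and `Address to initiation connections to.` (initiate connections to). Finally, `delay` and `dpd_delay` state no unit while `child_rekey` and `ike_rekey` say "Seconds"; stating the unit for the two delay options would make the new reference consistent.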
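Review bot: in the `@@ -276,135 +276,13 @@` hunk, removing the `.SS Options` block leaves the LOAD TESTS section with no pointer to where the `charon.plugins.load-tester.*` descriptions now live, while the new .opt text still points the other way with "see LOAD TESTS in **strongswan.conf**(5) for details". A one-sentence cross-reference after the WARNING paragraph, naming the `charon.plugins.load-tester` options in the generated option listing, would close the loop for readers of the man page. The removal also leaves a bare `.PP` directly in front of `.SS Configuration details`; it used to separate the last `.TP` entry from the subsection, but now it only adds vertical space ahead of a heading and can go.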
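Review bot: the `@@ -413,7 +291,7 @@` hunk rewords `authentication round (if multiple authentication rounds are used)` but leaves the typo `inidicates` in the unchanged context line `where the first number inidicates the client number, the second the`; since this paragraph is already being edited, change it to `indicates` in the same commit.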