Mostly from this post on the mailing list: https://lists.strongswan.org/pipermail/users/2011-August/001966.html
1. First open http://wiki.strongswan.org/projects/strongswan/repository/entry/src/libcharon/plugins/load_tester/load_tester_creds.c and then:
- copy the RSA private key into 2 files and name them "initiator_key.pem" and "responder_key.pem"
- copy the self-signed cert into 3 files and name them "cacert.pem", "initiator_cert.pem" and "responder_cert.pem"

On the Initiator GW/PC/Machine
--------------------------------
- Please note that the load-tester plugin can only act as a road-warrior client simulator. So enable the load-tester plugin only on the initiator Linux machine running the strongSwan package.
- The ipsec.conf file on this initiator is never used and is not required; comment out all config statements.
- copy cacert.pem, initiator_cert.pem and initiator_key.pem to the respective locations "cacerts", "certs" and "private" under the .../ipsec.d/ folder
- in the ipsec.secrets file, include the statement:
: RSA initiator_key.pem
- The strongswan.conf file should be as below:
------------------------------------------
charon {
    reuse_ikesa = no
    threads = 32
    plugins {
        load-tester {
            # enable the plugin
            enable = yes
            # example: 10 connections, 5 in parallel
            initiators = 5
            iterations = 2
            # delay of 100ms between connection attempts; overall time per initiator is iterations * delay = 200ms
            delay = 100
            # address of the gateway
            responder = 45.79.64.19
            load = yes
            # IKE proposal to use
            proposal = aes128-sha1-modp2048
            # authentication methods: PSK is the faster default, pubkey uses the certificates copied above
            initiator_auth = pubkey
            responder_auth = pubkey
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
            # disable IKE_SA rekeying (default)
            ike_rekey = 0
            # rekey the CHILD_SA every 60s
            child_rekey = 60
            # do not delete the IKE_SA after it has been established (default)
            delete_after_established = no
            # do not shut down the daemon once all IKE_SAs are established
            shutdown_when_complete = no
        }
    }
}
-----------------------------------------------------------
On the Responder GW/PC/Machine
******************************
- do not enable the load-tester plugin here; just configure this machine as a road-warrior VPN server
- the ipsec.conf file should be as below:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
conn %default
ikelifetime=60m
keylife=30m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
conn rw-server
left=%defaultroute
leftcert=responder_cert.pem
right=%any
rightsourceip=10.3.0.0/16
authby=pubkey
keyexchange=ikev2
type=tunnel
auto=add
#
- copy cacert.pem, responder_cert.pem and responder_key.pem to the respective "cacerts", "certs" and "private" locations under the ipsec.d folder
- The ipsec.secrets file should have an entry as below:
: RSA responder_key.pem
2. That's it. Now start strongSwan IPsec on both the initiator and the responder (start the responder first) using "ipsec start" or "ipsec start --nofork".
Use the following commands to examine the results:
ipsec status
ipsec statusall
ip route show table 220
ip -s xfrm state
ip -s xfrm policy
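As an added check (example code written for this post, not from the mailing list or from strongSwan itself), a small Python parser over responder-side "ipsec statusall" output that counts ESTABLISHED and CONNECTING IKE_SAs, INSTALLED CHILD_SAs, and any remote traffic selector outside the rightsourceip pool, so the totals can be compared with initiators * iterations from the load-tester config. The sample output is constructed, and the exact line layout varies between strongSwan versions.

```python
import ipaddress
import re

# Constructed sample of responder-side `ipsec statusall` output (not a real
# capture; the exact layout varies between strongSwan versions): three IKE_SAs
# up, two of them with an installed CHILD_SA, plus one half-open SA.
SAMPLE_STATUSALL = """\
Security Associations (3 up, 1 connecting):
   rw-server[1]: ESTABLISHED 5 seconds ago, 45.79.64.19[CN=srv]...192.0.2.10[CN=cli]
   rw-server{1}:  INSTALLED, TUNNEL, ESP SPIs: c0000001_i c0000002_o
   rw-server{1}:   45.79.64.19/32 === 10.3.0.1/32
   rw-server[2]: ESTABLISHED 4 seconds ago, 45.79.64.19[CN=srv]...192.0.2.11[CN=cli]
   rw-server{2}:  INSTALLED, TUNNEL, ESP SPIs: c0000003_i c0000004_o
   rw-server{2}:   45.79.64.19/32 === 10.3.0.2/32
   rw-server[3]: ESTABLISHED 3 seconds ago, 45.79.64.19[CN=srv]...192.0.2.12[CN=cli]
   rw-server[4]: CONNECTING, 45.79.64.19[%any]...192.0.2.13[%any]
"""

IKE_RE = re.compile(r"^\s*\S+\[(\d+)\]:\s+(ESTABLISHED|CONNECTING|REKEYING|DELETING)\b")
CHILD_RE = re.compile(r"^\s*\S+\{(\d+)\}:\s+INSTALLED\b")
TS_RE = re.compile(r"^\s*\S+\{(\d+)\}:\s+(\S+) === (\S+)$")


def summarize(statusall, pool="10.3.0.0/16"):
    """Count IKE_SAs by state and installed CHILD_SAs; list remote TSs outside the pool."""
    pool_net = ipaddress.ip_network(pool)
    ike = {}          # IKE_SA id -> state
    children = set()  # CHILD_SA ids that reached INSTALLED
    outside_pool = []
    for line in statusall.splitlines():
        m = IKE_RE.match(line)
        if m:
            ike[int(m.group(1))] = m.group(2)
            continue
        m = CHILD_RE.match(line)
        if m:
            children.add(int(m.group(1)))
            continue
        m = TS_RE.match(line)
        if m:
            remote = ipaddress.ip_network(m.group(3), strict=False)
            if not remote.subnet_of(pool_net):
                outside_pool.append(m.group(3))
    return {
        "established": sum(1 for s in ike.values() if s == "ESTABLISHED"),
        "connecting": sum(1 for s in ike.values() if s == "CONNECTING"),
        "child_installed": len(children),
        # ESTABLISHED IKE_SAs that never got a CHILD_SA deserve a look in the log
        "ike_without_child": sorted(i for i, s in ike.items() if s == "ESTABLISHED" and i not in children),
        "outside_pool": outside_pool,
    }
```

With the page's settings (initiators = 5, iterations = 2) a clean run should end with 10 ESTABLISHED IKE_SAs and 10 INSTALLED CHILD_SAs, all with a remote selector inside 10.3.0.0/16.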
If your strongSwan is not logging at all, you may also want to read:
http://tiebing.blogspot.com/2015/10/ubuntu-1404-strongswan-not-logging.html