Load Tests » History » Version 2

Martin Willi, 18.11.2008 11:21


= Load Tests =

To do stability testing and performance optimizations, charon provides a load-tester plugin. This plugin allows you to set up thousands of tunnels concurrently against the daemon itself or a remote host. To build and enable the plugin, add
{{{
--enable-load-tests
}}}
to your ''./configure'' flags.

== Testing against self ==

In the simplest case, the daemon initiates IKE_SAs against itself using the loopback interface. This actually establishes twice the number of IKE_SAs, as the daemon is initiator and responder for each IKE_SA at the same time. Installation of IPsec SAs would fail, as each SA gets installed twice. To simulate the correct behavior, a faked kernel interface can be enabled which does not install the IPsec SAs at the kernel level.

A simple loop-back configuration in ''/etc/strongswan.conf'' might look like this:
{{{
charon {
    # create a new IKE_SA for each CHILD_SA to simulate different clients
    reuse_ikesa = no
    # turn off denial of service protection
    dos_protection = no

    plugins {
        load_tester {
            # use 4 threads to initiate connections simultaneously
            initiators = 4
            # each thread initiates 1000 connections
            iterations = 1000
            # delay each initiation in each thread by 20ms
            delay = 20
            # fake the kernel interface to avoid SA conflicts
            fake_kernel = yes
        }
    }
}
}}}

This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay value if your box cannot handle that much load, or decrease it to put more load on it. If the daemon starts retransmitting messages, your box probably cannot handle all connection attempts.
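The arithmetic behind these figures, as an added example that is not part of the original page or of the strongSwan code: a small Python parser reads the load_tester section, computes how many IKE_SAs are initiated and how long the ramp-up takes, and lists the test-only settings (''dos_protection = no'', ''fake_kernel = yes'') that should be reverted before the same strongswan.conf is used in production. The function names are hypothetical, the parser assumes one statement per line, and a missing ''remote'' option is treated as a loop-back test.

```python
# Constructed sample: the loop-back configuration from this page.
SAMPLE = """
charon {
    reuse_ikesa = no
    dos_protection = no
    plugins {
        load_tester {
            initiators = 4
            iterations = 1000
            delay = 20
            fake_kernel = yes
        }
    }
}
"""

def parse_conf(text):
    """Parse nested 'name { key = value }' sections, one statement per line."""
    stack = [{}]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return stack[0]

def load_profile(conf):
    """Return SA counts, ramp-up time and the test-only settings in use."""
    charon = conf["charon"]
    lt = charon["plugins"]["load_tester"]
    initiators, iterations, delay_ms = (int(lt[k]) for k in ("initiators", "iterations", "delay"))
    against_self = "remote" not in lt  # assumption: no 'remote' means loop-back
    initiated = initiators * iterations
    flags = (("dos_protection", "no", charon), ("fake_kernel", "yes", lt))
    return {
        "initiated": initiated,
        # against self the daemon is initiator and responder for every IKE_SA
        "ike_sas_on_daemon": initiated * 2 if against_self else initiated,
        "ramp_up_seconds": iterations * delay_ms / 1000,
        "test_only_settings": [k for k, v, sec in flags if sec.get(k) == v],
    }
```

Calling `load_profile(parse_conf(SAMPLE))` reproduces the 4000 initiations in 20 seconds stated above and shows the doubled IKE_SA count held by a daemon testing against itself.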

----
'''Due to a bug in the 4.2.9 release, load tests against self failed. Apply [4671] if you want to do tests against ''127.0.0.1'' with this release.'''
----

== Testing against remote host ==

The plugin also allows you to test against a remote host. This might help to test against a real-world configuration. A connection setup to do stress testing of a gateway might look like this:
{{{
charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load_tester {
            # 10000 connections, ten in parallel
            initiators = 10
            iterations = 1000
            # setup all tunnels in 100 seconds
            delay = 100
            # address of the gateway
            remote = 1.2.3.4
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
        }
    }
}
}}}

== Configuration details ==

The configuration is currently hardcoded to '''' for initiator and responder. You may [browser:trunk/src/charon/plugins/load_tester/load_tester_config.c change] this hardcoded value. Initiator and responder both use hardcoded [browser:trunk/src/charon/plugins/load_tester/load_tester_creds.c 1024-bit RSA keys] and a self-signed certificate. You may install this certificate on your target machine. There is currently no way to use different certificates for each initiation, but doing so would not affect performance.
There is a list of available configuration options for the load-tester plugin at the [wiki:strongswanConf strongswan.conf] page.