Load Tests » History » Version 4

Martin Willi, 05.12.2008 12:24

= Load Tests =

To do stability testing and performance optimizations, charon provides a load-tester plugin. This plugin allows setting up thousands of tunnels concurrently against the daemon itself or a remote host. To build and enable the plugin, add
{{{
--enable-load-tests
}}}
to your ''./configure'' flags.

== Testing against self ==

In the simplest case, the daemon initiates IKE_SAs against itself using the loopback interface. This actually establishes twice the number of IKE_SAs, as the daemon is initiator and responder for each IKE_SA at the same time. Installation of IPsec SAs would fail, as each SA gets installed twice. To simulate the correct behavior, a fake kernel interface can be enabled which does not install the IPsec SAs at the kernel level.

A simple loop-back configuration in ''/etc/strongswan.conf'' might look like this:
{{{
charon {
    # create a new IKE_SA for each CHILD_SA to simulate different clients
    reuse_ikesa = no
    # turn off denial of service protection
    dos_protection = no

    plugins {
        load_tester {
            # use 4 threads to initiate connections simultaneously
            initiators = 4
            # each thread initiates 1000 connections
            iterations = 1000
            # delay each initiation in each thread by 20ms
            delay = 20
            # fake the kernel interface to avoid SA conflicts
            fake_kernel = yes
        }
    }
}
}}}

This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay value if your box cannot handle that much load, or decrease it to put more load on it. If the daemon starts retransmitting messages, your box probably cannot handle all connection attempts.

----
'''Due to a bug in the 4.2.9 release, load tests against self fail. Apply [4671] if you want to do tests against ''127.0.0.1'' with this release.'''
----

== Testing against remote host ==
The plugin also allows testing against a remote host. This might help to test against a real-world configuration. A connection setup to do stress testing of a gateway might look like this:
{{{
charon {
    reuse_ikesa = no
    threads = 32

    plugins {
        load_tester {
            # 10000 connections, ten in parallel
            initiators = 10
            iterations = 1000
            # setup all tunnels in 100 seconds
            delay = 100
            # address of the gateway
            remote = 1.2.3.4
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
        }
    }
}
}}}
== Configuration details ==
The configuration is currently hardcoded to ''load-test@strongswan.org'' for initiator and responder identities. You may [browser:trunk/src/charon/plugins/load_tester/load_tester_config.c change] this hardcoded value. Initiator and responder both use hardcoded [browser:trunk/src/charon/plugins/load_tester/load_tester_creds.c 1024-bit RSA keys] and a self-signed certificate. You may install this certificate on your target machine. There is currently no way to use different certificates for each initiation, but doing so would not really affect performance.

To speed up testing, the load tester plugin implements a special Diffie-Hellman implementation called ''modpnull''. By setting the proposal to ''aes128-sha1-modpnull'', this wicked fast DH implementation is used. It does not provide any security at all, but allows running tests without DH calculation overhead.

There is a list of available configuration options for the load-tester plugin at the [wiki:strongswanConf strongswan.conf] page.
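
As an added example (not part of the original page or of strongSwan itself), this Python sketch parses a ''strongswan.conf'' fragment like the ones above, computes how many initiations a load_tester section schedules and over what time, and lists the test-only settings this page uses (dos_protection = no, fake_kernel = yes, a modpnull proposal) so they can be caught before a configuration reaches a production gateway. The function names, the simplified one-item-per-line parser and the fallback values for missing keys are assumptions of the example.

```python
# Constructed sample: this page's loopback settings plus the modpnull proposal.
SAMPLE_CONF = """
charon {
    dos_protection = no
    plugins {
        load_tester {
            initiators = 4
            iterations = 1000
            delay = 20
            fake_kernel = yes
            proposal = aes128-sha1-modpnull
        }
    }
}
"""

def parse_conf(text):
    """Flatten nested 'name {' sections into {'a.b.key': 'value'} (one item per line)."""
    flat, path = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            flat[".".join(path + [key])] = value
    return flat

LT = "charon.plugins.load_tester."

def load_plan(flat):
    """Return (total initiations, seconds to start them all); fallbacks are assumed."""
    initiators = int(flat.get(LT + "initiators", 0))
    iterations = int(flat.get(LT + "iterations", 1))
    delay_ms = int(flat.get(LT + "delay", 0))
    return initiators * iterations, iterations * delay_ms / 1000

def find_test_only_settings(flat):
    """List the test-only settings from this page found in the config."""
    findings = []
    if flat.get("charon.dos_protection") == "no":
        findings.append("dos_protection disabled")
    if flat.get(LT + "fake_kernel") == "yes":
        findings.append("fake_kernel enabled")
    if "modpnull" in flat.get(LT + "proposal", ""):
        findings.append("modpnull proposal")
    return findings
```

When testing against self, the number of IKE_SAs held by the daemon is twice the initiation count returned by `load_plan`, since it is both initiator and responder.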