Project

General

Profile

Load Tests » History » Version 6

Martin Willi, 09.12.2008 10:26

1 1 Martin Willi
= Load Tests =
2 1 Martin Willi
3 6 Martin Willi
To do stability testing and performance optimizations, charon provides a load-tester plugin. This plugin allows to set up thousands of tunnels concurrently against the daemon itself or a remote host.
4 6 Martin Willi
5 6 Martin Willi
== Setup ==
6 6 Martin Willi
7 6 Martin Willi
To build and enable the plugin, add
8 1 Martin Willi
{{{
9 1 Martin Willi
--enable-load-tests
10 1 Martin Willi
}}}
11 1 Martin Willi
to your ''./configure'' flags.
12 6 Martin Willi
----
13 6 Martin Willi
'''Warning: Never enable the load-testing plugin on productive systems. It provides preconfigured credentials and allows an attacker to authenticate as any user.'''
14 6 Martin Willi
----
15 6 Martin Willi
To make sure you are aware of this risk, an additional ''enable'' switch in ''strongswan.conf'' is required to load the plugin.
16 1 Martin Willi
17 1 Martin Willi
== Testing against self ==
18 1 Martin Willi
19 1 Martin Willi
In the simplest case, the the daemon initiates IKE_SAs against self using the loopback interface. This will actually establish the doubled number of IKE_SAs, as the daemon is initiator and responder for each IKE_SA at the same time. Installation of IPsec SAs would fail, as each SA gets installed twice. To simulate the correct behavior, a faked kernel interface can be enabled which does not install the IPsec SAs at the kernel level.
20 1 Martin Willi
21 1 Martin Willi
A simple loop-back configuration in ''/etc/strongswan.conf'' might look like this:
22 1 Martin Willi
{{{
23 1 Martin Willi
charon {
24 1 Martin Willi
    # create a new IKE_SA for each CHILD_SA to simulate different clients
25 1 Martin Willi
    reuse_ikesa = no
26 1 Martin Willi
    # turn off denial of service protection
27 1 Martin Willi
    dos_protection = no
28 1 Martin Willi
29 1 Martin Willi
    plugins {
30 1 Martin Willi
        load_tester {
31 6 Martin Willi
            # enable the plugin
32 6 Martin Willi
            enable = yes
33 1 Martin Willi
            # use 4 threads to initiate connections simultaneously
34 1 Martin Willi
            initiators = 4
35 1 Martin Willi
            # each thread initiates 1000 connections
36 1 Martin Willi
            iterations = 1000
37 1 Martin Willi
            # delay each initiation in each thread by 20ms
38 1 Martin Willi
            delay = 20
39 1 Martin Willi
            # fake the kernel interface to avoid SA conflicts
40 1 Martin Willi
            fake_kernel = yes
41 1 Martin Willi
        }
42 1 Martin Willi
    }
43 1 Martin Willi
}
44 1 Martin Willi
}}}
45 1 Martin Willi
46 2 Martin Willi
This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay value if your box can not handle that much load, or decrease it to put more load on it. If the daemon starts retransmitting messages, your box probably can not handle all connection attempts.
47 3 Martin Willi
----
48 2 Martin Willi
'''Due a bug in the 4.2.9 release, load tests against self fails. Apply [4671] if you want to do tests against ''127.0.0.1'' with this release.'''
49 2 Martin Willi
----
50 1 Martin Willi
== Testing against remote host ==
51 1 Martin Willi
The plugin also allows to test against a remote host. This might help to test against a real world configuration. A connection setup to do stress testing of a gateway might look like this:
52 1 Martin Willi
{{{
53 1 Martin Willi
charon {
54 1 Martin Willi
    reuse_ikesa = no
55 1 Martin Willi
    threads = 32
56 1 Martin Willi
57 1 Martin Willi
    plugins {
58 1 Martin Willi
        load_tester {
59 6 Martin Willi
            # enable the plugin
60 6 Martin Willi
            enable = yes
61 1 Martin Willi
            # 10000 connections, ten in parallel
62 1 Martin Willi
            initiators = 10
63 1 Martin Willi
            iterations = 1000
64 1 Martin Willi
            # setup all tunnels in 100 seconds
65 1 Martin Willi
            delay = 100
66 1 Martin Willi
            # address of the gateway
67 1 Martin Willi
            remote = 1.2.3.4
68 5 Martin Willi
            # IKE-proposal to use
69 5 Martin Willi
            proposal = aes128-sha1-modp1024
70 1 Martin Willi
            # use faster PSK authentication instead of 1024bit RSA
71 1 Martin Willi
            auth = psk
72 1 Martin Willi
            # request a virtual IP using configuration payloads
73 1 Martin Willi
            request_virtual_ip = yes
74 1 Martin Willi
        }
75 1 Martin Willi
    }
76 1 Martin Willi
}
77 1 Martin Willi
}}}
78 1 Martin Willi
== Configuration details ==
79 6 Martin Willi
The configuration currently uses a hardcoded "''CN=srv, OU=load-test, O=strongSwan''" responder identity. For the initiator, each connection attempt uses a different identity in the form "''CN=cli-1, OU=load-test, O=strongSwan''". 
80 1 Martin Willi
81 6 Martin Willi
The responder uses a hardcoded certificate based on a [browser:trunk/src/charon/plugins/load_tester/load_tester_creds.c 1024-bit RSA key]. This certificate additionally serves as CA certificate. A peer uses the same private key, but generates client certificates on demand signed by the CA certificate. Install the Responder/CA certificate on the remote host to authenticate all clients.
82 6 Martin Willi
83 6 Martin Willi
Alternatively, faster preshared key authentication can be used by setting ''auth = psk''.
84 5 Martin Willi
85 5 Martin Willi
To speed up testing, the load tester plugin implements a special Diffie-Hellman implementation called ''modpnull''. By setting ''proposal = aes128-sha1-modpnull'', this wicked fast DH implementation is used. It does not provide any security at all, but allows to run tests without DH calculation overhead.
86 4 Martin Willi
87 1 Martin Willi
There is a list of available configuration options for the load-tester plugin at the [wiki:strongswanConf strongswan.conf] page.