Load Tests » History » Version 7

Martin Willi, 09.12.2008 10:26

h1. Load Tests

For stability testing and performance optimization, charon provides a load-tester plugin. It can set up thousands of tunnels concurrently, either against the daemon itself or against a remote host.

h2. Setup
To build and enable the plugin, add
<pre>
--enable-load-tests
</pre>
to your _./configure_ flags.
----
*Warning: Never enable the load-testing plugin on production systems. It ships with preconfigured credentials (a private key and PSK that are part of the source tree) and therefore allows an attacker to authenticate as any user.*
----
Because of this risk, building the plugin is not enough: it is only loaded if an additional _enable_ switch is set in _strongswan.conf_, so that you explicitly acknowledge what you are turning on.

h2. Testing against self
In the simplest case, the daemon initiates IKE_SAs against itself over the loopback interface. This actually establishes twice the configured number of IKE_SAs, because the daemon is initiator and responder of every IKE_SA at the same time. Installing the IPsec SAs would fail, since each SA would be installed twice (once per side). To get correct behavior anyway, a fake kernel interface can be enabled that does not install the IPsec SAs in the kernel at all.

A simple loop-back configuration in _/etc/strongswan.conf_ might look like this:
<pre>
charon {
    # create a new IKE_SA for each CHILD_SA to simulate different clients
    reuse_ikesa = no
    # turn off denial of service protection
    dos_protection = no

    plugins {
        load_tester {
            # enable the plugin
            enable = yes
            # use 4 threads to initiate connections simultaneously
            initiators = 4
            # each thread initiates 1000 connections
            iterations = 1000
            # delay each initiation in each thread by 20ms
            delay = 20
            # fake the kernel interface to avoid SA conflicts
            fake_kernel = yes
        }
    }
}
</pre>

This initiates 4 x 1000 = 4000 IKE_SAs within 20 seconds (each thread starts 1000 connections, 20 ms apart); as the daemon also acts as responder, it holds 8000 IKE_SAs at the end of the run. Increase the _delay_ value if your box cannot handle that much load, or decrease it to put more load on it. If the daemon starts retransmitting messages, the box probably cannot keep up with the connection attempts.
----
*Due to a bug in the 4.2.9 release, load tests against self fail. Apply r4671 if you want to run tests against _127.0.0.1_ with this release.*
----
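
The paragraph above gives a rule of thumb (retransmits mean the box is overloaded) but no way to measure a run. The following script is an added example, not code from the strongSwan project or this page: it summarizes a charon log from a load test, counting established IKE_SAs, the distinct simulated clients behind them (on loopback every IKE_SA shows up twice, once per side, as described above), retransmissions and the achieved setup rate, and computes the planned load from the _initiators_, _iterations_ and _delay_ values. The sample log lines are constructed; the "IKE_SA ... established between ..." and "retransmit N of request with message ID M" wording follows charon's log messages but is an assumption here, as is the HH:MM:SS prefix a syslog setup would add in front of each line.

```python
"""Summarize a charon log from a load-test run (added example, not strongSwan code).

Reports established IKE_SAs, distinct load-test clients, retransmissions and the
setup rate. Log wording and the HH:MM:SS prefix are assumptions, see lead-in.
"""
import re
from typing import Dict, Iterable, Tuple

# Constructed sample: excerpt of a loopback run. Each IKE_SA appears once from
# the initiator side (CN=cli-N local) and once from the responder side (CN=srv
# local), plus two retransmissions while the box was busy.
SAMPLE_LOG = """\
10:26:01 05[IKE] IKE_SA load-test[1] established between 127.0.0.1[CN=cli-1, OU=load-test, O=strongSwan]...127.0.0.1[CN=srv, OU=load-test, O=strongSwan]
10:26:01 09[IKE] IKE_SA load-test[2] established between 127.0.0.1[CN=srv, OU=load-test, O=strongSwan]...127.0.0.1[CN=cli-1, OU=load-test, O=strongSwan]
10:26:03 06[IKE] IKE_SA load-test[3] established between 127.0.0.1[CN=cli-2, OU=load-test, O=strongSwan]...127.0.0.1[CN=srv, OU=load-test, O=strongSwan]
10:26:03 10[IKE] IKE_SA load-test[4] established between 127.0.0.1[CN=srv, OU=load-test, O=strongSwan]...127.0.0.1[CN=cli-2, OU=load-test, O=strongSwan]
10:26:05 07[IKE] retransmit 1 of request with message ID 0
10:26:09 07[IKE] retransmit 2 of request with message ID 0
10:26:11 07[IKE] IKE_SA load-test[5] established between 127.0.0.1[CN=cli-3, OU=load-test, O=strongSwan]...127.0.0.1[CN=srv, OU=load-test, O=strongSwan]
10:26:11 11[IKE] IKE_SA load-test[6] established between 127.0.0.1[CN=srv, OU=load-test, O=strongSwan]...127.0.0.1[CN=cli-3, OU=load-test, O=strongSwan]
"""

TIMESTAMP = re.compile(r"^(\d\d):(\d\d):(\d\d) ")
ESTABLISHED = re.compile(
    r"IKE_SA \S+\[\d+\] established between "
    r"\S+\[(?P<local>[^\]]+)\]\.\.\.\S+\[(?P<remote>[^\]]+)\]")
RETRANSMIT = re.compile(r"retransmit (?P<n>\d+) of request with message ID \d+")
CLIENT_ID = re.compile(r"CN=(cli-\d+)")   # identities the plugin generates per connection


def planned_load(initiators: int, iterations: int, delay_ms: int) -> Tuple[int, float]:
    """IKE_SAs a load_tester config will initiate, and the seconds that takes."""
    return initiators * iterations, iterations * delay_ms / 1000.0


def summarize_load_test(lines: Iterable[str]) -> Dict[str, float]:
    """Count established IKE_SAs, distinct clients and retransmits in a charon log."""
    established = retransmits = worst = 0
    clients = set()
    first = last = None
    for line in lines:
        ts = TIMESTAMP.match(line)
        if ts:
            sec = int(ts.group(1)) * 3600 + int(ts.group(2)) * 60 + int(ts.group(3))
            first = sec if first is None else first
            last = sec
        m = ESTABLISHED.search(line)
        if m:
            established += 1
            # whichever side carries CN=cli-N identifies the simulated client,
            # so initiator and responder lines of one IKE_SA count once
            for ident in (m.group("local"), m.group("remote")):
                c = CLIENT_ID.search(ident)
                if c:
                    clients.add(c.group(1))
            continue
        m = RETRANSMIT.search(line)
        if m:
            retransmits += 1
            worst = max(worst, int(m.group("n")))
    duration = (last - first) if first is not None else 0
    return {
        "established_lines": established,
        "clients": len(clients),
        "retransmits": retransmits,
        "worst_retransmit": worst,
        "duration_s": duration,
        "clients_per_s": len(clients) / duration if duration else 0.0,
    }


def verdict(stats: Dict[str, float]) -> str:
    """Rule of thumb from the page: any retransmit means the box is overloaded."""
    if stats["retransmits"]:
        return ("overloaded: %d retransmits (up to %d for one request), "
                "raise the delay value" % (stats["retransmits"], stats["worst_retransmit"]))
    return "ok: %d clients in %ds without retransmits" % (stats["clients"], stats["duration_s"])


if __name__ == "__main__":
    stats = summarize_load_test(SAMPLE_LOG.splitlines())
    print(stats)
    print(verdict(stats))
```

Feed it a real log with `summarize_load_test(open("/var/log/charon.log"))` and compare `clients` against `planned_load(...)[0]` to see how many of the planned connections actually came up; a shortfall without retransmits usually means the run was cut off before the last thread finished.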
h2. Testing against remote host
The plugin can also test against a remote host, which is useful for exercising a real-world gateway configuration. A setup to stress-test a gateway might look like this:
<pre>
charon {
    # create a new IKE_SA for each CHILD_SA to simulate different clients
    reuse_ikesa = no
    # more worker threads so the parallel initiators are not starved
    threads = 32

    plugins {
        load_tester {
            # enable the plugin
            enable = yes
            # 10000 connections, ten in parallel
            initiators = 10
            iterations = 1000
            # setup all tunnels in 100 seconds (1000 x 100ms per thread)
            delay = 100
            # address of the gateway
            remote = 1.2.3.4
            # IKE-proposal to use
            proposal = aes128-sha1-modp1024
            # use faster PSK authentication instead of 1024bit RSA
            auth = psk
            # request a virtual IP using configuration payloads
            request_virtual_ip = yes
        }
    }
}
</pre>

h2. Configuration details
The configuration currently uses a hardcoded "_CN=srv, OU=load-test, O=strongSwan_" responder identity. For the initiator, each connection attempt uses a different identity of the form "_CN=cli-1, OU=load-test, O=strongSwan_", numbered per connection.

The responder uses a hardcoded certificate based on a [browser:trunk/src/charon/plugins/load_tester/load_tester_creds.c 1024-bit RSA key]. This certificate also serves as the CA certificate. A peer uses the same private key but generates client certificates on demand, signed by that CA certificate. Install the responder/CA certificate on the remote host to authenticate all clients. Because the private key is part of the source tree, anyone can sign a certificate for any identity with it; this is the reason for the warning above, so remove the CA certificate from the gateway again once the test is over.

Alternatively, faster preshared key authentication can be used by setting _auth = psk_.
To speed up testing, the load-tester plugin implements a special Diffie-Hellman group called _modpnull_. Setting _proposal = aes128-sha1-modpnull_ selects this wicked fast DH implementation. It provides no security at all, but allows running tests without the DH calculation overhead. The peer has to accept the group as well, so it is of no use against a gateway that does not run the plugin.

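
The warning in the Setup section and the _modpnull_ paragraph above both describe settings that are fine on a test box and disastrous on a production gateway. The following script is an added example, not code from the strongSwan project or this page: it parses a _strongswan.conf_ into flat dotted keys and flags the load-tester settings discussed on this page (_enable_, _fake_kernel_, a _modpnull_ proposal and disabled _dos_protection_), so it can run as a pre-deployment check. The parser only covers the syntax shown on this page (a section opened by "name {" on one line, "}" on its own line, "key = value" pairs, and "#" starting a comment anywhere on a line; _include_ directives are skipped rather than followed), which is an assumption about the configuration files it will see. The two sample configurations are constructed.

```python
"""Audit a strongswan.conf for load-tester settings that must never reach
production (added example, not strongSwan code; syntax subset, see lead-in)."""
from typing import Dict, List

# Constructed sample: the loopback configuration from this page.
SELF_TEST_CONF = """\
charon {
    # create a new IKE_SA for each CHILD_SA to simulate different clients
    reuse_ikesa = no
    dos_protection = no

    plugins {
        load_tester {
            enable = yes
            initiators = 4
            iterations = 1000
            delay = 20
            fake_kernel = yes
        }
    }
}
"""

# Constructed sample: what a production gateway might carry if the plugin was
# built in but left disabled.
PRODUCTION_CONF = """\
charon {
    dos_protection = yes
    plugins {
        load_tester {
            # built in, but deliberately left disabled
            enable = no
        }
    }
}
"""


def parse_strongswan_conf(text: str) -> Dict[str, str]:
    """Flatten strongswan.conf into {"charon.plugins.load_tester.enable": "yes", ...}."""
    settings: Dict[str, str] = {}
    path: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line or line.startswith("include "):
            continue                            # include directives are not followed here
        if line.endswith("{"):                  # "section {" opens a nested level
            path.append(line[:-1].strip())
        elif line == "}":                       # closes the innermost section
            if not path:
                raise ValueError("unbalanced '}' in strongswan.conf")
            path.pop()
        elif "=" in line:                       # "key = value" (value may be empty)
            key, value = (s.strip() for s in line.split("=", 1))
            settings[".".join(path + [key])] = value
        else:
            raise ValueError("cannot parse line: %r" % raw)
    if path:
        raise ValueError("unclosed section(s): " + ".".join(path))
    return settings


def is_true(value: str) -> bool:
    """strongswan.conf accepts yes/no, true/false and 1/0 for booleans."""
    return value.lower() in ("yes", "true", "1")


def audit_load_tester(settings: Dict[str, str]) -> List[str]:
    """One finding per setting that is acceptable only on a dedicated test box."""
    lt = "charon.plugins.load_tester."
    findings: List[str] = []
    if is_true(settings.get(lt + "enable", "no")):
        findings.append("load_tester enabled: its preconfigured credentials let "
                        "anyone authenticate as any user")
    if is_true(settings.get(lt + "fake_kernel", "no")):
        findings.append("fake_kernel: IPsec SAs are never installed, so no traffic is protected")
    if "modpnull" in settings.get(lt + "proposal", ""):
        findings.append("modpnull proposal: the Diffie-Hellman exchange provides no security")
    dos = settings.get("charon.dos_protection")
    if dos is not None and not is_true(dos):
        findings.append("dos_protection disabled: IKE denial-of-service protection is off")
    return findings


if __name__ == "__main__":
    for name, conf in (("self-test", SELF_TEST_CONF), ("production", PRODUCTION_CONF)):
        print(name, audit_load_tester(parse_strongswan_conf(conf)) or ["clean"])
```

Run it against the real file with `audit_load_tester(parse_strongswan_conf(open("/etc/strongswan.conf").read()))`; a non-empty result on a gateway means the box is carrying test-only settings. Note that the check only sees the configuration: a binary built with _--enable-load-tests_ still contains the credentials even when _enable_ is off, so production packages should be built without the flag.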
The full list of configuration options for the load-tester plugin is on the [[strongswanConf|strongswanconf]] page.