
Version 8 (Tobias Brunner, 05.05.2009 19:10) → Version 9/23 (Martin Willi, 20.10.2009 16:09)

h1. Load Tests

For stability testing and performance optimization, charon provides a load-tester plugin. This plugin allows setting up thousands of tunnels concurrently, either against the daemon itself or against a remote host.

h2. Setup

To build and enable the plugin, add
<pre>
--enable-load-tester --enable-load-tests
</pre>
to your _./configure_ options.

----

*Warning: Never enable the load-testing plugin on production systems. It provides preconfigured credentials and allows an attacker to authenticate as any user.*

----

To make sure you are aware of this risk, an additional _enable_ switch in _strongswan.conf_ is required to load the plugin.

h2. Testing against self

In the simplest case, the daemon initiates IKE_SAs against itself using the loopback interface. This actually establishes twice the configured number of IKE_SAs, as the daemon is initiator and responder of each IKE_SA at the same time. Installation of IPsec SAs would fail, as each SA would be installed twice. To simulate the correct behavior, a fake kernel interface can be enabled which does not install the IPsec SAs at the kernel level.

A simple loop-back configuration in [[StrongswanConf|/etc/strongswan.conf]] might look like this:
<pre>
charon {
# create a new IKE_SA for each CHILD_SA to simulate different clients
reuse_ikesa = no
# turn off denial of service protection
dos_protection = no

plugins {
load-tester {
# enable the plugin
enable = yes
# use 4 threads to initiate connections simultaneously
initiators = 4
# each thread initiates 1000 connections
iterations = 1000
# delay each initiation in each thread by 20ms
delay = 20
# fake the kernel interface to avoid SA conflicts
fake_kernel = yes
}
}
}
</pre>

This will initiate 4000 IKE_SAs within 20 seconds. You may increase the delay value if your box cannot handle that much load, or decrease it to put more load on it. If the daemon starts retransmitting messages, your box probably cannot handle all connection attempts.

----

*Due to a bug in the 4.2.9 release, load tests against self fail. Apply commit:32f59c56 if you want to run tests against _127.0.0.1_ with that release.*

----

h2. Testing against remote host

The plugin also allows testing against a remote host, which is useful to test a real-world configuration. A connection setup for stress testing a gateway might look like this:
<pre>
charon {
reuse_ikesa = no
threads = 32

plugins {
load-tester load_tester {
# enable the plugin
enable = yes
# 10000 connections, ten in parallel
initiators = 10
iterations = 1000
# use a delay of 100ms, overall time is: iterations * delay = 100s
delay = 100
# address of the gateway
remote = 1.2.3.4
# IKE-proposal to use
proposal = aes128-sha1-modp1024
# use faster PSK authentication instead of 1024bit RSA
initiator_auth = psk
responder_auth = psk
# request a virtual IP using configuration payloads
request_virtual_ip = yes
# disable IKE_SA rekeying (default)
ike_rekey = 0
# enable CHILD_SA rekeying every 60s
child_rekey = 60
# do not delete the IKE_SA after it has been established (default)
delete_after_established = no
# do not shut down the daemon if all IKE_SAs established
shutdown_when_complete = no

}
}
}
</pre>
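To check a strongswan.conf for the settings discussed in both load-test setups above (plugin enabled, the resulting number of IKE_SAs and setup time, a modpnull proposal, disabled DoS protection), here is an added audit script. It is not part of strongSwan; the sample configuration is constructed from this page, and the option defaults it falls back on are assumptions.

```python
"""Audit a strongswan.conf for load-tester settings (added example, not strongSwan code)."""

# Constructed sample: the remote-host stress configuration from this page.
SAMPLE_CONF = """
charon {
    reuse_ikesa = no
    threads = 32
    plugins {
        load-tester {
            enable = yes        # enable the plugin
            initiators = 10
            iterations = 1000
            delay = 100
            remote = 1.2.3.4
            proposal = aes128-sha1-modpnull
        }
    }
}
"""

def parse_conf(text):
    """Parse the nested 'section { key = value }' format into dotted keys."""
    settings, path = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.endswith('{'):
            path.append(line[:-1].strip())     # enter a section
        elif line == '}':
            path.pop()                         # leave the current section
        elif '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            settings['.'.join(path + [key])] = value
    return settings

def audit_load_tester(settings):
    """Return the expected load and any risky settings found."""
    lt = 'charon.plugins.load-tester.'
    findings = []
    if settings.get(lt + 'enable', 'no') != 'yes':
        return {'enabled': False, 'findings': findings}
    findings.append('load-tester enabled: never run this on a production system')
    # Defaults below are assumed (initiators 0, iterations 1, delay 0 ms).
    initiators = int(settings.get(lt + 'initiators', 0))
    iterations = int(settings.get(lt + 'iterations', 1))
    delay_ms = int(settings.get(lt + 'delay', 0))
    if settings.get(lt + 'proposal', '').endswith('modpnull'):
        findings.append('modpnull proposal: the DH exchange provides no security')
    if settings.get('charon.dos_protection') == 'no':
        findings.append('dos_protection disabled')
    return {'enabled': True, 'total_ike_sas': initiators * iterations,
            'duration_s': iterations * delay_ms / 1000, 'findings': findings}
```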

h2. Configuration details

For public key authentication, the responder uses the hardcoded identity _"CN=srv, OU=load-test, O=strongSwan"_. For the initiator, each connection attempt uses a different identity in the form _"CN=c1-r1, OU=load-test, O=strongSwan"_, where the first number indicates the client number and the second the authentication round (if multiple authentication is used).

For PSK authentication, FQDN identities are used.

The server uses _srv.strongswan.org_, the client uses an identity in the form _c1-r1.strongswan.org_.

For EAP authentication, the client uses a NAI in the form _100000000010001@strongswan.org_.

To configure multiple authentication, concatenate multiple methods using, e.g.
<pre>
initiator_auth = pubkey|psk|eap-md5|eap-aka
</pre>

The responder uses a hardcoded certificate based on a 1024-bit RSA key (see source:src/charon/plugins/load_tester/load_tester_creds.c). This certificate additionally serves as CA certificate. A peer uses the same private key, but generates client certificates on demand, signed by the CA certificate. Install the responder/CA certificate on the remote host to authenticate all clients.

Alternatively, faster preshared key authentication can be used by setting _initiator_auth = psk_ and _responder_auth = psk_.


To speed up testing, the load tester plugin implements a special Diffie-Hellman group called _modpnull_. By setting _proposal = aes128-sha1-modpnull_, this wicked fast DH implementation is used. It does not provide any security at all, but allows running tests without the DH calculation overhead.

There is a list of available configuration options for the load-tester plugin at the [[strongswanConf|strongswan.conf]] page.