[Swan] Urgent: VPN stress test with strongSwan

Liam Schönberg liam.ch at outlook.com
Sat Nov 14 14:10:13 UTC 2020


We're currently trying to find a way, where we can emulate 20,000 to 60,000 VPN clients against a FortiGate virtual appliance. Originally, our plan was to define a lot of connections on strongSwan, so that every connection initiates itself with different leftids.

Now we're running into a serious issue, where FortiGate refuses to negotiate multiple IKE SAs with a single combination of remote IP address and UDP port number – When we try to establish multiple IKE SAs with the FortiGate appliance, acting as a responder, from a single box running strongSwan, acting as initiators, the FortiGate side terminates the existing (old) IKE SA, even if we're using different leftids. It simply assumes that those SAs are «duplicates», since the strongSwan side initiates IKE SAs with the same source IP address and UDP port number.

Since we saw that the FortiGate appliance does not terminate existing IKE SAs if it gets a further negotiation request from a different UDP port number, we're now trying to implement Docker containers, so that strongSwan runs inside those containers and each strongSwan instance uses a different UDP port number. Though it seems to work when we're doing a few containers, it starts to act strangely when we're running several hundred containers in a single box.

Our question is whether any of you has done something similar, and how. Ultimately what we're trying to achieve is to run thousands of instances of strongSwan in a single Linux machine, so that each of those instances can use different socket ports, instead of always udp/500.

Any comments or suggestions will be greatly appreciated.

Best regards,
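
The approach the post describes, one strongSwan instance per emulated client with its own IKE source port so the responder does not treat the new SA as a duplicate of the old one, as an added example that is not part of the original message and not strongSwan's own code. It plans a unique (charon.port, charon.port_nat_t) pair per instance, renders a per-instance strongswan.conf and swanctl.conf, and checks that no port is reused; the gateway address 192.0.2.1, the identities, the traffic selector and the pre-shared-key placeholder are constructed sample values, and running each instance with its own STRONGSWAN_CONF is an assumption about how the instances would be launched.

```python
"""Plan and render per-instance strongSwan configuration so that each
emulated IKE client initiates from its own UDP source port.

Added example; not code from the original post or from strongSwan. It assumes
each instance is started with its own strongswan.conf (located through the
STRONGSWAN_CONF environment variable) and its own swanctl.conf. The gateway,
identities and PSK below are constructed placeholders.
"""
from dataclasses import dataclass
from pathlib import Path

MAX_PORT = 65535


@dataclass(frozen=True)
class Instance:
    index: int
    ike_port: int    # charon.port       (default 500)
    natt_port: int   # charon.port_nat_t (default 4500)
    local_id: str    # identity sent as IDi, i.e. the "leftid"


def max_instances(base_port):
    """How many instances fit on one source IP when each needs two ports."""
    return (MAX_PORT - base_port + 1) // 2


def plan_instances(count, base_port=10000, id_domain="example.org"):
    """Give every instance two consecutive, never-reused UDP ports."""
    if count < 1:
        raise ValueError("count must be positive")
    if base_port < 1024 or count > max_instances(base_port):
        raise ValueError(
            f"cannot fit {count} instances above port {base_port}; "
            f"at most {max_instances(base_port)} per source IP"
        )
    return [
        Instance(i, base_port + 2 * i, base_port + 2 * i + 1,
                 f"client{i:05d}@{id_domain}")
        for i in range(count)
    ]


def check_unique_ports(instances):
    """True only if no IKE or NAT-T port is shared between two instances.

    Two instances on one port would present the responder with the same
    (source IP, source port) pair the post describes as being rejected.
    """
    seen = set()
    for inst in instances:
        for port in (inst.ike_port, inst.natt_port):
            if port in seen:
                return False
            seen.add(port)
    return True


def strongswan_conf(inst):
    """strongswan.conf fragment moving this charon off udp/500 and udp/4500."""
    return (
        "charon {\n"
        f"    port = {inst.ike_port}\n"
        f"    port_nat_t = {inst.natt_port}\n"
        "}\n"
    )


def swanctl_conf(inst, gateway, remote_id, psk="PLACEHOLDER-PSK"):
    """Minimal IKEv2 PSK connection with a per-instance local identity."""
    name = f"conn{inst.index:05d}"
    return (
        "connections {\n"
        f"    {name} {{\n"
        "        version = 2\n"
        f"        remote_addrs = {gateway}\n"
        "        local {\n"
        "            auth = psk\n"
        f"            id = {inst.local_id}\n"
        "        }\n"
        "        remote {\n"
        "            auth = psk\n"
        f"            id = {remote_id}\n"
        "        }\n"
        "        children {\n"
        "            net {\n"
        "                remote_ts = 10.0.0.0/8\n"   # constructed sample selector
        "                start_action = start\n"
        "            }\n"
        "        }\n"
        "    }\n"
        "}\n"
        "secrets {\n"
        f"    ike-{name} {{\n"
        f"        id = {inst.local_id}\n"
        f"        secret = {psk}\n"
        "    }\n"
        "}\n"
    )


def write_instance(inst, outdir, gateway, remote_id):
    """Write both files under <outdir>/<index>/ and return their paths."""
    base = Path(outdir) / f"{inst.index:05d}"
    base.mkdir(parents=True, exist_ok=True)
    conf = base / "strongswan.conf"
    swan = base / "swanctl.conf"
    conf.write_text(strongswan_conf(inst))
    swan.write_text(swanctl_conf(inst, gateway, remote_id))
    return conf, swan


if __name__ == "__main__":
    plan = plan_instances(3)
    assert check_unique_ports(plan)
    for inst in plan:
        print(write_instance(inst, "stress-configs", "192.0.2.1", "gw.example.org"))
    print("instances possible per source IP from port 10000:", max_instances(10000))
```

`max_instances` makes the capacity limit explicit: with two ports per instance, a single source IP cannot carry the 20,000 to 60,000 clients mentioned in the post above roughly 27,000 instances starting at port 10000, so reaching the upper end needs several source addresses on the initiator side, not only more ports.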
