
Documentation

MyIKEv2 is an IKEv2/IPsec testing tool for Linux.

It supports the following features:

  • Testing Focus:
    • Simple setup: single executable with single setup file
    • Orchestrated setup: multiple instances on one or multiple servers, orchestrated by a central controller
    • gRPC based API support for test automation
    • Capable of creating a large number of concurrent IPsec tunnels; 100k tunnels tested on a single 10-core Intel Xeon CPU
  • Full IPv4/IPv6 combinations support
  • Both Tunnel and Transport mode support
  • TCP Encapsulation support (RFC8229)
  • IKEv2 implementation based on RFC7296
    • Initiator and responder
    • Multiple transform support
    • IKE SA rekey, initiator and responder
    • Child SA rekey, initiator and responder
    • PFS
    • Cookie
    • Configuration payload
    • Traffic Selector
    • NAT Traversal
    • Repeated Authentication (RFC4478)
    • IKEv2 Fragmentation (RFC7383)
    • MOBIKE (RFC4555)
  • Authentication:
    • PSK
    • Certificate
      • key type: RSA/ECDSA/Ed25519
      • IKEv2 digital signature, RFC7427
      • IKEv2 ECDSA authentication, RFC4754
    • EAP
  • Crypto:
    • Encryption: AES-CBC/AES-GCM_12/AES-GCM_16/ChaCha20-Poly1305
    • Integrity: MD5/SHA1/SHA256/SHA384/SHA512
    • DH Grp: 1/2/5/14/15/16/17/18/19/20/21/31
  • Built-in Ping Test
  • Fastpath: linux kernel xfrm

1 - Quick start

Host Compute Resource Considerations For Scale Tests

A scale test means running a large number of tunnels concurrently, which has higher compute resource requirements:

  • CPU: IKEv2/IPsec is CPU intensive, so multi-core is required; a server class CPU like Intel Xeon is recommended
  • Memory: this depends on the number of SAs and the SA lifetime; as a reference, 100k tunnels with a single CHILD_SA per tunnel require 48G of memory in the client role and 20G in the gateway role;
  • Storage: running MyIKEv2 typically doesn’t require significant storage; however, this could change if you have a large number of tunnels AND detailed logging enabled
  • Network: make sure there is enough network I/O bandwidth between MyIKEv2 and the peer for IKEv2 and data traffic; especially when running MyIKEv2 in a VM, a high performance I/O option like SR-IOV or PCI passthrough to the NIC is recommended.

Installation

MyIKEv2 provides a single executable binary for Linux:

  1. download from https://www.myikev2.net
  2. gzip -d myikev2.gz
  3. chmod +x myikev2
  4. move it to a directory of your choice;
  5. run it as root

MyIKEv2 requires root privilege to run.

Linux OS Setup

  • MyIKEv2 requires iproute2 to run

  • for a scale test, you need to change the following Linux kernel settings:

    • increase the number of open files: ulimit -n <xxx>; xxx must be bigger than the number of tunnels plus the sockets opened by MyIKEv2 (note: the built-in ping opens additional sockets).
    • increase the UDP buffer sizes:
    sysctl -w net.core.rmem_max=26214400
    sysctl -w net.core.rmem_default=26214400
    sysctl -w net.core.wmem_max=26214400
    sysctl -w net.core.wmem_default=26214400
    
    • increase the ARP/neighbour entry limits (running out of neighbour entries can cause an error message like sendto: invalid argument); note that sysctl -w takes a single key=value argument, with no spaces around the "=":
    sysctl -w net.ipv4.neigh.default.gc_thresh1=10240
    sysctl -w net.ipv4.neigh.default.gc_thresh2=20480
    sysctl -w net.ipv4.neigh.default.gc_thresh3=40960
    sysctl -w net.ipv6.neigh.default.gc_thresh1=10240
    sysctl -w net.ipv6.neigh.default.gc_thresh2=20480
    sysctl -w net.ipv6.neigh.default.gc_thresh3=40960
    
    • increase the NIC TX/RX queue sizes:
    ethtool -G <interface-name> tx <max-value>
    ethtool -G <interface-name> rx <max-value>
    
    note: <max-value> can be obtained via the command `ethtool -g <interface-name>`
    
    • if RADIUS is used during authentication, especially EAP authentication with multiple round-trips, make sure the RADIUS server has enough computing and I/O resources; e.g. the I/O tweaks above also need to be applied to the RADIUS server.

      • in the case of eap-file, make sure the interface carrying the RADIUS server's listening address has enough I/O capacity.
    • use the biggest MTU available for the network link between MyIKEv2 and the peer (unless you want to test fragmentation)

  • since v1.2, MyIKEv2 requires libpcap to run; if libpcap is already installed but you still get an error message like "error while loading shared libraries: libpcap.so.x.y: cannot open shared object file: No such file or directory", create a symbolic link named “libpcap.so.x.y” pointing to the installed libpcap.so file

  • since v1.3, eap-snoop requires the eapol_test executable
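The kernel tuning above is easy to get subtly wrong: a low ulimit only shows up as failed tunnels once the test is at scale, and a sysctl written with spaces around the "=" is not applied at all. The following pre-flight script is an added example, not part of the MyIKEv2 distribution; it compares the live values with the minimums listed above and prints the exact command for anything that is too low. The socket budget it uses for ulimit -n (one socket per tunnel, one more per tunnel when the built-in ping is enabled, plus 1024 headroom) is an assumption for illustration, not a figure from the MyIKEv2 documentation.

```shell
#!/bin/sh
# scale_preflight.sh: pre-flight check for a MyIKEv2 scale-test host.
# Added example, not part of the MyIKEv2 distribution.
# ASSUMPTION: the socket budget (one per tunnel, one more per tunnel when
# the built-in ping is enabled, plus 1024 headroom) is a working estimate,
# not a figure from the MyIKEv2 docs; adjust it to what you measure.

# required_open_files <tunnels> <ping:0|1>
# Prints the minimum value to pass to `ulimit -n`.
required_open_files() {
    tunnels=$1
    ping=${2:-0}
    sockets=$tunnels
    if [ "$ping" = 1 ]; then
        sockets=$((sockets + tunnels))
    fi
    echo $((sockets + 1024))
}

# value_meets_min <current> <minimum>: succeeds when current >= minimum.
value_meets_min() {
    [ "$1" -ge "$2" ]
}

# sysctl_setting <key> <value>: the single key=value argument sysctl -w
# expects. With spaces around "=" each token is parsed as its own
# (malformed) setting and the value is never applied.
sysctl_setting() {
    printf '%s=%s\n' "$1" "$2"
}

# check_sysctl <key> <minimum>: compares the live value with the minimum
# and prints the exact command to run when it is too low.
check_sysctl() {
    key=$1
    minimum=$2
    current=$(sysctl -n "$key" 2>/dev/null || echo 0)
    if value_meets_min "$current" "$minimum"; then
        echo "ok   $key=$current"
        return 0
    fi
    echo "LOW  $key=$current -> run: sysctl -w $(sysctl_setting "$key" "$minimum")"
    return 1
}

# main <tunnels> <ping:0|1> [interface]
main() {
    failures=0

    need=$(required_open_files "$1" "${2:-0}")
    limit=$(ulimit -n)
    if [ "$limit" != unlimited ] && ! value_meets_min "$limit" "$need"; then
        echo "LOW  ulimit -n is $limit, need at least $need"
        failures=$((failures + 1))
    fi

    # UDP socket buffers and neighbour-table limits from the list above.
    for kv in net.core.rmem_max:26214400 net.core.rmem_default:26214400 \
              net.core.wmem_max:26214400 net.core.wmem_default:26214400 \
              net.ipv4.neigh.default.gc_thresh1:10240 \
              net.ipv4.neigh.default.gc_thresh2:20480 \
              net.ipv4.neigh.default.gc_thresh3:40960 \
              net.ipv6.neigh.default.gc_thresh1:10240 \
              net.ipv6.neigh.default.gc_thresh2:20480 \
              net.ipv6.neigh.default.gc_thresh3:40960; do
        check_sysctl "${kv%%:*}" "${kv##*:}" || failures=$((failures + 1))
    done

    # NIC ring sizes: show current vs. maximum; raise them with ethtool -G.
    if [ -n "${3:-}" ] && command -v ethtool >/dev/null 2>&1; then
        echo "ring sizes for $3 (raise with: ethtool -G $3 rx <max>; ethtool -G $3 tx <max>):"
        ethtool -g "$3"
    fi

    echo "$failures setting(s) need attention"
    [ "$failures" -eq 0 ]
}

# Run the checks only when invoked with arguments, e.g.
#   sh scale_preflight.sh 100000 1 enp0s10
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as root on the test host before `myikev2 exec`; a non-zero exit means at least one limit is below the documented minimum, and the printed `sysctl -w key=value` lines can be pasted straight into a shell or an init script.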

Test Setup

For each test case:

  1. create a MyIKEv2 setup file, which contains all the configuration needed to run MyIKEv2; myikev2 default -f <setupfilename> generates a setup file with default values, which can be used as a starting point;
  2. use the command myikev2 exec -f <setup_file_name> to run the test; for details of the CLI commands, refer to CLI Usage
    • adding the -i parameter, as in myikev2 exec -i -f <setup_file_name>, will launch the interactive shell, where MyIKEv2 shell commands can be used to monitor the running test.

Note: before running IKEv2 and creating IPsec tunnels, unless -flush=false is specified, MyIKEv2 does the following to facilitate the test, based on the settings in the setup file:

  • flush and add the following addresses on the specified interface bindifname:
    • the specified tunnel addresses (based on startclntaddr, numberoftunnels, mobike and mobikeaddrpertunnel)
    • bindifaddr
  • flush the addresses on interface lo, then add 127.0.0.1/32 and ::1/128
  • flush the ip xfrm state/policy
  • flush route table 330
  • create a static route in the main route table if “staticroute” is specified in the setup file

note: MyIKEv2 will also add the following two ip xfrm policies before executing a test setup:

  • ip xfrm policy update proto udp sport 500 dport 500 dir out priority 1
  • ip xfrm policy update proto udp sport 500 dport 500 dir in priority 1

If other tasks are needed for the tests, the user can write a shell script to do any setup/clean-up task.

Create Setup File

  • the setup file is a text file in YAML format
  • read setup file for documentation of all the settings in the setup file
  • settings with default values can be omitted from the setup file

Example Setup File

see Example Setup

Multiple Test Instance

Besides running a single instance as described above, MyIKEv2 also supports test setups using multiple instances, running on a single server or on multiple servers; see the controller doc for details

2 - Example Setup

Example setups

Example setup

client (enp0s10) —— (enp0s10) gateway

  • interface: enp0s10
  • Tunnel address:
    • Gateway: 11.1.0.1/8
    • Client: start from 11.1.0.2/8
  • Virtual address pool on GW side (assign to client via Config Payload):
    • prefix: 192.168.100.1/24
    • DNS Server address list: 8.8.8.8, 4.4.4.4
  • Certificate/key directories (the following locations are directories):
    • client:
      • CA cert: /usr/local/etc/certdb_ecdsa/client/ca
      • End-Entity cert/key: /usr/local/etc/certdb_ecdsa/client/ee
    • gateway:
      • CA cert: /usr/local/etc/certdb_ecdsa/gw/ca
      • End-Entity cert/key: /usr/local/etc/certdb_ecdsa/gw/ee
    • All certificate and key files must be in clear PEM format
    • End-Entity cert/key file names must follow these rules:
      • the cert file name must end with “.cert”
      • the key file name must end with “.key”
      • the prefix of corresponding cert and key file names must be the same, for example “ee-1_myikev2.cert” and “ee-1_myikev2.key”
    • MyIKEv2 can generate cert/key pairs in batch via the command “myikev2 createpki”
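A quick way to catch naming and format mistakes in these directories before a test run, as an added example rather than code from MyIKEv2: the script below checks that every .cert in eedir has a .key with the same prefix (and vice versa), and that every file in cadir and eedir is clear PEM rather than an encrypted key. The demo directory it builds contains constructed placeholder PEM bodies, not real keys or certificates; in practice you would point it at the output of myikev2 createpki. The same naming rules are repeated in the eedir comment of the default setup file.

```shell
#!/bin/sh
# check_certdirs.sh: verify a MyIKEv2 CA/EE directory layout before a run.
# Added example, not part of MyIKEv2. It enforces only the rules stated
# in the MyIKEv2 docs: files are clear (unencrypted) PEM, EE certs end in
# ".cert", EE keys end in ".key", and each cert has a key with the same
# prefix (and vice versa).

# is_clear_pem <file>: a PEM header is present and there is no
# encryption marker ("BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8,
# "Proc-Type: 4,ENCRYPTED" for legacy PEM encryption).
is_clear_pem() {
    grep -q '^-----BEGIN ' "$1" || return 1
    ! grep -q 'ENCRYPTED' "$1"
}

# check_cadir <dir>: every regular file must be clear PEM.
check_cadir() {
    errors=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if ! is_clear_pem "$f"; then
            echo "cadir: $f is not clear PEM"
            errors=$((errors + 1))
        fi
    done
    [ "$errors" -eq 0 ]
}

# check_eedir <dir>: enforce the .cert/.key pairing rule, then PEM format.
check_eedir() {
    errors=0
    for cert in "$1"/*.cert; do
        [ -f "$cert" ] || continue
        if [ ! -f "${cert%.cert}.key" ]; then
            echo "eedir: $cert has no matching ${cert%.cert}.key"
            errors=$((errors + 1))
        fi
    done
    for key in "$1"/*.key; do
        [ -f "$key" ] || continue
        if [ ! -f "${key%.key}.cert" ]; then
            echo "eedir: $key has no matching ${key%.key}.cert"
            errors=$((errors + 1))
        fi
    done
    for f in "$1"/*.cert "$1"/*.key; do
        [ -f "$f" ] || continue
        if ! is_clear_pem "$f"; then
            echo "eedir: $f is not clear PEM"
            errors=$((errors + 1))
        fi
    done
    [ "$errors" -eq 0 ]
}

# write_pem <file> <type>: constructed PEM-looking placeholder, not a real
# certificate or key; only the header lines matter for these checks.
write_pem() {
    printf '%s\n' "-----BEGIN $2-----" "MIIB...placeholder-body" "-----END $2-----" > "$1"
}

# make_demo_dirs <base>: a sample layout with one valid pair plus two
# deliberate defects (a cert without a key, and an encrypted key).
make_demo_dirs() {
    mkdir -p "$1/ca" "$1/ee"
    write_pem "$1/ca/rootca.cert" CERTIFICATE
    write_pem "$1/ee/ee-1_myikev2.cert" CERTIFICATE
    write_pem "$1/ee/ee-1_myikev2.key" "PRIVATE KEY"
    write_pem "$1/ee/ee-2_myikev2.cert" CERTIFICATE
    write_pem "$1/ee/ee-3_myikev2.key" "ENCRYPTED PRIVATE KEY"
}

# Usage: sh check_certdirs.sh <cadir> <eedir>
if [ $# -eq 2 ]; then
    check_cadir "$1" && check_eedir "$2" && echo "certificate directories look usable"
fi
```

Both check functions print one line per defect and return non-zero if anything was found, so the script can gate a test run: `sh check_certdirs.sh /usr/local/etc/certdb_ecdsa/client/ca /usr/local/etc/certdb_ecdsa/client/ee && myikev2 exec -f cert.setup`.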

Remote-Access Tunnel with Pre-shared Key

  • Client:
numberoftunnels: 10
startclntaddr: "11.1.0.2/8"
peeraddr: "11.1.0.1"
bindifname: "enp0s10"
ikeconf:
  psk: "pre-shared-key"
  installfastpath: true
  ratunnel: true
  childlist:
  -
    peerts:
    -
      startaddr: 9.9.9.9
      endaddr: 9.9.9.9
  • Gateway:
role: gateway
bindifname: "enp0s10"
bindifaddr: "11.1.0.1/8"
poolconf:
  v4startaddr: "192.168.100.1/24"
  v4dnslist: [8.8.8.8,4.4.4.4]
  v6startaddr: ""
  v6dnslist: []
ikeconf:
  psk: "pre-shared-key"
  ikelifetime: 20m
  installfastpath: true
  ratunnel: true
  childlist:
  -
    lifetime: 60m

Remote-Access Tunnel with Certificate Authentication

  • Client:
numberoftunnels: 10
startclntaddr: "11.1.0.2/8"
peeraddr: "11.1.0.1"
bindifname: "enp0s10"
ikeconf:
  authpeermethod: digital-signature
  authownmethod: digital-signature
  cadir: "/usr/local/etc/certdb_ecdsa/client/ca"
  eedir: "/usr/local/etc/certdb_ecdsa/client/ee"
  installfastpath: true
  ratunnel: true
  childlist:
  -
    peerts:
    -
      startaddr: 9.9.9.9
      endaddr: 9.9.9.9
  • Gateway:
role: gateway
bindifname: "enp0s10"
bindifaddr: "11.1.0.1/8"
poolconf:
  v4startaddr: "192.168.100.1/24"
  v4dnslist: [8.8.8.8,4.4.4.4]
  v6startaddr: ""
  v6dnslist: []
ikeconf:
  authpeermethod: digital-signature
  authownmethod: digital-signature
  cadir: "/usr/local/etc/certdb_ecdsa/gw/ca"
  eedir: "/usr/local/etc/certdb_ecdsa/gw/ee"
  installfastpath: true
  ikelifetime: 20m
  ratunnel: true
  childlist:
  -
    lifetime: 10m

Remote-Access Tunnel with EAP-MD5 Authentication

  • client:
    • the client uses eap-snoop, which uses eapol_test; see the EAP document for details
    • “&d” in eapoltestconf will be replaced by an incrementing counter value
    • myid is set to “eapol-test-conf”, which uses the identity from eapoltestconf
numberoftunnels: 10
startclntaddr: "11.1.0.2/8"
peeraddr: "11.1.0.1"
bindifname: "enp0s10"
ikeconf:
  psk: "pre-shared-key"
  authpeermethod: psk
  authownmethod: eap
  eapimplementaion: eap-snoop
  eapoltestconf: |
    network={
        key_mgmt=NONE
        eap=MD5
        identity="bob&d"
        password="bob"
    }
  eapoltestpath: /root/eapol_test
  myid: "eapol-test-conf"
  installfastpath: true
  ratunnel: true
  childlist:
  -
    peerts:
    -
      startaddr: 9.9.9.9
      endaddr: 9.9.9.9
  • gateway:

    • the gateway proxies the EAP exchange to an external RADIUS server
    • the gateway uses EAP to authenticate the client, while the client uses the PSK to authenticate the gateway
role: gateway
bindifname: "enp0s10"
bindifaddr: "11.1.0.1/8"
poolconf:
  v4startaddr: "192.168.100.1/24"
  v4dnslist: [8.8.8.8,4.4.4.4]
  v6startaddr: ""
  v6dnslist: []
ikeconf:
  psk: "pre-shared-key"
  ikelifetime: 20m
  authpeermethod: eap
  authownmethod: psk
  eapradiusss: "testing123"
  eapradiussvr: "127.0.0.1:1812"
  installfastpath: true
  ratunnel: true
  childlist:
  -
    lifetime: 10m

3 - Default Setup File with Comments

MyIKEv2 setup explained

MyIKEv2 uses a YAML file as the setup file for all its configuration; a default setup file can be generated via the command “myikev2 default”.

The following is the default setup file, with a comment describing each option:

# This is a test setup file with default value for MyIKEv2, it is in YAML;
# see comment on top of each option for description
# note: some parameters are only applied to a specific role, as specified in comments; 
#       without it, it means the parameter apply to both roles

# role of the MyIKEv2
# client: tunnel initiator
# gateway: tunnel responder
role: client

# The description of the test setup, displayed at the beginning of the test
desc: ""

# the duration of the test will run for
# the format is like 2h (2 hours),3m (3 minutes),5s (5 seconds)
# zero means test will run forever (10 years)
runningtime: 0s

# client role: the number of tunnels MyIKEv2 will try to create 
# gateway role: the number of tunnel expect peer to create
numberoftunnels: 10

# log level: file log level; 
# note: this is separate from STDOUT log with interactive CLI 
# 1 means only critical msg, 
# 2 means error plus previous level, 
# 3 means warning plus previous level, 
# 4 means information msg plus previous level, 
# 5 means debug (include decoded pkt output) plus previous level
loglevel: 2

# the keyword used to filter out log message
# only messages contains logkeyword will be logged in the log file
# empty means no filter
logkeyword: ""

# the cap size of the log file, in MB, once size exceeds the cap
# current log file will be renamed with a suffix ".prev"
# so it means myikev2 will have maximum two log files, 
# each size at logfilesizecap
# this also applies if loginmem is true
# 0 means no cap
logfilesizecap: 1000

# if true, keep log message in memory,
# only write into file upon finish
# set this true while doing scale test could save some resource on logging
loginmem: false

# if true, myikev2 will abort at the 1st error;
abortonerr: false

# client role only
# starting tunnel address used by MyIKEv2
# each following tunnel will be assigned with +1 of previous tunnel address
# this could be either IPv4 or IPv6 address with prefix length. e.g. x.x.x.x/y
# for example if numberoftunnels is 3 and startclntaddr is 1.1.1.1/24,
# then 1st tunnel gets 1.1.1.1/24, 2nd gets 1.1.1.2/24, 3rd get 1.1.1.3/24
# mandatory, can't be empty
startclntaddr: ""

# Enable MOBIKE(RFC4555)
mobike: false


# client role only
# the number of own tunnel address per tunnel
mobikeaddrpertunnel: 2

# gateway role only
# the number of own tunnel address for the gateway
mobikeaddrpergw: 2

# client role only
# the amount of time MyIKEv2 wait before change to next address
mobikeiplifetime: 5m0s

# client role only
# how MyIKEv2 change the address using MOBIKE
# own-only: only change own tunnel address
# peer-only: only change peer's tunnel address
# both: change both own and peer's tunnel address
mobikechangeaddrtype: own-only

# client role only
# gateway will accept incoming requests regardless its address
# IKEv2 peer's tunnel address, all tunnels created will use this peer address
# mandatory, can't be empty
peeraddr: ""

# the name of Linux interface to which MyIKEv2's own tunnel addresses bind
# note: you should use a dedicated interface,
# since this interface could get flushed during initialization
# mandatory, can't be empty
bindifname: ""

# for gateway role: this is the local tunnel address
# for client role:
# an additional address to add on the binding interface,
# besides MyIKEv2's own tunnel addresses;
# this could be used to facilitate certain routing setups
# this could be either IPv4 or IPv6 address with prefix length.
# e.g. x.x.x.x/y
bindifaddr: ""

# additional static route to be created to facilitate certain routing requirements;
# it should be a "ip route replace ..." command
# use "ip route replace" instead of "ip route add" to avoid failure of repeated running same command
staticroute: ""

# client role only
# the time MyIKEv2 wait before creating next tunnel
setupinterval: 100ms

# client role only
# the interval between tunnel creation retry
tunnelretryinterval: 10s

# client role only
# the max tries for a specific tunnel creation
tunnelmaxretry: 3

# client role only
# for each tunnel,
# the step by which MyIKEv2 will increase the addresses in ownts of the childlist section
# for example, with owntsaddrincrease:3,
# if startaddr and endaddr in ownts config are both 192.168.1.1, 
# then 1st tunnel will use 192.168.1.1-192.168.1.1 as its own TS address range, 
# 2nd tunnel will use 192.168.1.4-192.168.1.4 as its own TS address range ...
owntsaddrincrease: 0

# client role only
# for each tunnel,
# the step by which MyIKEv2 will increase the addresses in peerts of the childlist section
# see comments of owntsaddrincrease for details
peertsaddrincrease: 1

# listening address for API server
apilistenaddr: 0.0.0.0

# listening port for API server
apilistenport: 12330


# flapconf are the config for tunnel flapping, client only
flapconf:
  # enable/disable tunnel flapping
  flapping: false
  # number of tunnel flapping, must <= numberoftunnels
  # -1 means same as numberoftunnels
  numoftunnel: -1
  # the interval between two dials is a random number
  # between minflapinterval and maxflapinterval
  # minflapinterval must >= 10s
  minflapinterval: 30s
  maxflapinterval: 1m0s

# poolconf is for gateway role only
# this is the address pool from which gateway assign address to peer via IKEv2 config payload
# leave it empty means no address allocation
poolconf:
  # starting prefix of IPv4 address pool, in format of a.b.c.d/prefix_len
  v4startaddr: ""
  # a list of IPv4 DNS server addresses
  v4dnslist: []
  # starting prefix of IPv6 address pool, in format of v6_addr/prefix_len
  v6startaddr: ""
  # a list of IPv6 DNS server address
  v6dnslist: []

ikeconf:

# gateway role only
# the number of half-open IKE_SAs that triggers the IKEv2 cookie exchange
# a negative value disables the cookie exchange
  numoftunneltoenablecookie: -1

# Enable repeated auth (RFC4478)
  reauth: false

# gateway role only
# the amount of time after which the peer needs to do reauth
  reauthlifetime: 10s

# IKE request retry interval
  retraninterval: 10s

# the max transmissions of an IKE request
  maxretran: 4

# a list of DH groups during IKE_SA_INIT exchange
# see crypto.md for all supported crypto algorithms
  dhgrpid: 
  - 14 

# enable IKEv2 fragmentation 
  enablefragment: false

# MTU for IKEv2 fragmentation
# note: the MTU here is max size of clear IKEv2 payloads, 
# so the result IKEv2 packet after fragmentation will be bigger than this value with IKEv2 encap/encryption/IP encap overheads
  mtu: 1100

# IKEv2 message reassembly timeout 
  reassembletimeout: 30s  

# client role only
# include INITIAL_CONTACT in first IKE_AUTH request
  initialcontact: true

# a list of IKE integrity Algs
# see crypto.md for all supported crypto algorithms
  ikeintegrityalg: 
  - sha256

# a list of IKE encryption Alg
# see crypto.md for all supported crypto algorithms
  ikeencyptalg:
  - aes-cbc:128

# a list of IKE PRF Alg
# see crypto.md for all supported crypto algorithms
  ikeprfalg: 
  - sha256

# IKEv2 authentication method to authenticate the peer
# support following methods:
# psk: Shared Key Message Integrity Code
# rsa: RSA Digital Signature
# ecdsa-sha256-p256, ecdsa-sha384-p384, ecdsa-sha512-p521: ECDSA auth as defined in RFC4754
# digital-signature: digital signature as defined in RFC7427
# "eap" or "eap-only": EAP authentication
  authpeermethod: psk

# IKEv2 authentication method to authenticate self
# (a.k.a generating own AUTH payload)
# options are same as authpeermethod, 

  authownmethod: psk

# client role only
# EAP authentication implementation
# eap-snoop or eap-file
  eapimplementaion: eap-snoop

# client role only
# the config for eapol_test, used by eap-snoop
# could be multi-line YAML string
# "&d" in eapoltestconf will be replaced by tunnel index 
  eapoltestconf: ""

# client role only
# path to eapol_test binary, used by eap-snoop
  eapoltestpath: /root/gowork/src/myikev2/eapol_test

# client role only
# pcap file used for EAP RADIUS Authentication
# used by eap-file
  eapfile: ""

# gateway role:
# this is the shared secret for radius server 
# client role:
# radius share secret for the pcap file
# used by eap-file  
  eapradiusss: ""

# gateway role:
# this is the address for radius server 
# client role:
# listening address for local radius server
# used by eap-file
# for example, could be sth like "1.1.1.1:1812"
  eapradiussvr: ""

# in case of client role:
# the radius attr type DUT uses to identify a EAP RADIUS auth session
# used by eap-file
# for example, could be 31 (which is Calling-Station-Id)
# in case of gateway role, gateway will insert the specified attribute with value as corresponding's IKESA's own SPI, into access-request
  eapradiusid: 31

# gateway role only
# if true, the gateway sends EAP-Start to radius server at the beginning of EAP exchanges,
# otherwise, sends EAP-ID/Response with User-Name to radius server first
  eapsendstart: true

# local IKEv2 ID payload, supports following:
# client-src-addr: using own tunnel address, type ID_IPV4_ADDR or ID_IPV6_ADDR
# eapol-test-conf: using identity of eapol_test config
# eapusepcap: use the user-name in 1st access-request pkt in eapfile 
# cert-dn: use assigned certificate Subject, type ID_DER_ASN1_DN
# an IPv4 or IPv6 address, type ID_IPV4_ADDR or ID_IPV6_ADDR
# a RFC822 address (e.g. email addr), type ID_RFC822_ADDR
# a FQDN, type ID_FQDN 
# the default type is ID_FQDN
  myid: client-src-addr


# client tunnel only
# This is to configure IDr in IKE_AUTH request message
# supports following:
# peer-addr: using configured peer address
# an IPv4 or IPv6 address, type ID_IPV4_ADDR or ID_IPV6_ADDR
# a RFC822 address (e.g. email addr), type ID_RFC822_ADDR
# a FQDN, type ID_FQDN 
# the default type is ID_FQDN
# if not specified, then there is no IDr in the IKE_AUTH request message
  peerid: ""

# client tunnel only
# if set true, match the received IDr in the IKE_AUTH response with the configured peerid
# fail the tunnel setup if they don't match
  matchpeerid: false

# The path to where CA certificates are stored;
# the certificate must be in PEM format
# mandatory if PKI related authentication is used
  cadir: ""

# The path to where End Entity certificates and keys are stored;
# both certificate and key files must be in clear PEM format;
# the file names of certificates/keys must be the same as the files that were generated
# End-Entity cert/key file names must follow these rules:
#  * cert file name must end with ".cert"
#  * key file name must end with ".key"
#  * the prefix of corresponding cert and key file names must be the same, for example "ee-1_myikev2.cert" and "ee-1_myikev2.key"
# mandatory if PKI related authentication is used
  eedir: ""

# Hash alg for digital signature (RFC7427) authentication
# this will be included in generated SIGNATURE_HASH_ALGORITHMS notification
  dshashalg: sha256

# enable using RSA PSS signature, default is PKCS1.5 signature
  usersapss: false

# Pre-Shared key for psk authentication
  psk: ""

# if true:
#     CERTREQ payload only include CAs whose filename's suffix contains "reqp"
#     In addition to the signing EE cert, CERT payloads from CAs whose filename's suffix contains "certp" are sent
# if false:
#     CERTREQ payload only include root CAs
#     only CERT payload from signing EE cert will be sent 
  sendingmarkedca: false

# if initiate DPD  
  initiatedpd: true

# force using DPD even peer's IKEv2 msg is received
  forcedpd: false

# DPD interval  
  dpdinterval: 30s

# IKE SA lifetime
  ikelifetime: 10m0s

# amount of time when MyIKEv2 initiate IKE_SA rekey before it expires; 
# for example if ikelifetime is 10 minutes, margintime is 2 minutes, 
# then IKE_SA rekey will be initiated at 8 minutes 
  margintime: 1m0s

#
# when set to true, MyIKEv2 will derive in-use margintime from range (0,margintime)
# 

  jitter: true

# install CHILD_SA to fastpath if true, e.g. linux kernel;
# in case IKEv2 only tests, you could choose to set this to false,
# so that it consumes fewer resources
  installfastpath: false

# the name of interface which assigned virtual address will be attached to,
# client role only
  virtualipif: lo

# MyIKEv2 will keep rekeyed CHILD SA if true; 
# note: set this to true in scale test could consume more memory
  keepchildhistory: false

# MyIKEv2 will keep rekeyed IKE SA if true; 
# note: set this to true in scale test could consume more memory
  keepikehistory: false

# client role only
# setting true to use the configuration payload to request the following attributes:
# INTERNAL_IP4_ADDRESS / INTERNAL_IP4_DNS
# INTERNAL_IP6_DNS / INTERNAL_IP6_ADDRESS
  ratunnel: false

# setting true to enable NAT-Traversal
  enablenatt: false

# set to true to include NO_NATS_ALLOWED notification in IKE_AUTH request and UPDATE_SA_ADDRESSES request.
  disallownat: false

# the interval of sending NAT-T keepalive, setting to zero disable it 
  nattkeepaliveinterval: 0s

# if true, enable ESP or UDP encap
  traditionalencap: true

# if true, force to use UDP encap
  tradtionalencapforceudp: false

# if true, enable TCP encap
  tcpencap: false

# own port for TCP encap
  owntcpport: 4500

# peer port for TCP encap
  peertcpport: 4500


# a list of CHILD SA configs, could be one or multiple sets of the following config
  childlist:

# setting tunnelmode as false to create transport mode CHILD_SA
  - tunnelmode: true

# a list of CHILD SA integrity Algs
# see crypto.md for all supported crypto algorithms
    integrityalg: 
    - sha256

# a list of CHILD SA encryption Algs
# see crypto.md for all supported crypto algorithms
    encalg: 
    - aes-cbc:128

# CHILD SA protocol
# see crypto.md for all supported crypto algorithms
    protocol: esp

# CHILD SA lifetime
# note: CHILD_SA rekey will also use margintime as IKE SA
    lifetime: 5m0s

# whether to use ESN
    esn: false

# whether to use PFS (Perfect Forward Secrecy)
    pfsenabled: false

# a list of DH groups for PFS
    pfsgrpid: 
    - 14

# the size of anti-replay window
    replaywindowsize: 256

# if true, use configured TS for CHILD_SA rekey, otherwise uses TS of previous CHILD_SA
    useprovisionedtsforrekey: false

# Own Traffic Selector (TS) config
    ownts:

    # IP version, v4 or v6
    - type: v4

    # TS protocol, 0 means any
      protocol: 0

    # start port of the port range      
      startport: 0
      
    # end port of the port range  
      endport: 65535
    
    # start address of the address range
      startaddr: 0.0.0.0
    
    # end address of the address range
      endaddr: 255.255.255.255

# Peer Traffic Selector (TS) config   
    peerts:
    - type: v4
      protocol: 0
      startport: 0
      endport: 65535
      startaddr: 0.0.0.0
      endaddr: 255.255.255.255

# Built-in Ping test
pingconf:

# if true, the first address of negotiated TSi/TSr will be used as
# src/dst address of ICMP packet
  autoaddr: false

# type of ping, choice of icmp or udp
# in case of udp, myikev2 echosvr need to be used as the target
  ptype: icmp

# the UDP port used by UDP ping (as both src and dst)
  udpport: 9922

# if true, myikev2 will auto add ping's src address to the interface specified by virtualipif, 
# can't be enabled for client remote-access tunnel
  assignsrc: false

# ping dest of 1st tunnel; empty means disable whole ping test
  destaddr: ""

# step increase for ping dest addr of following tunnels
  deststep: 1

# ping src of 1st tunnel; empty means let OS select src 
  srcaddr: ""

# step increase for ping src addr of following tunnels
  srcstep: 1

# interval between each ping ECHO request 
  interval: 1s

# interval between creating two consecutive ping tasks
  setupinterval: 10ms

# size of ping; the actual IP packet size is bigger than this
  pktlen: 64

# the percentage of max packet loss rate for a given task; 
# generate error event if rate exceeds this value
  maxlossrate: 10

# the amount of time system waits before start ping, after:
# client role: all tunnel are created
# gateway role: gateway is created 
  holdtime: 10s
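The ikelifetime, margintime and jitter settings, together with the lifetime of each childlist entry, determine when MyIKEv2 initiates rekeys. The script below is an added example, not MyIKEv2 code: it parses the duration format used in the setup file (2h, 3m, 5s, 10m0s, 100ms) and reports the rekey schedule exactly as the margintime comment defines it, including the (lifetime - margintime, lifetime) window that applies when jitter is true. Treating a margintime that is not shorter than an SA lifetime as an error is this script's own choice; the documentation only gives the subtraction.

```shell
#!/bin/sh
# rekey_schedule.sh: work out when MyIKEv2 will initiate rekeys from the
# lifetime and margintime values of a setup file. Added example, not
# MyIKEv2 code. Durations use the setup-file format shown above (2h, 3m,
# 5s, and combined forms such as 10m0s or 100ms). The arithmetic follows
# the margintime comment: the rekey is initiated at lifetime - margintime,
# and with jitter: true the in-use margin is drawn from (0, margintime).

# duration_seconds <duration>: print the whole number of seconds.
# Fails on anything it cannot parse, so a typo such as "10min" or a
# bare "10" is reported instead of being silently treated as zero.
duration_seconds() {
    rest=$1
    total=0
    [ -n "$rest" ] || return 1
    while [ -n "$rest" ]; do
        num=${rest%%[!0-9]*}        # leading digits
        unit=${rest#"$num"}         # what follows the digits
        unit_tok=${unit%%[0-9]*}    # unit letters up to the next digit
        rest=${unit#"$unit_tok"}
        [ -n "$num" ] || return 1
        case $unit_tok in
            h)  total=$((total + num * 3600)) ;;
            m)  total=$((total + num * 60)) ;;
            s)  total=$((total + num)) ;;
            ms) total=$((total + num / 1000)) ;;
            *)  return 1 ;;
        esac
    done
    echo "$total"
}

# rekey_at <lifetime> <margintime>: seconds after SA creation at which
# the rekey is initiated with jitter disabled. Fails when margintime is
# not shorter than the lifetime (the subtraction would put the rekey at
# or before creation); treating that as an error is this script's choice.
rekey_at() {
    life=$(duration_seconds "$1") || return 1
    margin=$(duration_seconds "$2") || return 1
    [ "$margin" -lt "$life" ] || return 1
    echo $((life - margin))
}

# rekey_window <lifetime> <margintime>: with jitter: true the rekey falls
# somewhere in (lifetime - margintime, lifetime). Prints "earliest latest".
rekey_window() {
    life=$(duration_seconds "$1") || return 1
    margin=$(duration_seconds "$2") || return 1
    [ "$margin" -lt "$life" ] || return 1
    echo "$((life - margin)) $life"
}

# check_setup_lifetimes <ikelifetime> <margintime> <child lifetime>...
# margintime is shared by IKE_SA and CHILD_SA rekeys, so it must be
# shorter than every lifetime in the setup.
check_setup_lifetimes() {
    ike=$1
    margin=$2
    shift 2
    if ! at=$(rekey_at "$ike" "$margin"); then
        echo "margintime $margin must be shorter than ikelifetime $ike"
        return 1
    fi
    echo "IKE_SA:   lifetime $ike, rekey initiated at ${at}s"
    for child in "$@"; do
        if ! at=$(rekey_at "$child" "$margin"); then
            echo "margintime $margin must be shorter than CHILD_SA lifetime $child"
            return 1
        fi
        echo "CHILD_SA: lifetime $child, rekey initiated at ${at}s"
    done
}

# Usage, with the values from the PSK gateway example above:
#   sh rekey_schedule.sh 20m 1m0s 60m
if [ $# -ge 2 ]; then
    check_setup_lifetimes "$@"
fi
```

With the default margintime of 1m0s and the PSK gateway example (ikelifetime 20m, child lifetime 60m) the IKE_SA rekey is initiated 1140s after creation and the CHILD_SA rekey at 3540s; with jitter enabled each moves somewhere inside the last minute of the respective lifetime.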

4 - CLI Usage

MyIKEv2 CLI Usage

MyIKEv2 is a command-line based IKEv2/IPsec testing tool; it has the following CLI commands:

MyIKEv2, an IKEv2/IPsec testing tool; Ver 4.7
https://www.myikev2.net
=======================
  = exec: execute a myikev2 test setup file
    - crlf: crash log file path
    - f: test setup file name
    - flush: flush interface and xfrm states at the begining
        default:true
    - i: enable interactive CLI
        default:false
    - j: result formated as json
        default:false
    - l: license file path
        default:/etc/myikev2.lic
    - lf: log file path
        default:myikev2.log
    - p: enable profiling, dev use only
        default:false
  = createpki: creates x.509v3 CA/EE certficates/keys
    - c: number of EE cert/key pairs
        default:1
    - cadir: CA certs folder
    - cakeytype: the CA key type/curve and key length, like rsa:2048, ecdsa:p-384 or ed25519
        default:rsa:4096
    - caprefix: prefix to CA cert's subject's CN
    - eedir: EE certs folder
    - eekeytype: the EE key type/curve and key length, like rsa:2048, ecdsa:p-384 or ed25519
        default:rsa:2048
    - eeprefix: prefix to EE cert's subject's CN
    - l: length of CA chain
        default:1
  = default: export default setup or freeradius user file
    = setup:
      - f: export file name
        default:default_myikev2.setup
    = freeradius:
      - c: the number of credentials
        default:10
      - f: export file name
        default:users
      - temp: freeradius user config template
        default:bob&d    Cleartext-Password := "bob"
  = cli: connect to a myikev2 instance's interactive CLI
    - svr:
        default:127.0.0.1:12330
  = daemon: start myikev2 test daemon
    - lf: log file path
        default:myikev2_daemon.log
    - loglvl: logging level
        default:2
    - p: enable profiling
        default:false
    - listen: listening address:port
        default:0.0.0.0:12240
  = control:
    = cli: enter myikev2 controller interactive CLI
      - c: config file for the controller
        default:/etc/myikev2_controller.conf
      - lf: log file path
        default:myikev2_controller.log
      - o: override existing test instance
        default:true
    = example: create an example recipe file
  = echosvr: start UDP echo server
    - count: number of listening address
        default:1
    - port: listening port
        default:9922
    - startip: starting listening addr
    - step: step
        default:1

myikev2 exec

myikev2 exec executes the test setup file specified by -f <setup_file_path>; the test setup file is a single YAML file that defines the test, see setup file for details.

-l <license_file_path> specifies an alternative location for the license file instead of the default location (/etc/myikev2.lic); without a valid license file, MyIKEv2 will run in trial mode;

-lf <log_file_path> specifies log file path; default is myikev2.log at current directory.

With -i, an interactive shell will be opened after the setup file is loaded, which allows the user to monitor the running test;

With -j, the tunnel creation result will be printed in JSON format

With -flush false, MyIKEv2 will not flush the binding-interface and XFRM states/policy

-p is used for collecting MyIKEv2’s running information, for troubleshooting MyIKEv2 itself

-crlf specifies the crash log file

Example

  • myikev2 exec -f testcase1.setup : run test as defined in file testcase1.setup
  • myikev2 exec -f testcase1.setup -i -lf /var/log/testcase1.log : run test as defined in file testcase1.setup, open the interactive shell, and log to /var/log/testcase1.log

myikev2 createpki

myikev2 createpki creates PKI keys/certificates in batch, which can be used for IKEv2 authentication testing;

Basic usage is myikev2 createpki -c <number_of_key/cert_pairs> -cadir <CA_certs_dirname> -eedir <EE_certs_dirname>, which will create the following files:

  • under cadir:

    • rootca.cert: Root CA certificate
    • rootca.key: Root CA’s key
    • sub-lv-1_myikev2.cert: a sub-CA’s certificate, signed by Root CA
    • sub-lv-1_myikev2.key: sub-CA’s key
  • under eedir:

    • ee-<x>_myikev2.cert: an End Entity certificate, signed by sub-lv-1_myikev2; x is from 0 to the number specified by -c
    • ee-<x>_myikev2.key: the key of corresponding certificate
  • note: the type of above cert/key are by default RSA

-keytype {rsa:<keylen>|ecdsa:<curve>|ed25519} is used to specify the type of key

-l <number> specifies the number of sub-CAs in the CA chain; the default is 1, and it can be 0;

myikev2 default

myikev2 default setup -f <filename> exports a default setup file to <filename>, which can serve as the starting point of a new setup file.

myikev2 default freeradius -f <filename> -c <count> -temp <template_string> exports a freeradius user config file with <count> entries, using a template string; the &d in the template string is replaced by an increasing number starting from zero; for example myikev2 default freeradius -f users -c 3 -temp "bob&d Cleartext-Password := \"bob\"" will export a users file with the following content:

bob0    Cleartext-Password := "bob"
bob1    Cleartext-Password := "bob"
bob2    Cleartext-Password := "bob"

myikev2 daemon

run MyIKEv2 as daemon, which could be controlled by a controller, see controller doc for details

myikev2 control cli

Enters the MyIKEv2 controller interactive CLI; see the controller doc for details.

myikev2 control example

Creates example controller configuration and recipe files; see the controller doc for details.

myikev2 echosvr

Runs the MyIKEv2 echo server; see the ping doc for details.

5 - MyIKEv2 Interactive Shell

MyIKEv2 Interactive Shell

MyIKEv2 provides an interactive CLI when the -i parameter is given to the myikev2 exec command. It provides the following commands:

- log
set log level and filter keyword; log [-kw <keyword>] {-l <level>|no}
'log -l no' to disable logging

- uptime
display uptime

- quit
Exit

- psummary
Ping tasks summary
psummary [-start <start>] [-len <len>]

- clearping
clear ping stats

- dump
dump a IKE SA: dump <IKE_SA_OWN_SPI>

- list
show list of IKE SA

- listchild
list all CHILD_SA of the specified IKE_SA: listchild <ike_spi>

- dumpchild
dump specified CHILD_SA: dumpchild <child_spi>

- rekeychild
rekey specified CHILD_SA: rekeychild <child_spi>

- pool
Address pool usage

- shell
go into system shell

- stop
stop all tunnels gracefully

summary

The summary command prints the current running summary of MyIKEv2:

myikev2>>summary
Test setup file: psk.setup
Test started at Wed, 10 Apr 2019 16:01:30 PDT
Tunnel creation started at Wed, 10 Apr 2019 16:01:34 PDT
Tunnel creation finished at Wed, 10 Apr 2019 16:01:51 PDT;
100 tunnel created; took 16.588848566s; avg 6.0281463 tunnels per second
Total number of configed tunnels: 100
IKE SA stats: 100 total, Live 100, 100 has child
Initial: 0              Created: 0
Established: 100        Rekeying: 0
Rekeyed: 0              Closing: 0
Closed: 0

psummary

The psummary command prints the current running summary of the ping tasks:

myikev2>>psummary
Ping tasks summary:
Total tasks: 10
Total sent pkt:310                      Total recvd pkt:310

log

The command log -l <new_level> changes the current STDOUT log level (note: this is different from the file log level specified in the setup file).

Use log -l no to disable STDOUT logging.

The optional -kw <keyword> specifies a keyword used to filter log messages.

Use log without any parameter to display the current setting.

myikev2>>log -l 5 -kw 92EA3066263FCF8D
new log level is now 5
now filter log that contains '92EA3066263FCF8D'

uptime

The uptime command prints the running time:

myikev2>>uptime
Current Mon, 21 Jan 2019 16:07:03 PST, Setup started at Mon, 21 Jan 2019 16:03:14 PST,  running time: 3m49s

list

The list command prints the SPIs of the existing IKE SAs; it accepts two parameters:

  • -start <index>: the index of first returned IKE SA
  • -len <number>: the number of returned IKE SA
myikev2>>list -len 5 -start 0
following are the IKESA SPIs from 0 to 5
FBD386BA6A47029A
06AE54F413623931
B893DBAE20FF1EF7
D76A0444DE3D89B4
09FC098CE8455955
DE0575F7B4A0DFC9

dump

The dump command prints the details of a given IKE SA, selected by its SPI:

myikev2>>dump 5DFA8EF4CD3FE5F8

Own spi: 5DFA8EF4CD3FE5F8               Peer spi: 5DFA8EF5C308A7AC
Own addr: 11.1.0.2                      Peer addr: 11.1.0.1
State: established                      Close code: n/a
Enc Alg: aes-cbc                        Enc Keylen: 16
Integrity Alg: sha256                   Prf Alg: sha256
Own Auth: psk                           Peer Auth: psk
My Id Type: IPV4_ADDR                   Hash Alg for DS: sha1-96
Use RSA PSS: false                      Psk: pre-shared-key
Initiae DPD: true                       Force DPD: false
DPD interval: 30s                       IKE lifetime: 10m0s
Rekey Margin time: 1m0s                 Jitter: true
Install Fastpath: true                  Keep CHILD_SA history: false
Keep IKE_SA history: false              Enable NAT-T: false
NAT-T keepalive interval: 30s
creation time: Wed, 18 Dec 2019 12:41:26 PST
Last Rcv Pkt time: Wed, 18 Dec 2019 12:41:26 PST
Last send DPD req time: Wed, 18 Dec 2019 12:41:24 PST
Keys:
SK_ei: CB07C6B318ABD9631D9DD2FB9942C3A3
SK_er: C1719A1969EC844EB80F89BF72713C1F
SK_ai: B6D3BE0C7B7789E0A256538C572F34F5CFD9255982D3DA629F79DE3966653C41
SK_ar: BF3C54610BB7D058ABD65559EEDA78C65E361267A316D2522A2277784FD79663

listchild

The command listchild <IKE_SA_SPI> returns the SPIs of all CHILD_SAs of the specified IKE_SA:

myikev2>>listchild 5DFA9BD4825D0DED
624B2A

dumpchild

The command dumpchild <CHILD_SA_SPI> prints the details of the specified CHILD_SA:

myikev2>>dumpchild 23137B18

State:established
Tunnel mode: true                       Parent IKESA: 5DFBC6027BDA3761
Own spi: 23137B18                       Peer spi: E8B3F2C9
Own addr: 11.1.0.2                      Peer addr: 11.1.0.1
Enc alg: aes-cbc                        keylen: 128
Integrity alg: sha256                   lifetime: seconds:300
ESN: false                              Replay Window Size: 256
creation time: Thu, 19 Dec 2019 10:48:36 PST
OwnTS:
type:ipv4, protocol:any, addr-range: 192.168.100.1 - 192.168.100.1, port-range: 0 - 65535
PeerTS:
type:ipv4, protocol:any, addr-range: 9.9.9.9 - 9.9.9.9, port-range: 0 - 65535
SK_ei:1D1E3F73972DB25C5DE447478D4BB78F
SK_er:0DEF882A30D456B43EE3AE9658ACE4AA
SK_ai:DB85C1E113C1F646F621D56D2504E94FD35ED4180BE82B4DD4E34134C551A570
SK_ar:1C05234E5ACA7F43A01FCEEE05B18B2C3EF2816D22A6CCCFD70CD22B69B5C528
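The dump and dumpchild output above is the natural hook for test automation driven through the interactive shell. As an added example (not MyIKEv2's own code), the following Go program parses the two-column "Key: value" layout into a map and, before anything is logged or attached to a test report, redacts the fields that carry key material (the SK_* keys and the Psk shown by dump). The sample input is the dumpchild output quoted above; the field names used for redaction are the ones that appear in this page's output.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Added example, not MyIKEv2 code: parse `dump` / `dumpchild` shell output.
// Columns are separated by runs of two or more spaces; each column is "Key: value".
var colSep = regexp.MustCompile(`\s{2,}`)

// secretFields are the dump fields that print session keys or the PSK.
var secretFields = map[string]bool{
	"SK_ei": true, "SK_er": true, "SK_ai": true, "SK_ar": true, "Psk": true,
}

// ParseDump converts dump output into a key/value map. A key ending in "TS"
// with no value on its line (OwnTS:, PeerTS:) takes the following line as its
// value, which is the traffic selector; other empty keys (Keys:) are skipped.
func ParseDump(out string) map[string]string {
	fields := make(map[string]string)
	pending := ""
	for _, line := range strings.Split(out, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if pending != "" {
			fields[pending] = line
			pending = ""
			continue
		}
		for _, col := range colSep.Split(line, -1) {
			key, val, ok := strings.Cut(col, ":")
			if !ok {
				continue
			}
			key, val = strings.TrimSpace(key), strings.TrimSpace(val)
			switch {
			case val != "":
				fields[key] = val
			case strings.HasSuffix(key, "TS"):
				pending = key
			}
		}
	}
	return fields
}

// Redact returns a copy of fields with secret values replaced, so the map can
// go into a log or a test report without leaking session keys.
func Redact(fields map[string]string) map[string]string {
	clean := make(map[string]string, len(fields))
	for k, v := range fields {
		if secretFields[k] {
			v = "<redacted>"
		}
		clean[k] = v
	}
	return clean
}

// sampleDumpChild is the dumpchild output shown on this page.
const sampleDumpChild = `State:established
Tunnel mode: true                       Parent IKESA: 5DFBC6027BDA3761
Own spi: 23137B18                       Peer spi: E8B3F2C9
Own addr: 11.1.0.2                      Peer addr: 11.1.0.1
Enc alg: aes-cbc                        keylen: 128
Integrity alg: sha256                   lifetime: seconds:300
ESN: false                              Replay Window Size: 256
creation time: Thu, 19 Dec 2019 10:48:36 PST
OwnTS:
type:ipv4, protocol:any, addr-range: 192.168.100.1 - 192.168.100.1, port-range: 0 - 65535
PeerTS:
type:ipv4, protocol:any, addr-range: 9.9.9.9 - 9.9.9.9, port-range: 0 - 65535
SK_ei:1D1E3F73972DB25C5DE447478D4BB78F
SK_er:0DEF882A30D456B43EE3AE9658ACE4AA
SK_ai:DB85C1E113C1F646F621D56D2504E94FD35ED4180BE82B4DD4E34134C551A570
SK_ar:1C05234E5ACA7F43A01FCEEE05B18B2C3EF2816D22A6CCCFD70CD22B69B5C528`

func main() {
	fields := Redact(ParseDump(sampleDumpChild))
	keys := make([]string, 0, len(fields))
	for k := range fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-20s %s\n", k, fields[k])
	}
}
```

The same parser handles the IKE SA dump output, since it uses the same column layout; there the Psk field is redacted as well.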

rekeychild

rekeychild <child_spi> triggers a rekey of the specified CHILD_SA.

psummary

This command prints the stats of the specified ping tasks:

client-1>>psummary -len 10
Ping tasks summary:
8.8.8.1 <-> 9.9.9.1: send 682925 recv 682925, miss 0
8.8.8.2 <-> 9.9.9.2: send 682925 recv 682925, miss 0
8.8.8.3 <-> 9.9.9.3: send 682925 recv 682924, miss 1
8.8.8.4 <-> 9.9.9.4: send 682925 recv 682923, miss 2
8.8.8.5 <-> 9.9.9.5: send 682925 recv 682922, miss 3
8.8.8.6 <-> 9.9.9.6: send 682925 recv 682922, miss 3
8.8.8.7 <-> 9.9.9.7: send 682925 recv 682922, miss 3
8.8.8.8 <-> 9.9.9.8: send 682925 recv 682922, miss 3
8.8.8.9 <-> 9.9.9.9: send 682925 recv 682922, miss 3
8.8.8.10 <-> 9.9.9.10: send 682925 recv 682922, miss 3
Total(showing) tasks: 10
Total(showing) Sent:6829250 Recv:6829229, Miss:21
Gloabl Sent:6829250 Recv:6829229, Miss:21
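The per-task lines above are what an automated run checks against the maxlossrate setting in pingconf (a percentage; see the ping doc). As an added example that is not MyIKEv2 code, the following Go program parses those lines, checks that the printed counters agree (sent minus recv equals miss), and lists the tasks whose loss rate exceeds a threshold; the threshold used in main() is constructed for the demo and the sample input is the psummary output quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Added example, not MyIKEv2 code: parse the per-task lines of `psummary` and
// apply a percentage loss check like the one maxlossrate in pingconf describes.

// taskLine matches "8.8.8.3 <-> 9.9.9.3: send 682925 recv 682924, miss 1".
var taskLine = regexp.MustCompile(`^(\S+) <-> (\S+): send (\d+) recv (\d+), miss (\d+)$`)

// PingTask is one ping session's counters as printed by psummary.
type PingTask struct {
	Src, Dst         string
	Sent, Recv, Miss int
}

// LossRate returns the loss in percent (0..100); a task that sent nothing has 0 loss.
func (p PingTask) LossRate() float64 {
	if p.Sent == 0 {
		return 0
	}
	return float64(p.Miss) * 100 / float64(p.Sent)
}

// Consistent reports whether the printed counters agree (sent - recv == miss).
func (p PingTask) Consistent() bool { return p.Sent-p.Recv == p.Miss }

// ParsePsummary extracts the per-task lines; the header and total lines are ignored.
func ParsePsummary(out string) ([]PingTask, error) {
	var tasks []PingTask
	for _, line := range strings.Split(out, "\n") {
		m := taskLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		var n [3]int
		for i := range n {
			v, err := strconv.Atoi(m[3+i])
			if err != nil {
				return nil, fmt.Errorf("bad counter in %q: %w", line, err)
			}
			n[i] = v
		}
		tasks = append(tasks, PingTask{Src: m[1], Dst: m[2], Sent: n[0], Recv: n[1], Miss: n[2]})
	}
	return tasks, nil
}

// OverLoss returns the tasks whose loss rate exceeds maxLossRate percent.
func OverLoss(tasks []PingTask, maxLossRate float64) []PingTask {
	var bad []PingTask
	for _, t := range tasks {
		if t.LossRate() > maxLossRate {
			bad = append(bad, t)
		}
	}
	return bad
}

// samplePsummary is the psummary output shown on this page.
const samplePsummary = `Ping tasks summary:
8.8.8.1 <-> 9.9.9.1: send 682925 recv 682925, miss 0
8.8.8.2 <-> 9.9.9.2: send 682925 recv 682925, miss 0
8.8.8.3 <-> 9.9.9.3: send 682925 recv 682924, miss 1
8.8.8.4 <-> 9.9.9.4: send 682925 recv 682923, miss 2
8.8.8.5 <-> 9.9.9.5: send 682925 recv 682922, miss 3
8.8.8.6 <-> 9.9.9.6: send 682925 recv 682922, miss 3
8.8.8.7 <-> 9.9.9.7: send 682925 recv 682922, miss 3
8.8.8.8 <-> 9.9.9.8: send 682925 recv 682922, miss 3
8.8.8.9 <-> 9.9.9.9: send 682925 recv 682922, miss 3
8.8.8.10 <-> 9.9.9.10: send 682925 recv 682922, miss 3
Total(showing) tasks: 10
Total(showing) Sent:6829250 Recv:6829229, Miss:21
Gloabl Sent:6829250 Recv:6829229, Miss:21`

func main() {
	tasks, err := ParsePsummary(samplePsummary)
	if err != nil {
		panic(err)
	}
	for _, t := range OverLoss(tasks, 0.0003) { // constructed threshold for the demo
		fmt.Printf("%s -> %s: %.6f%% loss (consistent: %v)\n", t.Src, t.Dst, t.LossRate(), t.Consistent())
	}
}
```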

clearping

This command clears the ping stats.

shell

This command drops into the system shell.

pool

This command prints the internal address pool usage (gateway role only).

stop

This command stops all tunnels gracefully (e.g. by sending an IKE delete message to the peer).

6 - IPsec Mode & Tunnel Type

IPsec mode & tunnel types supported by MyIKEv2

MyIKEv2 supports both transport mode and tunnel mode. For tunnel mode, the following two types of IPsec tunnel are supported, as either tunnel initiator or responder:

  • LAN-to-LAN (L2L) tunnel
  • Remote-Access (RA) tunnel

The key difference is that an RA tunnel uses the IKEv2 configuration payload while an L2L tunnel does not.

For the client role, the tunnel type is specified by the value of “ratunnel” in the setup file:

  • true: RA
  • false: L2L

For the gateway role, the tunnel type is determined by whether the peer includes a configuration payload in the IKE_AUTH request.

LAN-to-LAN Tunnel

An L2L tunnel is typically used for a router-to-router connection, a.k.a. LAN-to-LAN:

LAN_1 --- R1 ----L2L_Tunnel --- R2 --- LAN_2

The clear traffic of an L2L tunnel can come either from the local host or from other hosts behind it; in the above example, the clear traffic that R1 forwards into the L2L tunnel can come either from R1 itself or from other hosts on LAN_1.

Remote-Access Tunnel

An RA tunnel is typically used for road-warrior remote access, a.k.a. corporate remote-access VPN:

client --- RA_Tunnel --- VPN_GW --- Private_LAN

The client typically requests an internal address and a DNS server address from VPN_GW in order to access Private_LAN; the assignment is done by negotiating the IKEv2 configuration payload.

The client in this case is typically a PC or a mobile device; all the clear traffic the client sends into the RA tunnel comes from the local host and uses the assigned internal address as its source address; the negotiated TSi is typically assigned_addr/32 or assigned_address/128.

Transport Mode

To use transport mode, configure childlist->tunnelmode: false in the setup file; this is a per-CHILD_SA setting.

Fastpath

see Fast Path

7 - Data Path

MyIKEv2 datapath

The datapath of MyIKEv2 relies on the Linux kernel XFRM framework; it uses the “ip xfrm” and “ip route” commands to add XFRM states/policies and the corresponding routes.

The datapath is installed when “installfastpath” in the setup file is set to “true”; if only IKEv2 protocol tests are required, this setting can be turned off to save resources.

MyIKEv2 uses route table 330 to store all generated routes.

For TCP encapsulation, Linux kernel >= v5.6 is required.

Datapath of Remote-Access Tunnel

A Remote-Access tunnel is one where the IKEv2 configuration payload is used to request an IPv4/IPv6 internal address/DNS server from the DUT; the typical use case is the road warrior.

Following is an example of the installed XFRM state/policy and route; the example tunnel has the following attributes:

  • local tunnel address is 11.1.0.2, peer’s is 11.1.0.1
  • negotiated TSi is 192.168.1.100/32 (the assigned internal address)
  • negotiated TSr is 192.168.2.0/24
  • enp0s10 is the egress interface to reach peer
root@myikev2:~# ip xfrm state
src 11.1.0.1 dst 11.1.0.2
        proto esp spi 0x73ff0a18 reqid 1 mode tunnel
        replay-window 0
        auth-trunc hmac(sha1) 0xf28ac369864e7d46421651fb49e753a314e40b91 96
        enc cbc(aes) 0x3f21e63bdab65797b5607a4f1f4137ee
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 0.0.0.0/0 dst 0.0.0.0/0
src 11.1.0.2 dst 11.1.0.1
        proto esp spi 0xc1cac31d reqid 1 mode tunnel
        replay-window 0
        auth-trunc hmac(sha1) 0x26e8f81adb58014aed8893fa37ec2b951768edbe 96
        enc cbc(aes) 0x4feb7f5e23b1a7afe2960db37d833b3e
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 0.0.0.0/0 dst 0.0.0.0/0
root@myikev2:~# ip xfrm policy
src 192.168.2.0/24 dst 192.168.1.100/32
        dir fwd priority 0
        tmpl src 11.1.0.1 dst 11.1.0.2
                proto esp reqid 1 mode tunnel
src 192.168.2.0/24 dst 192.168.1.100/32
        dir in priority 0
        tmpl src 11.1.0.1 dst 11.1.0.2
                proto esp reqid 1 mode tunnel
src 192.168.1.100/32 dst 192.168.2.0/24
        dir out priority 0
        tmpl src 11.1.0.2 dst 11.1.0.1
                proto esp spi 0xc1cac31d reqid 1 mode tunnel
root@myikev2:~# ip route list table 330
192.168.2.0/24 dev enp0s10 proto static scope link src 192.168.1.100

The assigned internal address 192.168.1.100 is used as source address for traffic destined to 192.168.2.0/24.

Datapath for LAN-to-LAN Tunnel

LAN-to-LAN is where the IKEv2 configuration payload is not used; the typical use case is connecting two routers.

Following is an example of the installed XFRM state/policy and route; the example tunnel has the following attributes:

  • local tunnel address is 2001:dead::1, peer’s is 2001:dead::ffff
  • negotiated TSi is 2001:aaaa::1/128
  • negotiated TSr is 2001:abcd::1/128
  • enp0s10 is the egress interface to reach peer
root@myikev2:~# ip xfrm state
src 2001:dead::ffff dst 2001:dead::1
        proto esp spi 0x3be2f2a6 reqid 1 mode tunnel
        replay-window 0
        auth-trunc hmac(sha1) 0x9a402be9b41c0c28511b1541ae914b9446e8f2b4 96
        enc cbc(aes) 0x0ac7738a8d0c72a083cef19eab042609
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src ::/0 dst ::/0
src 2001:dead::1 dst 2001:dead::ffff
        proto esp spi 0xc6dcb76d reqid 1 mode tunnel
        replay-window 0
        auth-trunc hmac(sha1) 0x2c408618a696a043465fe218a4404785aeb61a58 96
        enc cbc(aes) 0xb0c44374d7e5a903fc78a92a691b06cf
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src ::/0 dst ::/0
root@myikev2:~# ip xfrm policy
src 2001:abcd::1/128 dst 2001:aaaa::1/128
        dir fwd priority 0
        tmpl src 2001:dead::ffff dst 2001:dead::1
                proto esp reqid 1 mode tunnel
src 2001:abcd::1/128 dst 2001:aaaa::1/128
        dir in priority 0
        tmpl src 2001:dead::ffff dst 2001:dead::1
                proto esp reqid 1 mode tunnel
src 2001:aaaa::1/128 dst 2001:abcd::1/128
        dir out priority 0
        tmpl src 2001:dead::1 dst 2001:dead::ffff
                proto esp spi 0xc6dcb76d reqid 1 mode tunnel
root@myikev2:~# ip -6 route list table 330
2001:abcd::1 dev enp0s10 metric 1024 pref medium

In the case of a LAN-to-LAN tunnel, for each TS in TSr MyIKEv2 creates a route for the smallest prefix that covers the address range of the TS (in the example above, a /128 host route for 2001:abcd::1).
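The covering prefix is easy to get wrong for ranges that are not aligned to a prefix boundary. As an added example (not MyIKEv2's own code), the Go program below computes the smallest CIDR block that contains a TS address range, for IPv4 and IPv6 alike, and assembles the argv for adding that route to table 330. The ip-route argument form in RouteArgs is an assumption modelled on the "ip route list table 330" output above; MyIKEv2's exact command is not documented here. The TS ranges in main() are constructed, the first being the IPv6 TSr from the example above.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Added example, not MyIKEv2 code: the smallest CIDR block that covers a traffic
// selector's address range (the route MyIKEv2 installs per TS in TSr for a
// LAN-to-LAN tunnel) and the argv for adding it to route table 330. RouteArgs
// is an assumed command form; MyIKEv2's own ip-route invocation is not documented.

// CoveringPrefix returns the most specific prefix that contains both start and
// end: its length is the number of leading bits the two addresses share.
func CoveringPrefix(start, end netip.Addr) (netip.Prefix, error) {
	if !start.IsValid() || !end.IsValid() || start.Is4() != end.Is4() {
		return netip.Prefix{}, fmt.Errorf("invalid or mixed-family range %s - %s", start, end)
	}
	if end.Less(start) {
		start, end = end, start
	}
	s, e := start.AsSlice(), end.AsSlice()
	bits := 0
	for i := range s {
		if s[i] == e[i] {
			bits += 8
			continue
		}
		// first differing byte: count its shared leading bits, then stop
		for x := s[i] ^ e[i]; x&0x80 == 0; x <<= 1 {
			bits++
		}
		break
	}
	return netip.PrefixFrom(start, bits).Masked(), nil
}

// RouteArgs builds "ip [-6] route add <prefix> dev <dev> table 330 [src <src>]";
// src is the assigned internal address for an RA tunnel and unset for L2L.
func RouteArgs(p netip.Prefix, dev string, src netip.Addr) []string {
	args := []string{"ip"}
	if p.Addr().Is6() {
		args = append(args, "-6")
	}
	args = append(args, "route", "add", p.String(), "dev", dev, "table", "330")
	if src.IsValid() {
		args = append(args, "src", src.String())
	}
	return args
}

// CoverRoute is the string-based convenience wrapper: TS range in, covering
// prefix and route argv out (an empty src means no "src" option).
func CoverRoute(start, end, dev, src string) (string, []string, error) {
	sa, err := netip.ParseAddr(start)
	if err != nil {
		return "", nil, err
	}
	ea, err := netip.ParseAddr(end)
	if err != nil {
		return "", nil, err
	}
	var srcAddr netip.Addr
	if src != "" {
		if srcAddr, err = netip.ParseAddr(src); err != nil {
			return "", nil, err
		}
	}
	p, err := CoveringPrefix(sa, ea)
	if err != nil {
		return "", nil, err
	}
	return p.String(), RouteArgs(p, dev, srcAddr), nil
}

func main() {
	// constructed TS ranges: the page's IPv6 L2L TSr and an IPv4 range that is not prefix-aligned
	ranges := [][2]string{{"2001:abcd::1", "2001:abcd::1"}, {"192.168.2.0", "192.168.2.255"}, {"192.168.2.0", "192.168.3.5"}}
	for _, r := range ranges {
		p, args, err := CoverRoute(r[0], r[1], "enp0s10", "")
		if err != nil {
			panic(err)
		}
		fmt.Println(r[0], "-", r[1], "=>", p, args)
	}
}
```

Note that a range such as 192.168.2.0 - 192.168.3.5 yields 192.168.2.0/23, which routes more addresses than the TS actually covers; the XFRM policy, not the route, is what limits which packets are protected.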

Limitations

  • currently, dual stack (IPv4 + IPv6) is not supported in a single CHILD_SA

8 - Crypto Algorithms

Crypto algorithms supported by MyIKEv2

This page lists all crypto algorithms supported by MyIKEv2 and their values in the test setup file.

IKE SA Encryption

  • 3des
  • aes-cbc:<keylen> : AES-CBC; when configuring this in the setup file, a key length suffix is also needed, e.g. aes-cbc:128 means AES-CBC with a 128-bit key
  • aes-gcm-16:<keylen> : AES-GCM with 16 bytes authentication tag
  • aes-gcm-12:<keylen> : AES-GCM with 12 bytes authentication tag
  • chacha20-poly1305

IKE SA Integrity

  • md5-96 : MD5
  • sha1-96 : SHA1
  • sha256 : SHA256
  • sha384 : SHA384
  • sha512 : SHA512

IKE SA PRF

  • md5 : MD5
  • sha1 : SHA1
  • sha256 : SHA256
  • sha384 : SHA384
  • sha512 : SHA512

ESP/Fastpath Encryption

  • null
  • 3des
  • aes-cbc:<keylen> : AES-CBC; when configuring this in the setup file, a key length suffix is also needed, e.g. aes-cbc:128 means AES-CBC with a 128-bit key
  • aes-gcm-16:<keylen> : AES-GCM with 16 bytes authentication tag
  • aes-gcm-12:<keylen> : AES-GCM with 12 bytes authentication tag
  • chacha20-poly1305

Diffie-Hellman Group

1/2/5/14/15/16/17/18/19/20/21/31

PKI Key Type

  • RSA
    • with myikev2 createpki generated key:
      • CA: 4096bit
      • EE: 2048bit
    • Other source:
      • any
  • ECDSA with following curves:
    • with myikev2 createpki generated key:
      • CA: P521
      • EE: P384
    • Other source:
      • P224/P256/P384/P521
  • Ed25519

9 - EAP Authentication

MyIKEv2 EAP authentication implementations.

MyIKEv2 doesn’t support any EAP method directly; however, it supports IKEv2 EAP authentication via one of the following methods:

  • Client role
    • eap-file
    • eap-snoop
  • Gateway role
    • EAP authentication via RADIUS server

Client Role

eap-file

eap-file works as follows:

  • The user needs to obtain a pcap file that contains the packets of a successful RADIUS EAP authentication.
  • MyIKEv2 functions as both the IKEv2 EAP client and the RADIUS server, as follows:
myikev2(As IKEv2 EAP client/peer) --- DUT (as EAP Authenticator ) --- myikev2(as RADIUS EAP server)

This means the DUT must enable the EAP RADIUS feature as defined in RFC3579.

  • MyIKEv2 extracts the EAP-Message from each RADIUS packet in the pcap file and passes it through the DUT via the standard IKEv2 EAP authentication procedure:
    • the EAP-Message of each RADIUS request message in the pcap file is used by MyIKEv2 as the IKEv2 EAP payload sent to the DUT
    • the response message in the pcap file is used by the MyIKEv2 RADIUS server to respond to the DUT

Setup eap-file

  1. Create or obtain a pcap file containing one successful RADIUS authentication session for the EAP method you need to test. One way to create such a pcap file is to use eapol_test together with freeradius (the freeradius source contains eapol_test).

  2. Configure the following options in the “ikeconf” section of the MyIKEv2 setup file:

  • authownmethod: set this to “eap” or “eap-only”
  • eapimplementaion: set this to “eap-file”
  • authpeermethod: the method used to authenticate the peer
  • eapfile: the path to the pcap file
  • eapradiusss: the RADIUS shared secret used in eapfile; the DUT also needs to use this as its RADIUS shared secret
  • eapradiussvr: the listening address of the RADIUS server; the DUT needs to be configured to use this as its RADIUS server
  • eapradiusid: the RADIUS attribute type, in the Access-Request sent by the DUT to the RADIUS server, that the myikev2 RADIUS server uses to uniquely identify a RADIUS auth session
    • it has to be unique across sessions; it could be, e.g., “44” (Acct-Session-Id) or “31” (Calling-Station-Id)
    • this is NOT the attribute in the RADIUS request messages of the pcap file; it is the one sent by the DUT
  • myid: it might be necessary to set this to the EAP identity

Notes

  • For the RADIUS request messages in the pcap file, only the EAP-Message attribute is used; all other attributes are ignored.
  • All tunnels defined in a setup file use the same EAP messages from the pcap, so they all derive the same MSK.
  • When a MyIKEv2 client with an eap-file config interoperates with a MyIKEv2 gateway, make sure the gateway uses the same eapradiusid as the client.
  • For a scale test, setupinterval can’t be too small; as a rule of thumb it should be >= 100ms.

eap-snoop

eap-snoop works as follows:

  • MyIKEv2 runs eapol_test as the EAP supplicant
  • MyIKEv2 snoops/intercepts the EAP messages exchanged between eapol_test and the IKEv2 peer
  • The actual EAP authentication is between eapol_test and the IKEv2 peer

Setup eap-snoop

Configure the following options in the “ikeconf” section of the MyIKEv2 setup file:

  • authownmethod: set this to “eap”
  • eapimplementaion: set this to “eap-snoop”
  • authpeermethod: the method used to authenticate the peer
  • eapoltestpath: the path to the eapol_test binary
  • eapoltestconf: the config for eapol_test; note this can be a multi-line string in YAML format; following is an example for EAP-TLS:
  eapoltestconf: |
    network={
        key_mgmt=WPA-EAP
        eap=TLS
        identity="ee-0_myikev2"
        ca_cert="/root/certs/rsa/rootca.cert"
        client_cert="/root/certs/rsa/ee-0_myikev2.cert"
        private_key="/root/certs/rsa/ee-0_myikev2.key"
        private_key_passwd="whatever"
    }
  • myid: it might be necessary to set this to the EAP identity

Unique EAP Credential

“&d” in eapoltestconf is replaced by the tunnel index at runtime; for example “user-&d” becomes “user-0” for the first tunnel, “user-1” for the second tunnel, and so on.

This can be used to give each tunnel unique EAP credentials.

As a related feature, the myikev2 default -t fr -frtemp <user_config_template_string> -c <count> command can be used to generate a simple freeradius users config file, which can be used on the gateway side;

also, setting myid to “eapol-test-conf” changes IDi to the identity value in eapoltestconf.

Notes

  • leap is not supported with eap-snoop

Example setup file for eap-snoop

This setup file uses EAP-TLS:

runningtime: 30m
abortonerr: false
numberoftunnels: 10
loglevel: 3
startclntaddr: "11.1.0.2/8"
peeraddr: "11.1.0.1"
bindifname: "enp0s10"
bindifaddr: "11.254.254.254/8"
staticroute: ""
setupinterval: 100ms
owntsaddrincrease: 0
peertsaddrincrease: 0
ikeconf:
  dhgrpid: 14
  ikeintegrityalg: sha1-96
  ikeencyptalg: aes-cbc:128
  ikeprfalg: sha1
  authpeermethod: psk
  authownmethod: eap
  eapimplementaion: eap-snoop
  eapoltestpath: /root/eapol_test
  eapoltestconf: |
    network={
        key_mgmt=WPA-EAP
        eap=TLS
        identity="ee-0_myikev2"
        ca_cert="/root/certs/rsa/rootca.cert"
        client_cert="/root/certs/rsa/ee-0_myikev2.cert"
        private_key="/root/certs/rsa/ee-0_myikev2.key"
        private_key_passwd="whatever"
    }
  eapfile: ""
  eapradiusss: ""
  eapradiussvr: ""
  eapradiusid: 31
  myid: "ee-0_myikev2"
  cadir: ""
  eedir: ""
  dshashalg: sha256
  usersapss: false
  psk: "mypsk123"
  initiatedpd: true
  forcedpd: false
  dpdinterval: 30s
  ikelifetime: 10m0s
  margintime: 60s
  installfastpath: false
  keepchildhistory: false
  keepikehistory: false
  ratunnel: true
  enablenatt: false
  nattkeepaliveinterval: 0s
  ikev2msgmaxsize: 0
  childlist:
  - integrityalg: sha1-96
    encalg: aes-cbc:128
    protocol: esp
    lifetime: 5m0s
    esn: false
    pfsenabled: true
    pfsgrpid: 14
    replaywindowsize: 256
    ownts:
    - type: v4
      protocol: 0
      startport: 0
      endport: 65535
      startaddr: 0.0.0.0
      endaddr: 255.255.255.255
    peerts:
    - type: v4
      protocol: 0
      startport: 0
      endport: 65535
      startaddr: 0.0.0.0
      endaddr: 255.255.255.255

Build eapol_test

  1. download wpa_supplicant source from https://w1.fi/releases/wpa_supplicant-2.7.tar.gz
  2. tar xvf wpa_supplicant-2.7.tar.gz
  3. cd wpa_supplicant-2.7/wpa_supplicant
  4. wget https://raw.githubusercontent.com/FreeRADIUS/freeradius-server/master/scripts/travis/eapol_test/config_linux -O .config
  5. make eapol_test

Gateway Role

As a gateway, MyIKEv2 supports IKEv2 EAP authentication via a RADIUS server as specified by RFC3579, so the actual EAP exchange is between the IKEv2 peer and the RADIUS server.

The gateway sends an EAP-Start message to the RADIUS server upon receiving the first IKE_AUTH request from the client.

The following options in the setup file are used in this case:

  • eapradiussvr: RADIUS server address
  • eapradiusss: RADIUS shared secret
  • eapradiusid: the RADIUS attribute type used to identify the session; the gateway inserts the specified RADIUS attribute, with the corresponding IKE_SA’s own SPI as its value, into the Access-Request
  • eapsendstart: if true, the gateway sends EAP-Start to the RADIUS server at the beginning of the EAP exchange; otherwise it first sends an EAP-Identity/Response with User-Name to the RADIUS server

Other EAP options in the setup file are ignored.
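To make the gateway-side RADIUS exchange concrete, the following Go program is an added example, not MyIKEv2 code: it builds the first Access-Request of a session as described above, tagging it with the IKE_SA's own SPI in the attribute selected by eapradiusid and carrying either EAP-Start (eapsendstart true) or an EAP Response/Identity, and it implements the Message-Authenticator check (RFC3579 section 3.2, HMAC-MD5 keyed with the shared secret) that the RADIUS server applies before acting on the request. EAP-Start is encoded as an EAP-Message attribute with no data (RFC3579 section 2.1). Assumptions: the SPI is inserted as a hex string (the page does not document the value encoding), and the SPI, identity and shared secret in main() are constructed.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Added example, not MyIKEv2 code: the RADIUS Access-Request with which a gateway
// opens the EAP exchange (RFC3579), and the Message-Authenticator check a RADIUS
// server applies to it. The SPI encoding (hex string) is an assumption.
const (
	codeAccessRequest = 1
	attrUserName      = 1
	attrEAPMessage    = 79
	attrMessageAuth   = 80
)

// Attr is one RADIUS attribute; Value is at most 253 bytes.
type Attr struct {
	Type  byte
	Value []byte
}

// EAPIdentityResponse encodes an EAP Response/Identity (code 2, type 1).
func EAPIdentityResponse(id byte, identity string) []byte {
	b := append([]byte{2, id, 0, 0, 1}, identity...)
	binary.BigEndian.PutUint16(b[2:], uint16(len(b)))
	return b
}

// StartAttrs builds the attributes of a session's first request: User-Name, the
// eapradiusid attribute holding the IKE_SA's own SPI, and EAP-Start (an empty
// EAP-Message) when eapSendStart is true, otherwise the EAP Response/Identity.
func StartAttrs(identity string, ownSPI [8]byte, eapRadiusID byte, eapSendStart bool) []Attr {
	eap := []byte{}
	if !eapSendStart {
		eap = EAPIdentityResponse(1, identity)
	}
	spi := []byte(hex.EncodeToString(ownSPI[:]))
	return []Attr{{attrUserName, []byte(identity)}, {eapRadiusID, spi}, {attrEAPMessage, eap}}
}

// BuildAccessRequest serialises attrs and appends a Message-Authenticator: the
// HMAC-MD5 of the whole packet, keyed with the shared secret, computed while the
// attribute's 16 value bytes are zero.
func BuildAccessRequest(id byte, secret []byte, attrs []Attr) ([]byte, error) {
	auth := make([]byte, 16) // Request Authenticator: 16 random bytes
	if _, err := rand.Read(auth); err != nil {
		return nil, err
	}
	buf := bytes.NewBuffer([]byte{codeAccessRequest, id, 0, 0}) // length is set below
	buf.Write(auth)
	for _, a := range attrs {
		if len(a.Value) > 253 {
			return nil, fmt.Errorf("attribute %d too long (%d bytes)", a.Type, len(a.Value))
		}
		buf.Write([]byte{a.Type, byte(2 + len(a.Value))})
		buf.Write(a.Value)
	}
	macOff := buf.Len() + 2
	buf.Write(append([]byte{attrMessageAuth, 18}, make([]byte, 16)...))
	pkt := buf.Bytes()
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	copy(pkt[macOff:], hmacMD5(secret, pkt))
	return pkt, nil
}

func hmacMD5(key, msg []byte) []byte {
	m := hmac.New(md5.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// ParseAttrs returns the attributes of pkt, or nil if a length field is malformed.
func ParseAttrs(pkt []byte) []Attr {
	if len(pkt) < 20 || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return nil
	}
	var out []Attr
	for off := 20; off < len(pkt); {
		if off+2 > len(pkt) || pkt[off+1] < 2 || off+int(pkt[off+1]) > len(pkt) {
			return nil
		}
		out = append(out, Attr{pkt[off], pkt[off+2 : off+int(pkt[off+1])]})
		off += int(pkt[off+1])
	}
	return out
}

// VerifyMessageAuthenticator recomputes the HMAC over a copy of pkt with the
// attribute zeroed and compares in constant time; a missing attribute fails.
func VerifyMessageAuthenticator(pkt, secret []byte) bool {
	cp := append([]byte(nil), pkt...)
	var want []byte
	off := 20
	for _, a := range ParseAttrs(cp) {
		if a.Type == attrMessageAuth && len(a.Value) == 16 {
			want = append([]byte(nil), a.Value...)
			copy(cp[off+2:off+18], make([]byte, 16))
		}
		off += 2 + len(a.Value)
	}
	return want != nil && hmac.Equal(hmacMD5(secret, cp), want)
}

func main() {
	spi := [8]byte{0x5d, 0xfa, 0x8e, 0xf4, 0xcd, 0x3f, 0xe5, 0xf8} // constructed SPI
	secret := []byte("constructed-secret")
	pkt, err := BuildAccessRequest(7, secret, StartAttrs("ee-0_myikev2", spi, 31, true))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes, Message-Authenticator ok: %v\n", len(pkt), VerifyMessageAuthenticator(pkt, secret))
}
```

When a MyIKEv2 client with an eap-file configuration plays the RADIUS server role (see the client section), it is exactly this eapradiusid attribute that lets it match the DUT's Access-Requests to a session, which is why both sides must agree on the attribute type.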

EAP-Only

MyIKEv2 supports EAP-Only (RFC5998), which is enabled by setting:

  • client role: authpeermethod: eap-only
  • gateway role: authownmethod: eap-only

With EAP-Only, if the peer also supports it and chooses to use it, then msg-4 (the IKE_AUTH response) will not contain an AUTH payload; if the peer still chooses to include an AUTH payload in msg-4, MyIKEv2 verifies it and fails the tunnel setup if verification fails.

10 - MOBIKE (RFC4555)

MyIKEv2 MOBIKE (RFC4555) implementations.

MyIKEv2 supports MOBIKE (IKEv2 Mobility and Multihoming Protocol, RFC4555) as either tunnel initiator or tunnel responder. The support includes:

  • change own tunnel address
  • change peer’s tunnel address
  • change both own and peer’s tunnel address
  • Accept peer updates of its tunnel address
  • Fastpath support

Configuration

Client role: the following settings in the setup file control MOBIKE:

  • mobike: set to true to enable MOBIKE
  • mobikeaddrpertunnel: the number of own tunnel addresses for each tunnel
  • mobikeiplifetime: the amount of time MyIKEv2 waits before changing to the next address
  • mobikechangeaddrtype: own-only|peer-only|both; own-only changes only the own address, peer-only changes only the peer address, both changes both the own and the peer address
  • ikesa->disallownat: set to true to include the NO_NATS_ALLOWED notification in the IKE_AUTH request and UPDATE_SA_ADDRESSES request.

Gateway role: the following settings in the setup file control MOBIKE:

  • mobike: set to true to enable MOBIKE
  • mobikeaddrpergw: the number of own tunnel addresses for the gateway

How does it work (client role)?

Once enabled, MyIKEv2 changes its own address and/or the peer’s address (based on mobikechangeaddrtype) every mobikeiplifetime. mobikeaddrpertunnel specifies how many own addresses each tunnel has; the addresses are allocated to each tunnel as follows:

  • for example, if startclntaddr is “192.168.1.1/24” and mobikeaddrpertunnel is 3, then the 1st tunnel gets 3 addresses: 192.168.1.1, 192.168.1.2, 192.168.1.3; the 2nd tunnel gets 3 addresses: 192.168.1.4, 192.168.1.5, 192.168.1.6; and so on

The available peer tunnel addresses are peeraddr in the setup file plus the addresses announced by the peer via ADDITIONAL_IP4_ADDRESS and ADDITIONAL_IP6_ADDRESS Notify payloads, in the IKE_AUTH response and in peer-initiated INFORMATIONAL requests.

How does MyIKEv2 pick next address (client role)?

This depends on mobikechangeaddrtype:

  • own-only: the next address in the own address list, which is specified by startclntaddr and mobikeaddrpertunnel
  • peer-only: the next address in the latest available peer address list, which is the currently used peer address plus the addresses announced by the peer
  • both: the next combination from the own address list and the latest peer address list
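The address allocation and the next-address rule above are simple to state but easy to get wrong at the prefix boundary. As an added example, not MyIKEv2 code, the Go program below reproduces the per-tunnel own-address allocation from startclntaddr and mobikeaddrpertunnel (refusing to hand a tunnel an address outside the configured prefix) and a picker that walks the own and peer lists for each mobikechangeaddrtype, with peer addresses added as ADDITIONAL_IP*_ADDRESS notifies arrive. The page does not say in which order MyIKEv2 walks the "both" combinations; the order here (peer list inner, own list outer) is an assumption, as are the addresses in main().

```go
package main

import (
	"fmt"
	"net/netip"
)

// Added example, not MyIKEv2 code: MOBIKE own-address allocation per tunnel and
// the next-address choice per mobikechangeaddrtype. The walk order for "both"
// (all peer addresses for one own address, then the next own address) is assumed.

// OwnAddrs returns the mobikeaddrpertunnel addresses of the tunnel with 0-based
// index idx: tunnel 0 gets the first perTunnel addresses starting at
// startclntaddr, tunnel 1 the next perTunnel, and so on, all inside the prefix.
func OwnAddrs(startClntAddr string, idx, perTunnel int) ([]netip.Addr, error) {
	pfx, err := netip.ParsePrefix(startClntAddr)
	if err != nil {
		return nil, err
	}
	a := pfx.Addr()
	for i := 0; i < idx*perTunnel; i++ {
		a = a.Next()
	}
	addrs := make([]netip.Addr, 0, perTunnel)
	for i := 0; i < perTunnel; i++ {
		if !a.IsValid() || !pfx.Contains(a) {
			return nil, fmt.Errorf("tunnel %d needs addresses outside %s", idx, pfx)
		}
		addrs = append(addrs, a)
		a = a.Next()
	}
	return addrs, nil
}

// Picker holds one tunnel's current (own, peer) pair and walks the two lists
// according to Mode (mobikechangeaddrtype). Next runs once per mobikeiplifetime;
// AddPeerAddr is called for each ADDITIONAL_IP4_ADDRESS/ADDITIONAL_IP6_ADDRESS.
type Picker struct {
	Mode   string
	Own    []netip.Addr
	Peer   []netip.Addr
	oi, pi int
}

// NewPicker builds a tunnel's picker from the setup-file values.
func NewPicker(mode, startClntAddr string, idx, perTunnel int, peeraddr string) (*Picker, error) {
	own, err := OwnAddrs(startClntAddr, idx, perTunnel)
	if err != nil {
		return nil, err
	}
	peer, err := netip.ParseAddr(peeraddr)
	if err != nil {
		return nil, err
	}
	return &Picker{Mode: mode, Own: own, Peer: []netip.Addr{peer}}, nil
}

// AddPeerAddr appends a peer-announced address unless it is already known.
func (p *Picker) AddPeerAddr(s string) error {
	a, err := netip.ParseAddr(s)
	if err != nil {
		return err
	}
	for _, x := range p.Peer {
		if x == a {
			return nil
		}
	}
	p.Peer = append(p.Peer, a)
	return nil
}

// Current returns the pair in use.
func (p *Picker) Current() (own, peer string) { return p.Own[p.oi].String(), p.Peer[p.pi].String() }

// Next advances according to Mode and returns the new pair.
func (p *Picker) Next() (own, peer string) {
	switch p.Mode {
	case "own-only":
		p.oi = (p.oi + 1) % len(p.Own)
	case "peer-only":
		p.pi = (p.pi + 1) % len(p.Peer)
	case "both":
		p.pi++
		if p.pi == len(p.Peer) {
			p.pi = 0
			p.oi = (p.oi + 1) % len(p.Own)
		}
	}
	return p.Current()
}

func main() {
	// constructed values: second tunnel of the example above, peeraddr plus one announced address
	pk, err := NewPicker("both", "192.168.1.1/24", 1, 3, "11.1.0.1")
	if err != nil {
		panic(err)
	}
	pk.AddPeerAddr("11.1.0.9")
	for i := 0; i < 6; i++ {
		o, pr := pk.Next()
		fmt.Println(o, "->", pr)
	}
}
```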

How does it work (gateway role)?

MOBIKE address changes are driven by the tunnel initiator, so as tunnel responder MyIKEv2 only responds to the peer’s address change requests.

Linux Reverse Path Filter

Reverse path filtering is a mechanism in the Linux kernel that checks whether a received packet arrived via the right interface; its purpose is to prevent the address spoofing used in DoS attacks.

However, with MOBIKE, in certain test setups an address change means the IPsec packets may arrive via a different interface, which fails the reverse path check; depending on the kernel setting, the packets may get dropped.

To simplify the test setup, the user can disable reverse path filtering in Linux as follows:

Disable Linux IPv4 Reverse Path Filtering

sysctl -w net.ipv4.conf.<interface1-name>.rp_filter=0
sysctl -w net.ipv4.conf.<interface2-name>.rp_filter=0
sysctl -w net.ipv4.conf.all.rp_filter=0

Disable Linux IPv6 Reverse Path Filtering

ip6tables  -t raw -A PREROUTING  -m rpfilter -j ACCEPT
ip6tables -t raw -A PREROUTING  -m rpfilter --invert -j ACCEPT

11 - Built-in Ping test

MyIKEv2 has a built-in ping test feature: MyIKEv2 can automatically start ping sessions after the tunnels are created; the ping sessions keep running until the test finishes and then report the number of packets sent/received. The number of ping sessions is determined by:

  • client role: the number of successfully created IPsec tunnels
  • gateway role: numberoftunnels in setup file

Config

The ping test is enabled by setting destaddr in the pingconf section of the setup file:

pingconf:
  autoaddr: false
  ptype: icmp
  udpport: 9922
  destaddr: "192.168.1.100"
  deststep: 1
  srcaddr: ""
  srcstep: 1
  interval: 1s
  pktlen: 64
  maxlossrate: 10
  holdtime: 10s
  • autoaddr: if set to true, the src/dst addresses of the ICMP ECHO request are the first addresses in the TSi/TSr address ranges
  • ptype: type of ping, icmp or udp; refer to the section below for details of UDP
  • udpport: UDP port in case of UDP ping, used as both src and dst port
  • destaddr: the ping destination for the 1st tunnel
  • deststep: the step by which the destination addr increases for each following tunnel; for example, with the above config the 2nd tunnel’s ping destination is 192.168.1.101, the 3rd tunnel’s is 192.168.1.102, and so on
  • srcaddr: the ping source address for the 1st tunnel; if empty, the OS automatically selects the source; leave empty for RA tunnels
  • srcstep: the step by which the src addr increases for each following tunnel; only applies when srcaddr is not empty
  • interval: interval between sending ping ECHO requests
  • setupinterval: interval between creating two consecutive ping tasks; shouldn’t be too small in a scale test, to avoid all ping tasks sending at the same time
  • pktlen: the size of the ping packet sent; note: the actual IP packet is bigger than this, since this only specifies the ping payload size
  • maxlossrate: the max allowed packet loss rate in percent, a float number between 0 and 100; if the packet loss rate exceeds this value, an error event is generated
  • holdtime: the amount of time the system waits before starting ping, after all tunnels are created (client role) or the gateway is created (gateway role)

UDP Ping

To use UDP ping, the myikev2 echo server needs to be running as the ping target; it reflects received UDP packets back to the sender.

  myikev2_udp_ping <---------> myikev2_echo_svr

The echo server is started via the command myikev2 echosvr:

= echosvr: start UDP echo server
    - count: number of listening address
        default:1
    - port: listening port
        default:9922
    - startip: starting listening addr
    - step: step
        default:1

The echo server listens on one or multiple addresses with the specified port; step specifies the delta between two consecutive addresses. For example, the command myikev2 echosvr -startip 1.1.1.1 -count 3 -port 3344 -step 2 creates a server listening on 3 addresses, 1.1.1.1, 1.1.1.3 and 1.1.1.5, with listening port 3344.

Note: the echo server automatically adds the listening addresses to interface lo, so the user doesn’t need to add them manually; this also means running this command requires root privilege.
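Both the pingconf stepping (destaddr/deststep, srcaddr/srcstep) and the echo server's -startip/-count/-step walk an address range in fixed steps, so a scale test needs the two to line up: tunnel N's ping destination must be one of the echo server's listening addresses. As an added example that is not MyIKEv2 code, the Go program below computes both lists from the setup values, for IPv4 and IPv6, and fails cleanly when the address space runs out instead of wrapping; the values in main() are the ones from the pingconf and echosvr examples above.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Added example, not MyIKEv2 code: derive each tunnel's ping addresses from
// destaddr/deststep and srcaddr/srcstep, and the listening endpoints of
// `myikev2 echosvr` from -startip/-count/-port/-step.

// step returns a advanced by n addresses (n >= 0); the zero Addr means overflow.
func step(a netip.Addr, n int) netip.Addr {
	for i := 0; i < n && a.IsValid(); i++ {
		a = a.Next()
	}
	return a
}

// PingPair is the ping source/destination of one tunnel; Src is the zero Addr
// when srcaddr is empty and the OS picks the source.
type PingPair struct{ Src, Dst netip.Addr }

// PingPairs computes the ping addresses for tunnels 0..tunnels-1.
func PingPairs(destaddr, srcaddr string, deststep, srcstep, tunnels int) ([]PingPair, error) {
	dst, err := netip.ParseAddr(destaddr)
	if err != nil {
		return nil, fmt.Errorf("destaddr: %w", err)
	}
	var src netip.Addr
	if srcaddr != "" {
		if src, err = netip.ParseAddr(srcaddr); err != nil {
			return nil, fmt.Errorf("srcaddr: %w", err)
		}
	}
	pairs := make([]PingPair, 0, tunnels)
	for i := 0; i < tunnels; i++ {
		d := step(dst, i*deststep)
		if !d.IsValid() {
			return nil, fmt.Errorf("tunnel %d: destination address overflow", i)
		}
		s := src
		if src.IsValid() {
			if s = step(src, i*srcstep); !s.IsValid() {
				return nil, fmt.Errorf("tunnel %d: source address overflow", i)
			}
		}
		pairs = append(pairs, PingPair{Src: s, Dst: d})
	}
	return pairs, nil
}

// EchoListenAddrs returns the count address:port endpoints the echo server binds.
func EchoListenAddrs(startip string, count, port, stepN int) ([]netip.AddrPort, error) {
	start, err := netip.ParseAddr(startip)
	if err != nil {
		return nil, err
	}
	eps := make([]netip.AddrPort, 0, count)
	for i := 0; i < count; i++ {
		a := step(start, i*stepN)
		if !a.IsValid() {
			return nil, fmt.Errorf("listener %d: address overflow", i)
		}
		eps = append(eps, netip.AddrPortFrom(a, uint16(port)))
	}
	return eps, nil
}

func main() {
	pairs, err := PingPairs("192.168.1.100", "", 1, 1, 3) // the pingconf example above
	if err != nil {
		panic(err)
	}
	for i, p := range pairs {
		fmt.Printf("tunnel %d: src %v dst %v\n", i, p.Src, p.Dst)
	}
	eps, err := EchoListenAddrs("1.1.1.1", 3, 3344, 2) // the echosvr example above
	if err != nil {
		panic(err)
	}
	fmt.Println("echo server listens on", eps)
}
```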

CLI

The following shell CLI commands relate to the ping test:

  • MyIKEv2 CLI:

    • psummary: display the ping stats
    • clearping: clear ping stats
  • Controller CLI:

    • list: list instance status, which includes ping stats
    • clearping: clear ping stats

Limitation

The built-in ping is currently not designed for heavy load testing, which could cause inaccurate results, especially with ICMP ping.

12 - Tunnel Flapping Test

Tunnel flapping is an IKEv2 stress testing feature that lets the user specify a number of client tunnels that perform the following steps:

  1. The tunnel is created for the 1st time
  2. Wait an interval
  3. Remove the tunnel and re-establish it, then go to Step 2

This feature is configured by flapconf section in setup file:

flapconf:
  # enable/disable tunnel flapping
  flapping: false
  # number of tunnel flapping, must <= numberoftunnels
  # -1 means same as numberoftunnels
  numoftunnel: -1
  # the interval between two dials is a random number between minflapinterval and maxflapinterval
  # minflapinterval must >= 10s
  minflapinterval: 30s
  maxflapinterval: 1m0s
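The comments in the flapconf block state the constraints a setup file has to satisfy; checking them before a long run avoids discovering a bad value hours in. As an added example that is not MyIKEv2 code, the Go program below applies those rules (numoftunnel <= numberoftunnels with -1 meaning all of them, minflapinterval >= 10s) and produces the random per-cycle wait between minflapinterval and maxflapinterval, along with the schedule of re-dials one flapping tunnel would follow. Requiring maxflapinterval >= minflapinterval is an extra check assumed here, and the values in main() are the ones from the flapconf block above.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Added example, not MyIKEv2 code: validate a flapconf section and draw the
// per-cycle wait. The max >= min check is an assumption beyond the page's rules.

// FlapConf mirrors the flapconf section of the setup file.
type FlapConf struct {
	Flapping        bool
	NumOfTunnel     int
	MinFlapInterval time.Duration
	MaxFlapInterval time.Duration
}

// Resolve validates conf against numberoftunnels and returns the effective
// number of flapping tunnels (0 when flapping is disabled).
func Resolve(conf FlapConf, numberOfTunnels int) (int, error) {
	if !conf.Flapping {
		return 0, nil
	}
	n := conf.NumOfTunnel
	if n == -1 {
		n = numberOfTunnels
	}
	if n < 0 || n > numberOfTunnels {
		return 0, fmt.Errorf("numoftunnel %d must be -1 or between 0 and numberoftunnels %d", conf.NumOfTunnel, numberOfTunnels)
	}
	if conf.MinFlapInterval < 10*time.Second {
		return 0, fmt.Errorf("minflapinterval %v must be >= 10s", conf.MinFlapInterval)
	}
	if conf.MaxFlapInterval < conf.MinFlapInterval {
		return 0, fmt.Errorf("maxflapinterval %v is below minflapinterval %v", conf.MaxFlapInterval, conf.MinFlapInterval)
	}
	return n, nil
}

// NewRNG returns a seeded generator so a schedule can be reproduced.
func NewRNG(seed int64) *rand.Rand { return rand.New(rand.NewSource(seed)) }

// NextFlapInterval draws a wait uniformly from [minflapinterval, maxflapinterval].
func NextFlapInterval(conf FlapConf, rng *rand.Rand) time.Duration {
	span := int64(conf.MaxFlapInterval - conf.MinFlapInterval)
	if span <= 0 {
		return conf.MinFlapInterval
	}
	return conf.MinFlapInterval + time.Duration(rng.Int63n(span+1))
}

// Schedule returns, for one tunnel, the offsets from its first creation at
// which it is torn down and re-dialed, over `cycles` rounds of steps 2 and 3.
func Schedule(conf FlapConf, rng *rand.Rand, cycles int) []time.Duration {
	var at time.Duration
	out := make([]time.Duration, 0, cycles)
	for i := 0; i < cycles; i++ {
		at += NextFlapInterval(conf, rng) // step 2: wait a random interval
		out = append(out, at)             // step 3: remove and re-establish
	}
	return out
}

func main() {
	conf := FlapConf{Flapping: true, NumOfTunnel: -1, MinFlapInterval: 30 * time.Second, MaxFlapInterval: time.Minute}
	n, err := Resolve(conf, 10) // numberoftunnels: 10, as in the setup files above
	if err != nil {
		panic(err)
	}
	fmt.Println(n, "tunnels flapping; re-dials at", Schedule(conf, NewRNG(1), 3))
}
```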

13 - MyIKEv2 Daemon & Controller

Scale out MyIKEv2 to multiple instances, orchestrated by a controller.

Some test cases require running multiple MyIKEv2 instances on one or multiple servers; one example is a large scale test, where multiple MyIKEv2 test instances on multiple servers are needed. MyIKEv2 supports such test cases in a simple and orchestrated way by using the MyIKEv2 daemon and controller:

                 --- SVR1[daemon --> MyIKEv2_Instance_1,MyIKEv2_Instance_2 ...]
controller ---- |--- SVR2[daemon --> MyIKEv2_Instance_3,MyIKEv2_Instance_4 ...]
                 --- SVR3[daemon --> MyIKEv2_Instance_5,MyIKEv2_Instance_6 ...] 
  • MyIKEv2 Daemon: a daemon process running on a given server; it manages (creates, stops, etc.) MyIKEv2 instances by accepting API calls from the MyIKEv2 controller; there is only one daemon process per server
  • MyIKEv2 Controller: the controller that controls all daemons; it manages the test cases by controlling the daemon processes on each server; only one controller is required globally
  • Recipe: a user-specified YAML file that defines a test case that can be launched from the interactive CLI of the controller; each recipe defines one or multiple MyIKEv2 instances
  • MyIKEv2 Instance: an instance is a “myikev2 exec” process running in its own Linux network namespace, which means each instance has its own interfaces, route table and xfrm policies/states; the instance and its namespace are created by the daemon

Network Provisioning

Before using this feature, there is some network plumbing work to do, which includes provisioning:

  • Management Networking: networking for controller <-> daemon message, and daemon <-> instances message
  • Data Networking: networking for actual IPsec/IKE packets of MyIKEv2 instances

Management Networking

  • For each server, the user specifies an IPv6 prefix in the controller’s config file, and each myikev2 instance gets a management IP address within that prefix.
    • the user needs to provision routing between the controller and each server so that these management prefixes are reachable from the controller
    • auto-assignment can be disabled by setting autoassignmgmtip to false in the controller’s config file; if disabled, each instance’s management address is specified by apilistenaddr in the instance’s setup file.
  • On each server, the daemon creates a bridge: myikev2mgmtbrg
  • For each myikev2 instance, a pair of veth interfaces is created by the daemon; one end is attached to myikev2mgmtbrg, the other end is assigned to the instance’s namespace; the daemon also attaches the instance’s management address to the veth interface in the namespace
  • the daemon creates a default route in the namespace with the veth interface as nexthop
  • the daemon creates a host route for each instance in the base namespace with myikev2mgmtbrg as nexthop
  • no address is needed on the bridge interface or the veth interface in the base namespace

Data Networking

For the actual IKEv2/IPsec traffic, the user must provide, for each namespace, an interface with the connectivity the test case needs; the interface is named by bindifname in the MyIKEv2 setup file, and the daemon moves it into the instance’s namespace when creating the MyIKEv2 instance.
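
The script below, added here as an example and not part of MyIKEv2, renders the management and data plumbing described above as `ip` commands, so the layout can be reviewed or pre-provisioned by hand without the daemon. The bridge name, the address-only-inside-the-namespace rule and the two routes follow the text above; the namespace and veth names, the /128 prefix length on the instance’s veth and the choice of management address (network address plus instance ID) are assumptions, since the documentation only says the address falls within mgmtaddrprefix.

```python
"""Dry-run renderer for the per-instance network plumbing described above.

Added example, not MyIKEv2 code.  Assumptions (not from the documentation):
namespace and veth names, a /128 on the instance's veth, and the management
address being the prefix's network address plus the instance ID.
"""
import ipaddress
import shlex
import subprocess
from typing import List

MGMT_BRIDGE = "myikev2mgmtbrg"  # bridge name from the documentation

Cmd = List[str]


def mgmt_address(prefix: str, instance_id: int) -> ipaddress.IPv6Address:
    """Management address for an instance: network address + instance ID.

    2001:dead:1::/64 with ID 7 -> 2001:dead:1::7.  ID 0 (the network address)
    and IDs beyond the prefix are rejected.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if not 0 < instance_id < net.num_addresses:
        raise ValueError(f"instance id {instance_id} does not fit in {prefix}")
    return net.network_address + instance_id


def bridge_cmds() -> List[Cmd]:
    """Once per server: the management bridge; it carries no address."""
    return [
        ["ip", "link", "add", MGMT_BRIDGE, "type", "bridge"],
        ["ip", "link", "set", MGMT_BRIDGE, "up"],
    ]


def instance_cmds(prefix: str, instance_id: int, bindifname: str) -> List[Cmd]:
    """Per instance: namespace, veth pair, management address, routes, data interface."""
    ns = f"myikev2-{instance_id}"      # assumed naming
    veth_base = f"mv{instance_id}b"    # end attached to the bridge (base namespace)
    veth_ns = f"mv{instance_id}n"      # end moved into the instance namespace
    addr = mgmt_address(prefix, instance_id)
    return [
        ["ip", "netns", "add", ns],
        ["ip", "link", "add", veth_base, "type", "veth", "peer", "name", veth_ns],
        ["ip", "link", "set", veth_base, "master", MGMT_BRIDGE],
        ["ip", "link", "set", veth_base, "up"],
        ["ip", "link", "set", veth_ns, "netns", ns],
        # the management address exists only inside the namespace
        ["ip", "-n", ns, "-6", "addr", "add", f"{addr}/128", "dev", veth_ns],
        ["ip", "-n", ns, "link", "set", "lo", "up"],
        ["ip", "-n", ns, "link", "set", veth_ns, "up"],
        # default route in the namespace: next hop is the veth interface itself
        ["ip", "-n", ns, "-6", "route", "add", "default", "dev", veth_ns],
        # host route in the base namespace: next hop is the bridge
        ["ip", "-6", "route", "add", f"{addr}/128", "dev", MGMT_BRIDGE],
        # data networking: bindifname from the setup file moves into the namespace
        ["ip", "link", "set", bindifname, "netns", ns],
    ]


def render(cmds: List[Cmd]) -> str:
    """Shell-quoted text form, for review or for pasting into a root shell."""
    return "\n".join(shlex.join(c) for c in cmds)


def apply(cmds: List[Cmd]) -> None:
    """Execute the commands (requires root); stops at the first failure."""
    for c in cmds:
        subprocess.run(c, check=True)


if __name__ == "__main__":
    # dry run for two instances on a server whose prefix is 2001:dead:1::/64
    print(render(bridge_cmds()))
    print(render(instance_cmds("2001:dead:1::/64", 1, "eth1")))
    print(render(instance_cmds("2001:dead:1::/64", 2, "eth2")))
```

Running it prints the commands only; call apply() on the same lists to execute them. If the daemon later creates the same bridge or namespace itself, the `add` commands fail with EEXIST, which is the expected way to notice that the plumbing is already in place.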

Configuration

The following types of configuration files are needed:

  • Controller’s config file
  • Recipe: one per test case
  • Setup: one per MyIKEv2 instance in the recipe

Controller Configuration

The controller configuration file is a YAML file containing the following parts:

  • daemonlist: a dictionary; the key is the server/daemon name, the value is a struct:
    • daemonaddr: daemon’s listening address
    • daemonport: daemon’s listening port
    • sshaddr: server’s SSH address
    • sshport: server’s SSH port
    • sshuser: server’s SSH username
    • sshpass: server’s SSH password; it is stored in clear text in this file, so prefer sshkeypath and restrict the file’s permissions
    • sshkeypath: path to the user’s SSH private key
    • mgmtaddrprefix: the IPv6 prefix for auto-assigning the instances’ management IPs
  • varlist: a dictionary; the key is the variable name, the value is the variable value; variables defined here can be used in command strings (such as setupcmds and cleancmds) in the recipe
  • autoassignmgmtip: boolean, true or false

The following is an example:

daemonlist:
  svr1:
    daemonaddr: 1.1.1.1
    daemonport: 12240
    sshaddr: 1.1.1.1
    sshport: 22
    sshuser: root
    sshpass: passwd123
    sshkeypath: ""
    mgmtaddrprefix: 2001:dead:1::/64
  svr2:
    daemonaddr: 2.2.2.2
    daemonport: 12240
    sshaddr: 2.2.2.2
    sshport: 22
    sshuser: root
    sshpass: passwd123
    sshkeypath: ""
    mgmtaddrprefix: 2001:dead:2::/64
varlist:
  '%DIRPREFIX%': /root/testcases
autoassignmgmtip: false

Recipe

A recipe is a YAML file that defines a test case and contains the following:

  • name: the name of the test case
  • setupcmds: a list of shell commands run before the test case starts; each entry is a struct containing:
    • daemonname: name of the daemon the command runs on
    • cmds: a string containing one or more shell commands, separated by ;
  • cleancmds: a list of shell commands run after the test case ends, same structure as setupcmds
  • instancelist: a dictionary defining all test instances; the key is the instance ID, an integer; the value is a struct containing:
    • name: name of the instance
    • daemonname: name of the daemon the test instance runs on
    • waitinterval: how long to wait before starting the instance
    • myikev2: a struct specifying that the instance is a MyIKEv2 instance, containing:
      • setuppath: the path to the MyIKEv2 setup file
      • logdir: the path to save the MyIKEv2 log
    • other: a struct specifying a non-MyIKEv2 instance, which can be used to start a 3rd-party application such as strongSwan
      • setupcmds: setup commands, a string containing one or more shell commands, separated by ;
      • upcmds: startup commands, same format
      • destroycmds: stop commands, same format
      • dataif: the interface name for data traffic
      • dataifaddr: the IP address, with prefix length, to attach to dataif (e.g. 172.16.100.1/24)
    • note: for a given instance, either myikev2 or other must be specified, but not both

The following is an example:

name: Example MyIKEv2 Recipe
setupcmds:
- daemonname: svr1
  cmds: cmd-1;cmd-2
- daemonname: svr2
  cmds: cmd-3;cmd-4
cleancmds: []
instancelist:
  1:
    name: test-1_client
    daemonname: svr1
    waitinterval: 3s
    myikev2:
      setuppath: testc.setup
      logdir: ""
    other: null
  2:
    name: test-1_gateway
    daemonname: svr2
    waitinterval: 3s
    myikev2: null
    other:
      setupcmds: ""
      upcmds: ipsec up
      destroycmds: ""
      dataif: eth1
      dataifaddr: 172.16.100.1/24
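
As an added example, not part of MyIKEv2, the following pre-flight check works on the parsed controller config and recipe (dicts, e.g. from yaml.safe_load) and reports the mistakes that otherwise only surface when `def -f` is run: instances pointing at daemons not in daemonlist, instances with both or neither of myikev2/other, command strings referencing variables that varlist does not define, malformed mgmtaddrprefix or dataifaddr values, and clear-text SSH passwords where sshkeypath would do. The sample controller config and recipe are constructed for this example and contain deliberate errors; treating any %NAME% token in a command string as a varlist reference follows the %DIRPREFIX% example above and is an assumption, since the exact substitution rule is not documented.

```python
"""Pre-flight checks for a controller config and a recipe.

Added example, not MyIKEv2 code.  Works on the already-parsed YAML (dicts).
"""
import ipaddress
import re
from typing import Dict, List

VAR_TOKEN = re.compile(r"%[A-Za-z0-9_]+%")  # varlist keys look like %DIRPREFIX% (assumed)


def lint_controller(cfg: dict) -> List[str]:
    issues: List[str] = []
    daemons: Dict[str, dict] = cfg.get("daemonlist") or {}
    if not daemons:
        issues.append("controller: daemonlist is empty")
    for name, d in daemons.items():
        try:
            ipaddress.IPv6Network(d.get("mgmtaddrprefix") or "", strict=True)
        except ValueError:
            issues.append(f"controller: {name}: mgmtaddrprefix is not a valid IPv6 prefix")
        if d.get("sshpass") and not d.get("sshkeypath"):
            issues.append(f"controller: {name}: sshpass stored in clear text; prefer sshkeypath")
        if not d.get("sshpass") and not d.get("sshkeypath"):
            issues.append(f"controller: {name}: neither sshpass nor sshkeypath is set")
    return issues


def _command_strings(recipe: dict) -> List[str]:
    """Every string a daemon will hand to a shell."""
    entries = (recipe.get("setupcmds") or []) + (recipe.get("cleancmds") or [])
    cmds = [e.get("cmds") or "" for e in entries]
    for inst in (recipe.get("instancelist") or {}).values():
        other = inst.get("other") or {}
        cmds += [other.get(k) or "" for k in ("setupcmds", "upcmds", "destroycmds")]
    return cmds


def lint_recipe(cfg: dict, recipe: dict) -> List[str]:
    issues: List[str] = []
    daemons = set((cfg.get("daemonlist") or {}).keys())
    known_vars = set((cfg.get("varlist") or {}).keys())
    for e in (recipe.get("setupcmds") or []) + (recipe.get("cleancmds") or []):
        if e.get("daemonname") not in daemons:
            issues.append(f"recipe: command for unknown daemon {e.get('daemonname')!r}")
    for inst_id, inst in (recipe.get("instancelist") or {}).items():
        label = f"instance {inst_id} ({inst.get('name', '?')})"
        if inst.get("daemonname") not in daemons:
            issues.append(f"{label}: unknown daemonname {inst.get('daemonname')!r}")
        has_my, has_other = bool(inst.get("myikev2")), bool(inst.get("other"))
        if has_my == has_other:  # both set or both missing
            issues.append(f"{label}: exactly one of myikev2 / other must be set")
        if has_my and not inst["myikev2"].get("setuppath"):
            issues.append(f"{label}: myikev2.setuppath is empty")
        if has_other:
            addr = inst["other"].get("dataifaddr") or ""
            try:
                ipaddress.ip_interface(addr)  # accepts 172.16.100.1/24 style prefixes
            except ValueError:
                issues.append(f"{label}: other.dataifaddr {addr!r} is not an address/prefix")
    for cmd in _command_strings(recipe):
        for tok in sorted(set(VAR_TOKEN.findall(cmd))):
            if tok not in known_vars:
                issues.append(f"recipe: undefined variable {tok} in {cmd!r}")
    return issues


# Constructed sample data mirroring the examples above, with deliberate mistakes:
# svr1 uses a clear-text password, instance 3 targets a daemon that does not
# exist and sets neither myikev2 nor other, and %LOGDIR% is never defined.
CONTROLLER = {
    "daemonlist": {
        "svr1": {"daemonaddr": "1.1.1.1", "daemonport": 12240, "sshaddr": "1.1.1.1",
                 "sshport": 22, "sshuser": "root", "sshpass": "passwd123",
                 "sshkeypath": "", "mgmtaddrprefix": "2001:dead:1::/64"},
        "svr2": {"daemonaddr": "2.2.2.2", "daemonport": 12240, "sshaddr": "2.2.2.2",
                 "sshport": 22, "sshuser": "root", "sshpass": "",
                 "sshkeypath": "/root/.ssh/id_ed25519", "mgmtaddrprefix": "2001:dead:2::/64"},
    },
    "varlist": {"%DIRPREFIX%": "/root/testcases"},
    "autoassignmgmtip": True,
}

RECIPE = {
    "name": "Lint demo",
    "setupcmds": [{"daemonname": "svr1",
                   "cmds": "mkdir -p %DIRPREFIX%/run;cp %DIRPREFIX%/testc.setup %LOGDIR%/"}],
    "cleancmds": [],
    "instancelist": {
        1: {"name": "test-1_client", "daemonname": "svr1", "waitinterval": "3s",
            "myikev2": {"setuppath": "testc.setup", "logdir": ""}, "other": None},
        2: {"name": "test-1_gateway", "daemonname": "svr2", "waitinterval": "3s",
            "myikev2": None,
            "other": {"setupcmds": "", "upcmds": "ipsec up", "destroycmds": "",
                      "dataif": "eth1", "dataifaddr": "172.16.100.1/24"}},
        3: {"name": "orphan", "daemonname": "svr3", "waitinterval": "0s",
            "myikev2": None, "other": None},
    },
}

if __name__ == "__main__":
    for issue in lint_controller(CONTROLLER) + lint_recipe(CONTROLLER, RECIPE):
        print(issue)
```

To lint real files, load each with yaml.safe_load and pass the two dicts in; YAML integer keys such as the instance IDs arrive as ints, which the functions handle.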

Usage

  1. create all the configuration files on the controller server
  2. provision networking as described above
  3. run myikev2 daemon -listen <addr:port> on each daemon server; since a recipe can carry arbitrary shell commands that the daemon executes, bind the listener to an address reachable only from the controller
  4. run myikev2 control cli -c <config_file> on the controller server to start the interactive controller CLI
  5. use the controller CLI to manage the test case

Controller CLI

The controller’s interactive CLI provides the following commands:

  • def -f <recipe_file_name>: start the test case defined by the recipe file
  • list [-d <daemon_name>]: list launched test instances
  • cli -t <instance_name>: connect to a MyIKEv2 instance’s CLI
  • shell: drop into a system shell
  • clearping [-t <instance_name>]: reset the specified MyIKEv2 instance’s ping stats; if instance_name is not specified, clear all MyIKEv2 instances’ ping stats
  • stop [-g <true|false>] -t <instance_name>: stop the specified instance; with -g=true a MyIKEv2 instance is stopped gracefully

14 - MyIKEv2 API

MyIKEv2 provides two sets of gRPC-based APIs; a 3rd-party gRPC client can be developed from the protobuf files in this document.

  • MyIKEv2 API: used to control a MyIKEv2 test instance
  • MyIKEv2 Daemon API: used to control a MyIKEv2 daemon instance

MyIKEv2 Test API

The MyIKEv2 API supports:

  • getting the running summary of MyIKEv2
  • getting the running summary of ping tasks
  • clearing ping stats
  • listing created IKE_SAs
  • dumping a specified IKE_SA
  • listing the CHILD_SAs of a specified IKE_SA
  • dumping a specified CHILD_SA
  • subscribing to MyIKEv2 events, with a specified event filter, and updating the filter
  • getting the gateway address pool usage summary
  • stopping MyIKEv2
  • subscribing to the MyIKEv2 final test result
  • initiating a CHILD_SA rekey

The listening address and port of the API server can be configured via the following options in the setup file:

  • apilistenaddr
  • apilistenport

Note: currently the MyIKEv2 API server does not support gRPC encryption or authentication. Anyone who can reach apilistenaddr:apilistenport can stop the instance and dump its SAs, and IKESADump and CHILDSADump return the SA keys (SKei/SKer/SKai/SKar) and, for an IKE_SA, the PSK in the clear. Keep the API reachable only from the management network and treat API dumps as sensitive when logging or archiving them.

The protobuf file:

// MyIKEv2 API
syntax = "proto3";
option go_package = "myikev2/api";
package api;

import "google/protobuf/timestamp.proto";
import "google/protobuf/duration.proto";

message Empty {}

//************** summary
message SummaryResp {
  uint32 Role =22; //1 is client, 2 is gateway
  google.protobuf.Timestamp StartTime = 1;
  google.protobuf.Timestamp TestEndTime = 2;
  google.protobuf.Timestamp ActualTestEndTime = 26;
  google.protobuf.Timestamp CreationStartTime = 3;
  google.protobuf.Timestamp CreationFinishTime = 4;
  google.protobuf.Duration CreateDuration = 5;
  string SetupFileName = 6;
  uint32 NumOfCreatedTunnel = 7;
  float SetupRate = 8;
  uint64 Ikesa_state_init = 9;
  uint64 Ikesa_state_created = 10;
  uint64 Ikesa_state_established = 11;
  uint64 Ikesa_state_updatingaddr = 12;
  uint64 Ikesa_state_rekeying = 13;
  uint64 Ikesa_state_rekeyed = 14;
  uint64 Ikesa_state_closed = 15;
  uint64 Ikesa_state_closing = 16;
  uint64 Ikesa_state_dpd = 24;
  uint64 Ikesa_state_child_rekeying = 25;
  uint64 Ikesa_total = 17;
  uint64 Live_count = 18;
  uint64 Has_Child = 19;
  uint64 Created_live_count = 20;
  uint64 Configured_count = 21;
  uint64 Flapping_count = 23;
  uint32 Result = 27;
  string LastErrMsg = 28;
}

//************** get list of IKESA own SPI
message ListIKESAQuery {
  uint32 Start = 1; // start from zero
  uint32 Len = 2;   // 0 means return all
}

message IKESASummary {
  bytes PeerAddr = 1;
  uint32 PeerPort = 2;
  fixed64 OwnSPI = 3;
  uint32 State = 4;
  google.protobuf.Timestamp EstabTime = 5;

}

message ListIKESAResp { repeated IKESASummary SummaryList = 1; }


//************** get a list of all CHILD_SA own SPI of a given IKE_SA
message ListCHILDSAQuery {
  fixed64 IKEOwnSPI = 1;
}

message ListCHILDSAResp { repeated fixed32 OwnSPIList = 1; }

//************** dump CHILD_SA
message CHILDSAQuery { fixed32 OwnSPI = 1; }

message CHILDSADump {
  uint32 State = 1;
  fixed32 OwnSPI = 2;
  fixed32 PeerSPI = 3;
  bytes OwnAddr = 4;
  bytes PeerAddr = 5;
  fixed64 ParentIKESA = 6;
  google.protobuf.Timestamp EstabTime = 7;
  uint32 EncAlg = 8;
  uint32 KeyLen = 9;
  uint32 IntAlg = 10;
  google.protobuf.Duration LifeTime = 11;
  bytes SKei = 12;
  bytes SKer = 13;
  bytes SKai = 14;
  bytes SKar = 15;
  bool ESN = 16;
  bool TunnelMode = 17;
  uint32 ReplayWindowSize = 18;
  message TS {
    uint32 Type = 1;
    uint32 Protocol = 2;
    bytes StartAddr = 3;
    bytes EndAddr = 4;
    uint32 StartPort = 5;
    uint32 EndPort = 6;
  }
  repeated TS OwnTS = 19;
  repeated TS PeerTS = 20;
}



//************** dump IKE_SA
message IKESAQuery { fixed64 OwnSPI = 1; }

message IKESADump {
  uint32 State = 1;
  fixed64 OwnSPI = 2;
  fixed64 PeerSPI = 3;
  google.protobuf.Timestamp EstabTime = 4;
  bytes OwnAddr = 5;
  bytes PeerAddr = 6;
  uint32 PeerPort = 36;
  uint32 EncAlg = 7;
  uint32 KeyLen = 8;
  uint32 IntAlg = 9;
  uint32 PrfAlg = 10;
  uint32 OwnAuth = 11;
  uint32 PeerAuth = 12;
  uint32 MyIdType = 13;
  int32 HashAlgDS = 14;
  bool RSAPSS = 15;
  string PSK = 16;
  bool InitiateDPD = 17;
  bool ForceDPD = 18;
  google.protobuf.Duration DPDInterval = 19;
  google.protobuf.Duration LifeTime = 20;
  google.protobuf.Duration MarginTime = 21;
  bool Jitter = 35;
  bool InstallFastpath = 22;
  bool KeepChildHist = 23;
  bool KeepIKEHist = 24;
  bool EnableNATT = 25;
  google.protobuf.Duration NATTKeepaliveInterval = 26;
  google.protobuf.Timestamp LastRcvPktTime = 28;
  google.protobuf.Timestamp LastSendDPDTime = 29;
  bytes SKei = 30;
  bytes SKer = 31;
  bytes SKai = 32;
  bytes SKar = 33;
  uint32 CloseCode = 34;
}
//************** log
message EventFilter {
  uint32 Level=1;
  string keyword=2;
}
message MyIKEv2Event {
  uint32 Level =1;
  string Msg=2; 
  google.protobuf.Timestamp EventTime=3;
}

//************** ping stats request
message PingResultQuery {
  uint32 Start = 1; // start from zero
  uint32 Len = 2;   // 0 means return all
}

//*************** ping task stats
message PingResult {
  string LocalAddr =1;
  string RemoteAddr =2;
  uint64 TotalSentPkt=3;
  uint64 TotalRecvPkt=4;
}

message ListPingResult { 
  repeated PingResult ResultList = 1; 
  uint64 TotalSent = 2;
  uint64 TotalRecv =3;
}

//*************** Gateway address pool summary
message PoolUsageSummary {
  bytes V4StartAddr=1;
  bytes V6StartAddr=2;
  uint64 V4Assigned=3;
  uint64 V6Assigned=4;
}


message StopReq { bool Gracefully = 1; }

//*************** rekey child
message RekeyChildReq {
  fixed32 OwnSPI=1;
}

service MyIKEv2APISvc {
  rpc Stop(StopReq) returns (Empty);
  rpc GetSummary(Empty) returns (SummaryResp);
  rpc GetIKESA(IKESAQuery) returns (IKESADump);
  rpc ListIKESA(ListIKESAQuery) returns (ListIKESAResp);
  rpc ListCHILDSA(ListCHILDSAQuery) returns (ListCHILDSAResp);
  rpc GetCHILDSA(CHILDSAQuery) returns (CHILDSADump);
  rpc SubscrEvent(EventFilter) returns (stream MyIKEv2Event);
  rpc UpdateEventFilter(EventFilter) returns(Empty);
  rpc GetPingSummary(PingResultQuery) returns(ListPingResult);
  rpc ClearPingStats(Empty) returns (Empty);
  rpc GetPoolUsageSummary(Empty) returns(PoolUsageSummary);
  rpc NotifyFinalResult(Empty) returns (stream SummaryResp);
  rpc RekeyChild(RekeyChildReq) returns (Empty);

}
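
The client below, added as an example and not part of MyIKEv2, talks to the test API over the only channel type the server offers, an insecure one, and shows why the note above matters: IKESADump and CHILDSADump hand back the SA keys and PSK, so the conversion helper redacts them before anything is printed or logged. It assumes Python stubs generated from the api.proto above with grpcio-tools (`python -m grpc_tools.protoc -I. --python_out=. --grpc_python_out=. api.proto`, which produces api_pb2 and api_pb2_grpc); the event Level value passed to SubscrEvent is a placeholder, since the documentation does not define the level numbering. grpc is imported only inside the functions that open a connection, so the decoding and redaction helpers work on their own.

```python
"""Client for the MyIKEv2 test API (added example, not MyIKEv2 code).

Assumes api_pb2 / api_pb2_grpc generated from the api.proto above.  grpc is
imported lazily so the pure helpers (address decoding, key redaction) can be
used without it.
"""
import ipaddress
from typing import Any, Dict, Iterable, Iterator, Optional

# Key material returned by IKESADump / CHILDSADump (field names from the proto).
SECRET_FIELDS = frozenset({"SKei", "SKer", "SKai", "SKar", "PSK"})
# bytes fields holding a packed IPv4 (4 bytes) or IPv6 (16 bytes) address.
ADDR_FIELDS = frozenset({"OwnAddr", "PeerAddr", "StartAddr", "EndAddr",
                         "V4StartAddr", "V6StartAddr", "APIAddr"})
SPI_FIELDS = frozenset({"OwnSPI", "PeerSPI", "ParentIKESA", "IKEOwnSPI"})


def addr_to_str(raw: bytes) -> str:
    """Packed address -> text; anything of another length is shown as hex."""
    return str(ipaddress.ip_address(raw)) if len(raw) in (4, 16) else raw.hex()


def to_safe_dict(msg: Any, fields: Optional[Iterable[str]] = None) -> Dict[str, Any]:
    """Copy a message's fields into a dict fit for logging.

    Works on a real protobuf message (field names taken from its descriptor)
    or on any object exposing the same attribute names.  Addresses become
    text, SPIs become hex, and key material is replaced by a placeholder.
    """
    if fields is None:
        fields = [f.name for f in msg.DESCRIPTOR.fields]
    out: Dict[str, Any] = {}
    for name in fields:
        val = getattr(msg, name)
        if name in SECRET_FIELDS:
            size = f" {len(val)} bytes" if isinstance(val, (bytes, bytearray)) else ""
            out[name] = f"<redacted{size}>"
        elif name in ADDR_FIELDS and isinstance(val, (bytes, bytearray)):
            out[name] = addr_to_str(bytes(val))
        elif name in SPI_FIELDS and isinstance(val, int):
            out[name] = f"{val:#x}"
        else:
            out[name] = val
    return out


def connect(target: str):
    """Open a stub to apilistenaddr:apilistenport, e.g. '[2001:dead:1::7]:12241'.

    insecure_channel is the only option: the server offers no TLS or auth.
    """
    import grpc
    from api_pb2_grpc import MyIKEv2APISvcStub
    return MyIKEv2APISvcStub(grpc.insecure_channel(target))


def dump_ikesas(stub, start: int = 0, length: int = 0) -> Iterator[Dict[str, Any]]:
    """ListIKESA, then GetIKESA for each SPI; Len=0 means all, as in the proto."""
    import api_pb2
    listing = stub.ListIKESA(api_pb2.ListIKESAQuery(Start=start, Len=length))
    for summary in listing.SummaryList:
        yield to_safe_dict(stub.GetIKESA(api_pb2.IKESAQuery(OwnSPI=summary.OwnSPI)))


def follow_events(stub, level: int, keyword: str = "") -> None:
    """Stream MyIKEv2Event messages; the Level numbering is not documented (assumed)."""
    import api_pb2
    for ev in stub.SubscrEvent(api_pb2.EventFilter(Level=level, keyword=keyword)):
        print(ev.EventTime.ToDatetime().isoformat(), ev.Level, ev.Msg)


if __name__ == "__main__":
    import sys
    import api_pb2
    stub = connect(sys.argv[1])  # e.g. [2001:dead:1::7]:12241
    print(to_safe_dict(stub.GetSummary(api_pb2.Empty())))
    for sa in dump_ikesas(stub):
        print(sa)
```

The same pattern applies to the daemon API below: generate stubs from its proto, use MyIKEv2DaemonAPISvcStub over an insecure channel to the daemon’s -listen address, and pass the api.SummaryResp embedded in each ListTestStatusEntry through to_safe_dict before logging it.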

MyIKEv2 Daemon API

// MyIKEv2 daemon API
syntax = "proto3";

option go_package = "myikev2/daemonapi";

package daemonapi;

import "myikev2/api/api.proto";

message Empty {}

message DefineMyIKEv2TestReq {
  string Setup=1; 
  string LogDir=2;
}

//for non-myikev2 test, like sswan
message DefineOtherTestReq {
  string SetupCMDs=1;
  string UpCMDs=2;
  string DestroyCMDs=3;
  string DataIf=4;
  string DataIfAddr=5; //this is a prefix
  
}

message DefineGenericTestReq {
  uint32 Type = 1; //1 myikev2, 2 other
  string Name = 2;
  DefineMyIKEv2TestReq MyIKEv2Test = 3;
  DefineOtherTestReq OtherTest =4;
  bool Override = 5;
}


message StatusReq {
  string Name = 1;
}

message StatusResp {
  uint32 State = 1;
}

message ListTestStatusEntry {
  string Name = 1;
  uint32 Type =2;
  bytes APIAddr =3;
  uint32 APIPort =4;
  api.SummaryResp Status =5;
  api.ListPingResult PingResults = 6;
}

message ListTestStatusResp {
  repeated ListTestStatusEntry results = 1;
}

message DestroyReq {
  string Name = 1;
  bool Gracefully =2;
}

message ClearPingStatsReq {
  string Name =1;
}


service MyIKEv2DaemonAPISvc {
  rpc Define(DefineGenericTestReq) returns (Empty);
  rpc Status(StatusReq) returns (StatusResp);
  rpc List(Empty) returns (ListTestStatusResp);
  rpc Destroy(DestroyReq) returns (Empty);
  rpc ClearPingStats(ClearPingStatsReq) returns (Empty);
}

15 - MyIKEv2 License

MyIKEv2 requires a valid license file; without it, it runs in trial mode, which has the following limitations:

  • max number of tunnels is limited to 10
  • max running time is limited to 30 minutes

Provision License File

By default, MyIKEv2 expects the license file at /etc/myikev2.lic; this can be overridden with the -l parameter: myikev2 exec -f <setupfile> -l <licensefile>

16 - Change Logs

What’s new?

ver 4.7 1/26/2024

  • reworked CLI and YAML file support
  • added HASH_ALG_NOTIFY value output in debug
  • fixed a bug where the USE_TRANSPORT notify was missing when replying to a CHILD_SA rekey in transport mode
  • HASH_ALG notify debug output now shows the actual algorithm name
  • an IKE packet containing a non-ESP marker received on a connection where NAT is not enabled is now supported
  • the gateway’s sendIKESAINITResp now sends the response on the same connection the request was received on
  • fixed a dshash-related bug
  • fixed PFS group-related bugs
  • fixed a bug where MyIKEv2 fragmented the IKE_SA_INIT packet, which it is not supposed to do

ver 4.6 4/14/2023

  • no longer requires libpcap or a specific version of glibc
  • fixed an eap-file bug
  • fixed some fastpath bugs

ver 4.5 2/27/2022

  • add peerid/matchpeerid for client tunnel

ver 4.42 11/25/2022

  • fix a bug that might cause CHILD_SA rekey fail on fastpath in scale test
  • add setupinterval configuration for ping

ver 4.41 11/25/2022

  • fix a memory leak bug when using UDP ping in scale test

ver 4.4 11/22/2022

  • add UDP ping
  • enhanced client eap-file, and gateway EAP implementations, more stable and performant

ver 4.3 11/18/2022

  • improve performance of netlink based fastpath
  • fixed a bug where a wrong eapradiusss value could cause loading the RADIUS pcap to panic
  • change default test running time to 10 min

ver 4.22 10/27/2022

  • fixed a bug where a certain payload format could cause logging to stop

ver 4.21 10/17/2022

  • change default IKEv2 fragmentation MTU to 1100

ver 4.2 10/5/2022

  • use netlink for most fastpath API calls, which increases fastpath setup performance
  • fix some bugs related to eapsnoop
  • RA client IKE_AUTH request now include CFG_ATTR_INTERNAL_IP4_NETMASK

ver 4.0 8/30/2022

  • Support multiple SA proposals for IKE and CHILD SA
  • add TCP encap support RFC8229
  • add support for INVALID_KE notification for tunnel responder
  • change EAP support for gateway to use EAP-start
  • add option to force UDP encapsulation
  • rewrite NAT detection related code
  • client reauth now waits for all IKE_SA deletions to finish before starting a new dial
  • many bug fixes

ver 3.0 03/09/2021

  • Add myikev2 daemon & controller support; the controller can create tests from a user-specified recipe on multiple machines or in multiple namespaces on the same machine; see documentation for details
  • Add support for IPsec transport mode
  • Add support for RFC4754, IKE and IKEv2 Authentication Using the Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Add tunnel flapping, which keeps bringing tunnels up and down; can be used for stress testing
  • Add crash log file
  • Enhance ping test
  • various other enhancements and bug fixes

ver 2.0 12/19/2019

  • Add tunnel responder support (IPsec gateway); support all existing MyIKEv2 features
  • Add ed25519 support
  • Add unique EAP credential per tunnel support for eap-snoop mode
  • Add auto generating ping src/dst address based on traffic selector
  • refined log support, fixed out-of-order issue
  • now allows omitting the default config in ikeconf and pingconf
  • add jitter for rekey
  • add API/interactive-CLI commands for listing and dumping CHILD_SA
  • fixed some rekey bugs
  • Fixed many bugs, more efficient memory usage and better stability in large-scale tests

ver 1.7 7/6/2019

  • add gRPC based API support, see doc for detail
  • add maxlossrate setting for built-in ping
  • add psummary interactive command (show summary of ping results)
  • fixed a bug of built-in ping

ver 1.6, 5/19/2019

  • Add MOBIKE (RFC4555), including fastpath support, see doc for detail
  • Add built-in Ping test, see doc for detail
  • Add “desc” setting in setup file

ver 1.52, 4/28/2019

  • fixed a bug that causes issues on LAN-to-LAN tunnel’s fastpath

ver 1.51, 4/25/2019

  • fixed a bug that causes fastpath to stop working after CHILD_SA rekey

ver 1.5, 4/24/2019

  • add IKEv2 fragmentation reassembly; the feature is now complete
  • EAP only auth (RFC5998)
  • New crypto:
    • ChaCha20/Poly1305(RFC 7634), for both IKEv2 and fastpath
    • curve25519 (dhgrp 31)
  • IKEv2 Repeated Authentication (RFC4478)
  • add IKEv2 initial_contact support
  • Some bug fixes

ver 1.4, 4/10/2019

  • Now supports 100K tunnels on a single-socket 10-core Xeon CPU (E5-2650 v3), tested under the following setup:
    • Hyper-Threading enabled
    • MyIKEv2 runs in a centos 7 VM (Qemu/KVM), with following resource allocated to VM:
      • 17 HT cores
      • 80G memory
      • A dual port 10GE NIC (Intel 82599ES) via PCI-Passthrough
    • Key MyIKEv2 Config:
      • auth: psk
      • crypto: aes-cbc-128 and sha1, DH Grp 14, PFS enabled
      • lifetime: IKE 30min, CHILD 15min (MyIKEv2 is the rekey initiator)
      • DPD: enabled, interval 30s
    • Memory Consumption:
      • After all tunnels are created, memory consumption is less than 56G
  • Add in-memory logging, enabled by setting “loginmem” to true in the setup file; if enabled, MyIKEv2 keeps log messages in memory until the test finishes, then writes them to file
  • Tunnel retry interval and max retries are now configurable via “tunnelretryinterval” and “tunnelmaxretry” in the setup file; this is the time MyIKEv2 waits before retrying after a failed tunnel creation
  • IKE request retransmission interval and max retries are now configurable via “retraninterval” and “maxretran” in the setup file
  • Test result output has been enhanced, setup rate has been added, with option to use JSON format with “-j” command parameter
  • added first-phase support for IKEv2 fragmentation (RFC7383); only fragmentation, not reassembly, is supported in this release