[nycbug-talk] L2TP/IPSec VPN Stress Testing

Peter Wright pete at nomadlogic.org
Wed Feb 14 11:59:39 EST 2007

> Greetings Everyone,
> I need to perform VPN stress testing on a Cisco ASA setup
> we have here in the ThruPoint lab.  Our requirements are
> that the setup should handle about 1000 simultaneous connections.
> I've looked around for VPN stress testing options and there
> just don't seem to be that many that are, ahem, reasonably priced.
> (Ixia 250 new: over $100K, and leasing is 15% list/month- 3 month min.)
> Further detail:  We are using MS L2TP/IPSec for the client,
> so whatever I use has to be able to generate L2TP/IPSec
> sessions.  To get started we'll use preshared keys.  We'll test
> certs later.
> Clients are Microsoft XP using the Microsoft L2TP/IPSec client.
> So, I'm really trying to emulate 1000 Win XP L2TP/IPSec users
> connecting at the same time.
> I do have about 50 PCs (maybe even more) I can throw at this thing,
> so I just need to figure out how to get 50 PCs to generate L2TP/IPSec
> connections.
> Is there a BSD solution I can use here?
> All ideas welcomed!
> Best Regards,
> Jim B.

not really a BSD solution but would it be possible to use something like
VMware server (which is free) on the PCs to get close to the number of
clients you want (10 xp instances per PC * 50 PCs = 500 connections).  it
may not be quick, or even feasible - but with a little batch scripting you
could be able to generate the traffic you'd expect to see.  vmware server
does allow you to do snapshots of your instance - so theoretically you
could clone a snapshot of a configured XP host which may save some time on
the front end.

also, not sure what type of gear you have available - but i did some work
with NetApp iSCSI LUN cloning to produce a pretty similar environment as
well.  create a VM instance, clone the lun and export that image to
another VM.  NetApps do some tricks where cloned images will share as
much common data as possible, allocating new blocks as needed when the
clones start to differ (i.e. /bin may use the same blocks across multiple
LUNs, but /var/tmp would differ).

anywho, this sounds like a fun project ;)


Peter Wright
pete at nomadlogic.org

