ipvs with ipsec

Farid Sarwari fsarwari at exchangesolutions.com
Tue Jul 25 18:38:09 BST 2006


Hi all,

I'm having some issues with IPVS and IPsec. When an HTTP client requests
a page, I can see the traffic come all the way to the webserver
(ws1, ws2). However, the return traffic gets to the load balancer but
does not make it through the IPsec tunnel. When doing a tcpdump I can
see that the packets get SNATed by IPVS. I know there is a problem with
ipsec2.6 and SNAT, and I've upgraded my kernel and iptables so now SNAT
with iptables works. But it looks like IPVS is doing its own SNAT, which
doesn't pass through the IPsec tunnel.

Is there a way to tell IPVS not to do SNAT and let iptables take care of
the SNAT? If not, what's the best workaround for this issue?


My setup:


                      HTTP Clients
                       -------
                         |
                          \ -- Ipsec tunnel
                          /
                         |            
                  +------------+
                  |LoadBalancer|
                  |  ipsec2.6  |  
                  |   ipvs     |
                  +------------+
                         |
                        /\
                       /  \
                      /    \
                 +-----+  +-----+
                 | ws1 |  | ws2 |
                 +-----+  +-----+


Ldirector.conf:
virtual=x.x.x.x:80 #<public ip>
        real=y.y.y.1:80 masq
        real=y.y.y.2:80 masq
        checktype=negotiate
        fallback=127.0.0.1:80 masq
        service=http
        request="/"
        receive=" "
        scheduler=wlc
        protocol=tcp

------------------

ipvsadm -ln output:
P Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  x.x.x.x:80 wlc
  -> y.y.y.1:80            Masq    1      0          0
  -> y.y.y.1:80            Masq    1      0          0

------------------

Software Version #s:
ipvsadm v1.24 2003/06/07 (compiled with popt and IPVS v1.2.0)
Linux Kernel 2.6.16
iptables v1.3.5
ldirectord  version 1.131
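As an added example (not part of the original post), a small script that cross-checks the `real=` entries in an ldirectord.cf fragment against `ipvsadm -ln` output, so that a real server missing from the kernel table (for instance one ldirectord has removed after a failed check, or a mistyped entry) is noticed before chasing the IPsec path. The samples are constructed from the posted config and table, placeholder addresses included; because the posted table lists y.y.y.1 twice, the check reports y.y.y.2 as missing.

```python
import re

# Constructed sample modelled on the posted ldirectord.cf (placeholders kept).
LDIRECTORD_CF = """\
virtual=x.x.x.x:80 #<public ip>
        real=y.y.y.1:80 masq
        real=y.y.y.2:80 masq
        checktype=negotiate
        fallback=127.0.0.1:80 masq
        protocol=tcp
"""

# Constructed sample modelled on the posted `ipvsadm -ln` output.
IPVSADM_LN = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  x.x.x.x:80 wlc
  -> y.y.y.1:80            Masq    1      0          0
  -> y.y.y.1:80            Masq    1      0          0
"""

def parse_ldirectord(text):
    """Return {virtual: {real: forwarding method}} from an ldirectord.cf fragment."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop trailing comments
        m = re.match(r"virtual=(\S+)", line)
        if m:
            current = m.group(1)
            services[current] = {}
        m = re.match(r"real=(\S+)\s+(\w+)", line)
        if m and current:
            services[current][m.group(1)] = m.group(2).lower()
    return services

def parse_ipvsadm(text):
    """Return {virtual: {real: forwarding method}} from `ipvsadm -ln` output."""
    table, current = {}, None
    for line in text.splitlines():
        m = re.match(r"(TCP|UDP)\s+(\S+)\s+\S+", line)   # virtual service line
        if m:
            current = m.group(2)
            table[current] = {}
            continue
        m = re.match(r"\s*->\s+(\S+)\s+(\w+)", line)      # real server line
        if m and current:                                 # header '->' row is skipped
            table[current][m.group(1)] = m.group(2).lower()
    return table

def missing_reals(config, table):
    """Real servers declared in ldirectord.cf but absent from the kernel table."""
    return sorted(f"{v} -> {r}" for v, reals in config.items()
                  for r in reals if r not in table.get(v, {}))
```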

