ipvs with ipsec

[Farid Sarwari]

I do have multiple VPN links so this might be an issue. I'm going to try
the patch from the link you provided.

Thanks Joseph.

-----Original Message-----
From: lvs-users-bounces at LinuxVirtualServer.org
[mailto:lvs-users-bounces at LinuxVirtualServer.org] On Behalf Of Joseph
Mack NA3T
Sent: Tuesday, July 25, 2006 8:18 PM
To: LinuxVirtualServer.org users mailing list.
Subject: Re: ipvs with ipsec

On Tue, 25 Jul 2006, Farid Sarwari wrote:

> Hi all,
>
> I'm having some issues with IPVS and IPSec. When a HTTP 
> client requests a page, I can see the traffic come all the 
> way to the webserver (ws1,ws2). However, the return 
> traffic gets to the load balancer but does not make it 
> through the ipsec tunnel. When doing a tcpdump I can see 
> that the packets get SNATed by ipvs.

required for LVS-NAT to work.

> I know there is a problem with ipsec2.6 and SNAT, and I've 
> upgraded my kernel and iptables so now SNAT with iptables 
> works. But it looks like ipvs is doing its own SNAT which 
> doesn't pass through the ipsec tunnel.

there are routing problems with LVS-NAT

http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html#brow
nfield

(a version of ipvs with this patch has not been released)

do you think this might be affecting you?

> Is there a way to tell ipvs not to do snat and let 
> iptables take care of the SNAT?

no.

I last played around with ipv6 about 6 years ago and 
installed it just for fun and then forgot about it.
I didn't realise you could do IPSec with ipv4.

Joe

-- 
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml 
Homepage http://www.austintek.com/ It's GNU/Linux!
_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users at LinuxVirtualServer.org
Send requests to lvs-users-request at LinuxVirtualServer.org
or go to http://www.in-addr.de/mailman/listinfo/lvs-users