[lvs-users] ipsec + lvs-nat not working

Sebastien COUPPEY sebastien.couppey at zero9.it
Thu Oct 16 11:42:06 BST 2008


Hello,

I am facing a problem with ipsec+lvs-nat on the same server.

It looks strange to me that the cohabitation is not working.
 

client : 10.44.0.254
 |
gw ipsec
 |
... internet
 |
gw ipsec
+
lvs-NAT
 |
Real server 10.0.1.60


the vip is on the loopback interface.

virtual=10.4.0.30:80
        real=10.0.1.60:80 masq
        real=10.0.1.61:80 masq
        service=http
        protocol=tcp
        checktype=on


Here are some tcpdump captures performed on the "any" interface of the server
(ipsec Openswan + lvs-nat):

11:38:21.960702 IP 10.44.0.254.37580 > 10.4.0.30.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960748 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960759 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960782 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179041601 3582473920,nop,wscale 7> 
11:38:24.960697 IP 10.44.0.254.37580 > 10.4.0.30.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960729 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960731 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960830 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179044601 3582473920,nop,wscale 7>
11:38:25.938946 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179045580 3582473920,nop,wscale 7>


The only error I see is:

11:41:36.206761 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
11:41:36.206768 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
11:41:36.206773 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68


However, I can ping the client from the server:

# ping -I 10.4.0.30 10.44.0.254
PING 10.44.0.254 (10.44.0.254) from 10.4.0.30 : 56(84) bytes of data.
64 bytes from 10.44.0.254: icmp_seq=1 ttl=63 time=37.7 ms
64 bytes from 10.44.0.254: icmp_seq=2 ttl=63 time=36.7 ms

So I don't see what I am missing.

Has someone realized such an architecture?

Thanks a lot for any tips.
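As an added example (not part of the post, and not a diagnosis of this particular setup), here is a small Python script that classifies tcpdump lines of the kind quoted above. It checks whether each SYN that the director forwarded to a real server is answered by a SYN-ACK whose source address has been rewritten back to the VIP, which is what a working LVS-NAT exchange looks like; a reply that leaves with the real server's own address means the reverse translation did not happen, and also shows the client an internal address. The VIP, real-server and client addresses are taken from the post; the classification rules and the wording of the findings are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines quoted in the post (client 10.44.0.254,
# VIP 10.4.0.30 on loopback, real server 10.0.1.60), TCP lines plus the ICMP lines.
SAMPLE_CAPTURE = """\
11:38:21.960702 IP 10.44.0.254.37580 > 10.4.0.30.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960748 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960759 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960782 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179041601 3582473920,nop,wscale 7>
11:38:24.960697 IP 10.44.0.254.37580 > 10.4.0.30.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960729 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960731 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960830 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179044601 3582473920,nop,wscale 7>
11:38:25.938946 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179045580 3582473920,nop,wscale 7>
11:41:36.206761 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
11:41:36.206768 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
11:41:36.206773 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
"""

# One tcpdump "IP" line: timestamp, src > dst, then either TCP flags or "ICMP".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<kind>\S+) ?(?P<rest>.*)$"
)


def split_hostport(endpoint):
    """'10.0.1.60.http' -> ('10.0.1.60', 'http'); tcpdump appends the port after a dot."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_capture(text):
    """Turn tcpdump text into a list of packet dicts (TCP SYN/ACK state or ICMP info)."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a tcpdump IP line, ignore
        if m["kind"] == "ICMP":
            packets.append({"ts": m["ts"], "proto": "icmp", "src": m["src"],
                            "dst": m["dst"], "info": m["rest"]})
            continue
        src, sport = split_hostport(m["src"])
        dst, dport = split_hostport(m["dst"])
        packets.append({"ts": m["ts"], "proto": "tcp", "src": src, "sport": sport,
                        "dst": dst, "dport": dport,
                        "syn": "S" in m["kind"],            # flag field, e.g. "S" or "."
                        "ack": " ack " in f" {m['rest']} "})  # "ack N" follows the seq
    return packets


def classify(pkt, vip, real_servers):
    """Assumed model of a healthy LVS-NAT handshake as seen on the director."""
    if pkt["proto"] == "icmp":
        return "icmp_unreachable" if "unreachable" in pkt["info"] else "icmp_other"
    syn, ack = pkt["syn"], pkt["ack"]
    if syn and not ack and pkt["dst"] == vip:
        return "client_syn_to_vip"        # what the client sent to the service
    if syn and not ack and pkt["dst"] in real_servers:
        return "forwarded_syn_to_rs"      # director rewrote only the destination
    if syn and ack and pkt["src"] in real_servers:
        return "reply_untranslated"       # source still the RS: reverse NAT missing
    if syn and ack and pkt["src"] == vip:
        return "reply_translated"         # reply rewritten to the VIP, as expected
    return "other"


def summarize(text, vip, real_servers):
    """Count packets per class for a capture."""
    return Counter(classify(p, vip, real_servers) for p in parse_capture(text))


def check_reverse_nat(counts):
    """Return human-readable findings derived from the class counts (assumed heuristics)."""
    findings = []
    if counts["forwarded_syn_to_rs"] and counts["reply_untranslated"] and not counts["reply_translated"]:
        findings.append("real-server replies leave with the real-server source address: "
                        "reverse NAT is not being applied, and the client is shown an internal address")
    if counts["icmp_unreachable"]:
        findings.append("the director itself reported the client address unreachable for some "
                        "packet: check the route (and any IPsec policy) covering reply traffic")
    return findings


if __name__ == "__main__":
    counts = summarize(SAMPLE_CAPTURE, "10.4.0.30", {"10.0.1.60", "10.0.1.61"})
    for cls, n in sorted(counts.items()):
        print(f"{cls:22s} {n}")
    for f in check_reverse_nat(counts):
        print("finding:", f)
```

Run it with the post's capture and the untranslated SYN-ACKs stand out immediately (three replies sourced from 10.0.1.60, none from the VIP); on a healthy director the same script would count only `reply_translated` replies. Feeding it `tcpdump -n -i any` output from both sides of a NAT director is a quick way to confirm that the return path really passes through the IPVS translation.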