[lvs-users] ipsec + lvs-nat not working

Sebastien COUPPEY sebastien.couppey at zero9.it
Wed Oct 22 10:24:11 BST 2008


On Tue, Oct 21, 2008 at 05:46:51PM -0700, Joseph Mack NA3T wrote:
> On Tue, 21 Oct 2008, Sebastien COUPPEY wrote:
> 
> >
> > yes this is true, I use an iptables rule, but only have an N-1-1rs connection.
> 
> without knowing what the rule is (or what an N-1-1rs is), 

N clients - 1 server - 1 server,
a typical iptables DNAT rule.

But that way you bypass ipvs.

> this isn't much help. Don't have any iptables rules till 
> your lvs is working
> 
> Your ipsec connection terminates at the VIP on the director, 
> not the realservers?

Yes, the tunnel terminates at the VIP on the director.
The real server is on a normal network.

With the firewall down, attached is a tcpdump, where:
10.44.0.254 is the client
10.4.0.30 is the VIP on the director net interface
10.0.1.60 is the realserver

We can see that packets arrive back on the director, are correctly
rewritten and sent back to the client 10.44.0.254. However the client
never receives the packet.

10.4.0.30.http > 10.44.0.254

I was wondering if the "brownfield" patch or NFCT patch described in
the LVS-HOWTO.LVS-NAT.html documentation was included in the 2.6.18
kernel. 
ipvsadm v1.24 2003/06/07 (compiled with getopt_long and IPVS v1.2.0)

Again, thanks for the advice.
-------------- next part --------------
# tcpdump -i any -n host 10.44.0.254

11:09:13.936162 IP 10.44.0.254.invision-ag > 10.4.0.30.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099112295 0,nop,wscale 5>
11:09:13.936231 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099112295 0,nop,wscale 5>
11:09:13.936247 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099112295 0,nop,wscale 5>
11:09:13.936238 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695679753 4099112295,nop,wscale 7>
11:09:13.936248 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695679753 4099112295,nop,wscale 7>
11:09:16.936412 IP 10.44.0.254.invision-ag > 10.4.0.30.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099115295 0,nop,wscale 5>
11:09:16.936445 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099115295 0,nop,wscale 5>
11:09:16.936448 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099115295 0,nop,wscale 5>
11:09:16.936553 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695682754 4099112295,nop,wscale 7>
11:09:16.936562 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695682754 4099112295,nop,wscale 7>
11:09:18.192492 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695684010 4099112295,nop,wscale 7>
11:09:18.192502 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695684010 4099112295,nop,wscale 7>
11:09:22.936522 IP 10.44.0.254.invision-ag > 10.4.0.30.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099121295 0,nop,wscale 5>
11:09:22.936552 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099121295 0,nop,wscale 5>
11:09:22.936554 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099121295 0,nop,wscale 5>
11:09:22.936654 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695688754 4099112295,nop,wscale 7>
11:09:22.936663 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695688754 4099112295,nop,wscale 7>
11:09:24.392666 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695690210 4099112295,nop,wscale 7>
11:09:24.392676 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695690210 4099112295,nop,wscale 7>
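To check mechanically what the capture above shows, here is an added example in Python (not code from the thread or from the LVS project). It parses tcpdump's text output, pairs each pre-NAT packet with its masqueraded twin on both legs by TCP header content (flags, seq, ack and the TCP timestamp option, none of which NAT touches), and classifies the flow. The addresses and the embedded capture are the ones from the post; the verdict labels, and the assumption that the capture uses the classic tcpdump syntax shown above (single-letter flags, `seq:end(len)`), are the example's own.

```python
"""Check LVS-NAT rewriting in a director-side tcpdump text capture.
Added example, not code from the thread or from LVS; the capture below is
the one posted (`tcpdump -i any -n host 10.44.0.254` on the director)."""
import re
from dataclasses import dataclass
from typing import List, Optional

CLIENT, VIP, REALSERVER = "10.44.0.254", "10.4.0.30", "10.0.1.60"

# The 19 packet lines from the post, verbatim.
CAPTURE = """\
11:09:13.936162 IP 10.44.0.254.invision-ag > 10.4.0.30.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099112295 0,nop,wscale 5>
11:09:13.936231 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099112295 0,nop,wscale 5>
11:09:13.936247 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099112295 0,nop,wscale 5>
11:09:13.936238 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695679753 4099112295,nop,wscale 7>
11:09:13.936248 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695679753 4099112295,nop,wscale 7>
11:09:16.936412 IP 10.44.0.254.invision-ag > 10.4.0.30.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099115295 0,nop,wscale 5>
11:09:16.936445 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099115295 0,nop,wscale 5>
11:09:16.936448 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099115295 0,nop,wscale 5>
11:09:16.936553 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695682754 4099112295,nop,wscale 7>
11:09:16.936562 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695682754 4099112295,nop,wscale 7>
11:09:18.192492 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695684010 4099112295,nop,wscale 7>
11:09:18.192502 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695684010 4099112295,nop,wscale 7>
11:09:22.936522 IP 10.44.0.254.invision-ag > 10.4.0.30.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099121295 0,nop,wscale 5>
11:09:22.936552 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099121295 0,nop,wscale 5>
11:09:22.936554 IP 10.44.0.254.invision-ag > 10.0.1.60.http: S 222215520:222215520(0) win 5840 <mss 1460,sackOK,timestamp 4099121295 0,nop,wscale 5>
11:09:22.936654 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695688754 4099112295,nop,wscale 7>
11:09:22.936663 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695688754 4099112295,nop,wscale 7>
11:09:24.392666 IP 10.0.1.60.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695690210 4099112295,nop,wscale 7>
11:09:24.392676 IP 10.4.0.30.http > 10.44.0.254.invision-ag: S 108642860:108642860(0) ack 222215521 win 5792 <mss 1460,sackOK,timestamp 3695690210 4099112295,nop,wscale 7>
"""

# Classic tcpdump TCP line: time IP src.port > dst.port: flags [seq:end(len)] [ack n] win n [<opts>]
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): "
    r"(?P<flags>\S+) (?:(?P<seq>\d+):\d+\(\d+\) )?(?:ack (?P<ack>\d+) )?"
    r"win \d+(?: <(?P<opts>[^>]*)>)?")

@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    dst: str
    flags: str
    seq: Optional[int]
    ack: Optional[int]
    tsval: Optional[int]  # TCP timestamp option; NAT leaves it untouched

def parse_packets(text: str) -> List[Packet]:
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue  # blank lines, shell prompt, non-TCP traffic
        ts_opt = re.search(r"timestamp (\d+) ", m["opts"] or "")
        pkts.append(Packet(m["ts"], m["src"], m["dst"], m["flags"],
                           int(m["seq"]) if m["seq"] else None,
                           int(m["ack"]) if m["ack"] else None,
                           int(ts_opt.group(1)) if ts_opt else None))
    return pkts

def analyse(pkts: List[Packet], client=CLIENT, vip=VIP, rs=REALSERVER) -> dict:
    """Pair pre- and post-NAT packets on both legs and classify the flow."""
    def leg(a, b):
        return [p for p in pkts if p.src == a and p.dst == b]
    c2v, c2r = leg(client, vip), leg(client, rs)  # forward leg: before / after NAT
    r2c, v2c = leg(rs, client), leg(vip, client)  # reverse leg: before / after NAT
    # Masquerading changes only the IP addresses, so a rewritten copy carries the
    # same flags, seq, ack and timestamp option as its original. Keying on that
    # tuple pairs the twins and tolerates duplicate lines (-i any lists each twice).
    def key(p):
        return (p.flags, p.seq, p.ack, p.tsval)
    fwd_missing = [p for p in c2v if key(p) not in {key(q) for q in c2r}]
    rev_missing = [p for p in r2c if key(p) not in {key(q) for q in v2c}]
    client_syns = [p for p in c2v if p.flags == "S"]
    client_acks = [p for p in c2v if "S" not in p.flags and p.ack is not None]
    rs_synacks = [p for p in r2c if p.flags == "S" and p.ack is not None]
    syn_retrans = len(client_syns) - len({p.seq for p in client_syns})
    if fwd_missing or rev_missing:
        verdict = "NOT_REWRITTEN"  # ip_vs did not masquerade some packets
    elif client_acks:
        verdict = "HANDSHAKE_OK"  # client answered a rewritten SYN/ACK
    elif syn_retrans:
        # Every reply was rewritten, yet the client resends the same SYN and
        # never ACKs: the SYN/ACK is lost after it leaves the director.
        verdict = "RETURN_PATH_LOST"
    else:
        verdict = "INCONCLUSIVE"
    return {"client_syn_retransmits": syn_retrans, "client_acks": len(client_acks),
            "realserver_synacks": len(rs_synacks),
            "realserver_synack_retransmits": len(rs_synacks) - len({p.seq for p in rs_synacks}),
            "forward_not_rewritten": len(fwd_missing),
            "reverse_not_rewritten": len(rev_missing), "verdict": verdict}

if __name__ == "__main__":
    print(analyse(parse_packets(CAPTURE)))
```

Run against the posted capture it reports 5 realserver SYN/ACKs, all 5 rewritten to the VIP, 2 client SYN retransmissions, 4 realserver SYN/ACK retransmissions and no client ACK, i.e. RETURN_PATH_LOST: the director's rewrite is fine and the loss is between the director's output and the client. With the tunnel terminating on the VIP, the next thing to check is whether the rewritten 10.4.0.30 -> 10.44.0.254 reply matches the IPsec policy for that tunnel on its way out.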

