[lvs-users] Load-balancing IPSec
khosrow.ebrahimpour at ssc-spc.gc.ca
Thu May 22 22:17:08 BST 2014
I noticed a couple of things, which are hopefully useful.
On 05/19/2014 10:27 AM, Bernd wrote:
> Hi List,
> I'm about to try something like this:
>                               +----------+       +------------------+       /------ IPSec terminator 1 (10.0.100.100)
> Road warriors (Clients) <---> | internet | <---> | LVS (ldirectord) |------
>                               +----------+       +-------(NAT)------+       \------ IPSec terminator 2 (10.0.100.101)
> Read: Road warriors connect to a LVS machine (managed by ldirectord)
> which in turn forwards IPSec to backend (real) servers.
> Hence NAT is being used, only ESP may work (if at all), as NAT destroys
> AH. I'm using fwmarks, as it should be as transparent as possible.
> real=10.0.100.100 masq
> real=10.0.100.101 masq
> # checktype=connect
> # checkport=500
> iptables is configured accordingly:
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> MARK all -- 0.0.0.0/0 10.0.100.100 MARK set
> MARK all -- 0.0.0.0/0 10.0.100.101 MARK set
> # IPSec
> -A INPUT -p 50 -j ACCEPT
> -A INPUT -p 51 -j ACCEPT
> # IPSec/IKE
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
If you're using NAT, I don't see a SNAT so that the real servers can
talk to the outside world. What is the output of the "iptables -L -t
> Usual stuff (net.ipv4.ip_forward = 1, net.ipv4.conf.eth0.arp_ignore = 1,
> net.ipv4.conf.eth0.arp_announce = 2) is also in place.
If you're doing NAT, why do you need the arp_ignore and arp_announce? As
far as I know you only need that if you're doing LVS-DR.
> However, although ldirectord sees the terminators up and running,
> nothing happens when trying to initiate an IKE.
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
> -> RemoteAddress:Port Forward Weight ActiveConn InActConn
> FWM 1 wlc
> -> 10.0.100.100:0 Masq 1 0 0
> -> 10.0.100.101:0 Masq 1 0 0
> Any idea what may be wrong here? I see packets coming in on the front
> door, but nothing happens after this.
> Is it even possible to "load balance" IPSec this way?
> Best regards,
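The first check Khosrow asks for, as an added example that is not part of the thread: given the director's nat table as `iptables -t nat -S` prints it, report which real servers have no POSTROUTING SNAT/MASQUERADE rule covering them. The two rule dumps and the real-server list are constructed from the addresses in Bernd's setup; `NAT_WITH_SNAT` assumes the real servers sit in 10.0.100.0/24 behind eth0.

```python
import ipaddress
import re

# Constructed sample: the nat table of a director whose real servers
# (10.0.100.100 / .101) have no SNAT rule, as in the setup quoted above.
NAT_WITHOUT_SNAT = """\
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
"""

# Same director after adding a MASQUERADE rule for the real-server subnet
# (assumed to be 10.0.100.0/24, leaving via eth0).
NAT_WITH_SNAT = NAT_WITHOUT_SNAT + \
    "-A POSTROUTING -s 10.0.100.0/24 -o eth0 -j MASQUERADE\n"

# Matches "-A POSTROUTING ... -j SNAT --to-source X" or "... -j MASQUERADE".
RULE_RE = re.compile(r"^-A POSTROUTING\b(?P<opts>.*)-j (?P<target>SNAT|MASQUERADE)\b")


def snat_rules(nat_dump: str):
    """Yield (source network, target) for each POSTROUTING SNAT/MASQUERADE rule.

    A rule without "-s" applies to every source, so it is treated as 0.0.0.0/0.
    """
    for line in nat_dump.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src = re.search(r"-s (\S+)", m.group("opts"))
        net = ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0",
                                   strict=False)
        yield net, m.group("target")


def uncovered_real_servers(nat_dump: str, real_servers):
    """Return the real servers that no POSTROUTING SNAT/MASQUERADE rule covers."""
    nets = [net for net, _ in snat_rules(nat_dump)]
    return [rs for rs in real_servers
            if not any(ipaddress.ip_address(rs) in net for net in nets)]


REAL_SERVERS = ["10.0.100.100", "10.0.100.101"]  # from the ldirectord config

if __name__ == "__main__":
    for name, dump in (("without SNAT", NAT_WITHOUT_SNAT),
                       ("with SNAT", NAT_WITH_SNAT)):
        missing = uncovered_real_servers(dump, REAL_SERVERS)
        print(f"{name}: " + ("OK" if not missing
                             else "no SNAT for " + ", ".join(missing)))
```

Feed it the real output of `iptables -t nat -S` on the director to get the same report for a live box.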