> Do you mean cluster of VPN gateways behind LVS
> router, LVS schedules the VPN clients to different
> VPN gateways/servers?
Yes, exactly - sorry that it wasn't really clear.
I just 'stole' the picture from Axel Kuester and modified it to my needs.
                'target' subnets
                       |
              +------------------+
              |    Director A    |
              +------------------+
                 |            |
        +--------------+  +--------------+
        |  Real Server |  |  Real Server |
        |  IPsec term. |  |  IPsec term. |
        +--------------+  +--------------+
                 |            |
              +------------------+
              |    Director B    |
              +------------------+
                       |
          insecure connection e.g. Internet
                       |
                +-----+------+
                |            |
        +--------------+  +--------------+
        |  IPSec term. |  |  IPSec term. |
        +--------------+  +--------------+
                 |            |
        +--------------+  +--------------+
        | many Subnets |  | many Subnets |
        +--------------+  +--------------+
I want to make it possible to have a secure connection from the 'many
Subnets' to the 'target subnets'.
Maybe one Director is enough, but I liked the approach with one Director
for each direction.
> If yes, may be such setup will need a VPN
> Masquerade software (ISAKMP+ESP) for NAT?
I'm not sure what you're talking about. Sorry. Where do you think the
NAT could be?
> May be it is possible by adding ESP support to LVS
> to define fwmark-based persistent virtual service that can
> forward ISAKMP and ESP to the right VPN gateway, all in LVS-DR
> mode? May be even AH can work with LVS-DR? One client goes
> only to one real server. I hope the ESP protocol is not difficult
> to add in LVS. Any thoughts from the IPSec gurus on this list? :)
Sounds like the direction I think of... Maybe connection persistence is
way too much - because each 'IPSEC term.' will support only one tunnel.
Would it be possible to do an IP-based scheduling?
> How exactly you want LVS and Freeswan to cooperate?
Is the picture enough information?
Henrik.
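The fwmark-based persistent virtual service discussed in this exchange, written out as an added example (not from the thread or the LVS project): iptables marks a client's ISAKMP (UDP/500), ESP and AH packets with one fwmark, and a single persistent LVS-DR service keyed on that mark pins each client IP to one IPsec-terminating real server. The VIP 192.0.2.10 and real servers 10.0.0.11/10.0.0.12 are placeholders; the script only prints the commands unless DRY_RUN=0, and it covers Director A's direction only.

```shell
#!/bin/sh
# Added example, not code from the thread. Addresses are placeholders.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 runs them as root.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# lvs_ipsec_rules VIP FWMARK PERSIST_SECONDS RIP...
lvs_ipsec_rules() {
    vip="$1"; mark="$2"; persist="$3"; shift 3

    # 1. Give every packet of an IPsec session for the VIP the same fwmark.
    #    ESP and AH carry no ports, so a port-based virtual service cannot
    #    match them; the fwmark lets IKE and ESP share one service and
    #    therefore one persistence entry.
    run iptables -t mangle -A PREROUTING -d "$vip" -p udp --dport 500 -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -d "$vip" -p esp -j MARK --set-mark "$mark"
    run iptables -t mangle -A PREROUTING -d "$vip" -p ah -j MARK --set-mark "$mark"

    # 2. One virtual service on the fwmark. -p makes the service persistent
    #    per client IP ("IP based scheduling"): all marked packets from one
    #    client keep going to the same gateway. The timeout should outlive
    #    the IPsec SA lifetime, or a rekey may land on the other gateway.
    run ipvsadm -A -f "$mark" -s rr -p "$persist"

    # 3. Real servers in direct-routing mode (-g): the gateway answers the
    #    client directly and the director never sees the ESP payload. Each
    #    real server must also hold the VIP on a non-ARPing interface.
    for rip in "$@"; do
        run ipvsadm -a -f "$mark" -r "$rip" -g
    done
}

# Stand-alone run: print the rule set for the assumed topology.
lvs_ipsec_rules 192.0.2.10 1 3600 10.0.0.11 10.0.0.12
```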