Hello Julian,
Maybe it is possible, by adding ESP support to LVS,
to define a fwmark-based persistent virtual service that can
forward ISAKMP and ESP to the right VPN gateway, all in LVS-DR
mode? Maybe even AH can work with LVS-DR? One client goes
only to one real server. I hope the ESP protocol is not difficult
to add to LVS. Any thoughts from the IPsec gurus on this list? :)
I'm not an IPsec guru, but how do you intend to mark the descrambled ESP
packet and redirect it into the LVS code path? I mean, as a start we
(you) could do ESP support only, which would work for LVS-DR and LVS-NAT.
I don't know if you can dequeue from an ipsec0 device? It's just a
secondary IP IMHO. Check out [1] and Cisco's explanation of ESP and NAT
at [2]. And before you implement it, you should read [3] and [4] :)
/me ducks and runs like hell now!
[1] http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/12/msg00006.html
[2] http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html
[3] http://www.cis.ohio-state.edu/cs/Services/rfc/rfc-text/rfc2709.txt
[4] http://search.ietf.org/internet-drafts/draft-aboba-nat-ipsec-04.txt
Cheers,
Roberto Nibali, ratz
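The fwmark-based setup Julian sketches above (one mark for ISAKMP and ESP, a persistent virtual service, real servers in DR mode) can be expressed as a short script on a present-day IPVS director, where the kernel already carries an ESP/AH handler for fwmark services. This is an added example, not code from the thread or from the LVS project; the VIP, the real-server addresses, the mark value and the persistence timeout are assumptions, and UDP 4500 (NAT-T) and AH are included beyond what the question asks for so that every flow belonging to one IPsec peer carries the same mark. The functions only print the rules; applying them is an explicit, separate step that needs root and ipvsadm.

```shell
#!/bin/sh
# Added example, not part of the original post: LVS-DR for IPsec peers using
# a single fwmark so that ISAKMP, NAT-T, ESP and AH from one client all land
# on the same VPN gateway. All addresses and numbers below are assumptions.

VIP=${VIP:-192.0.2.10}             # assumed virtual IP announced by the director
MARK=${MARK:-10}                   # assumed fwmark shared by all IPsec flows
PERSIST=${PERSIST:-3600}           # assumed persistence timeout in seconds
RS=${RS:-"192.0.2.21 192.0.2.22"}  # assumed real VPN gateways (DR mode)

# Netfilter mangle rules: mark every flow that belongs to an IPsec peer with
# the same value. ESP (proto 50) and AH (proto 51) have no ports, so the mark
# is the only thing that lets IPVS treat them as part of one service.
mark_rules() {
  printf 'iptables -t mangle -A PREROUTING -d %s -p udp --dport 500 -j MARK --set-mark %s\n' "$VIP" "$MARK"
  printf 'iptables -t mangle -A PREROUTING -d %s -p udp --dport 4500 -j MARK --set-mark %s\n' "$VIP" "$MARK"
  printf 'iptables -t mangle -A PREROUTING -d %s -p esp -j MARK --set-mark %s\n' "$VIP" "$MARK"
  printf 'iptables -t mangle -A PREROUTING -d %s -p ah -j MARK --set-mark %s\n' "$VIP" "$MARK"
}

# IPVS rules: one fwmark virtual service, persistent (-p) so a client address
# sticks to one real server, each real server added with -g (direct routing).
ipvs_rules() {
  printf 'ipvsadm -A -f %s -s rr -p %s\n' "$MARK" "$PERSIST"
  for rs in $RS; do
    printf 'ipvsadm -a -f %s -r %s -g -w 1\n' "$MARK" "$rs"
  done
}

# Counts used for sanity checks: 4 mark rules, 1 service + one line per real server.
mark_rule_count() { mark_rules | wc -l | tr -d ' '; }
ipvs_rule_count() { ipvs_rules | wc -l | tr -d ' '; }

# Apply for real (root, iptables and ipvsadm required). Never runs implicitly.
apply_ipsec_lvs() {
  { mark_rules; ipvs_rules; } | sh -e
}

# Default action is a dry run that shows what would be configured.
case "${1:-}" in
  --apply) apply_ipsec_lvs ;;
  *)       mark_rules; ipvs_rules ;;
esac
```

Persistence is keyed on the client address, which is what keeps the ESP and AH datagrams on the same gateway that answered the client's ISAKMP exchange; the real servers still need the usual LVS-DR preparation (the VIP on a non-ARPing interface, and their own IPsec stacks listening on the VIP). Which scheduler is used behind `-s` does not matter for correctness, only for the initial placement of each client.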