
ipvs with ipsec

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: ipvs with ipsec
From: "Farid Sarwari" <fsarwari@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 25 Jul 2006 13:38:09 -0400
Hi all,

I'm having some issues with IPVS and IPsec. When an HTTP client requests
a page, I can see the traffic come all the way to the webserver
(ws1, ws2). However, the return traffic gets to the load balancer but
does not make it through the IPsec tunnel. When doing a tcpdump I can
see that the packets get SNATed by IPVS. I know there is a problem with
ipsec2.6 and SNAT, and I've upgraded my kernel and iptables so now SNAT
with iptables works. But it looks like IPVS is doing its own SNAT, which
doesn't pass through the IPsec tunnel.

Is there a way to tell IPVS not to do SNAT and let iptables take care of
the SNAT? If not, what's the best workaround for this issue?


My setup:


                      HTTP Clients
                       -------
                         |
                          \ -- Ipsec tunnel
                          /
                         |            
                  +------------+
                  |LoadBalancer|
                  |  ipsec2.6  |  
                  |   ipvs     |
                  +------------+
                         |
                        /\
                       /  \
                      /    \
                 +-----+  +-----+
                 | ws1 |  | ws2 |
                 +-----+  +-----+


ldirectord.conf:
virtual=x.x.x.x:80 #<public ip>
        real=y.y.y.1:80 masq
        real=y.y.y.2:80 masq
        checktype=negotiate
        fallback=127.0.0.1:80 masq
        service=http
        request="/"
        receive=" "
        scheduler=wlc
        protocol=tcp

------------------

ipvsadm -ln output:
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  x.x.x.x:80 wlc
  -> y.y.y.1:80            Masq    1      0          0
  -> y.y.y.1:80            Masq    1      0          0

------------------

Software Version #s:
ipvsadm v1.24 2003/06/07 (compiled with popt and IPVS v1.2.0)
Linux Kernel 2.6.16
iptables v1.3.5
ldirectord  version 1.131


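The message above pastes an ldirectord.conf alongside the live ipvsadm -ln table. Before chasing the IPsec/SNAT interaction it is worth confirming the two actually agree, because the posted table lists y.y.y.1:80 twice and y.y.y.2:80 not at all (possibly a paste slip, possibly a real configuration problem). The following script is an added example, not part of the poster's message or of the ldirectord/ipvsadm projects: it parses both texts, reports real servers that are configured but absent (or duplicated) in the IPVS table, and notes every real server running in Masq mode, since in that mode IPVS itself rewrites the reply source back to the VIP rather than leaving that to the iptables nat table. The embedded sample data is copied from the post; the parsers only handle the simple `key=value` and `->` line shapes seen there.

```python
import re

# Constructed sample: the ldirectord.conf fragment exactly as posted.
LDIRECTORD_CONF = """\
virtual=x.x.x.x:80 #<public ip>
        real=y.y.y.1:80 masq
        real=y.y.y.2:80 masq
        checktype=negotiate
        fallback=127.0.0.1:80 masq
        service=http
        request="/"
        receive=" "
        scheduler=wlc
        protocol=tcp
"""

# Constructed sample: the ipvsadm -ln output exactly as posted (y.y.y.1 twice).
IPVSADM_OUTPUT = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  x.x.x.x:80 wlc
  -> y.y.y.1:80            Masq    1      0          0
  -> y.y.y.1:80            Masq    1      0          0
"""


def parse_ldirectord(text):
    """Return {virtual_service: [(real_addr, forwarding_method), ...]}.

    Only 'virtual=' and 'real=' lines are interpreted; the fallback server
    is deliberately ignored because ldirectord only inserts it when every
    real server has failed its check.  '#' starts a comment.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "virtual":
            current = value
            services[current] = []
        elif key == "real" and current is not None:
            parts = value.split()
            method = parts[1].lower() if len(parts) > 1 else "unspecified"
            services[current].append((parts[0], method))
    return services


def parse_ipvsadm(text):
    """Return {virtual_service: [(real_addr, forward, weight), ...]} from ipvsadm -ln."""
    svc_re = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)")
    real_re = re.compile(r"^\s*->\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)")
    services = {}
    current = None
    for line in text.splitlines():
        m = svc_re.match(line)
        if m:
            current = m.group(2)
            services[current] = []
            continue
        m = real_re.match(line)
        if m and current is not None:
            services[current].append((m.group(1), m.group(2).lower(), int(m.group(3))))
    return services


def compare(conf, ipvs):
    """Cross-check configured real servers against the live IPVS table."""
    findings = []
    for vip, reals in conf.items():
        live = ipvs.get(vip)
        if live is None:
            findings.append(f"{vip}: in ldirectord.conf but not in the IPVS table")
            continue
        expected = {addr for addr, _ in reals}
        seen = [addr for addr, _, _ in live]
        for addr in sorted(expected - set(seen)):
            findings.append(f"{vip}: real server {addr} configured but missing from the IPVS table")
        for addr in sorted(set(seen) - expected):
            findings.append(f"{vip}: real server {addr} in the IPVS table but not in ldirectord.conf")
        for addr in sorted(set(seen)):
            if seen.count(addr) > 1:
                findings.append(f"{vip}: real server {addr} listed {seen.count(addr)} times")
        for addr, method, _ in live:
            if method == "masq":
                # NAT mode: IPVS rewrites the reply source to the VIP itself,
                # independently of any iptables nat rules on the director.
                findings.append(f"{vip} -> {addr}: Masq forwarding, IPVS rewrites the reply source")
    return findings


def run_check(conf_text=LDIRECTORD_CONF, ipvs_text=IPVSADM_OUTPUT):
    return compare(parse_ldirectord(conf_text), parse_ipvsadm(ipvs_text))


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Run against the posted data it reports that y.y.y.2:80 is configured but absent from the table, that y.y.y.1:80 appears twice, and that both table entries use Masq forwarding. On a real director feed it the output of `ipvsadm -ln` and the live ldirectord.conf instead of the embedded samples.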