Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.9-42.0.10.ELsmp)
From: "Shaun Mccullagh" <Shaun.Mccullagh@xxxxx>
Date: Tue, 22 May 2007 15:11:51 +0200

First off, many thanks to all those who contribute to Keepalived, first-class
open software!

For the first time I am attempting to use LVS in a WAN environment to
load balance two Web RealServers.

KL is in location A, RS1 in location B and RS2 in location C.

All these locations are geographically separate and all systems have
public IPs.

Having read the documentation it seems TUN is the appropriate choice for

The problem is both Real Servers are running Windows 2003 Server.
Windows 2003 does not support IPIP encapsulation, Win2k used to.

However, both Windows servers sit behind Linux Firewalls which do support
IPIP. So I wondered if I could use the firewalls to decapsulate the IPIP
datagrams and then forward them to the RS.

I've succeeded in getting one tunnel operational. The KL healthchecker
is successfully executing a simple TCP check on Port 80 of RS1 every 20

The problem is the Linux firewall will not forward browser client
requests to RS1. 

Tcpdump shows the requests are being delivered to tun0 on the firewall
connected to RS1:

14:50:42.225285 IP > IP > S 126909974:126909974(0) win 65535 <mss
1260,nop,nop,sackOK> (ipip-proto-4)

Note that is the KL VIP, is the firewall tunnel
address, is the KL tunnel address. I've added an IPTABLES
rule to DNAT all traffic sent to to RS1 (, this
works for the KL TCP check, but not for browser requests.

First question is: Can I use Linux Firewalls in this way?

Second question: If the answer to question one is yes how can I get the
firewall to forward the browser requests to RS1?



The firewall interfaces are configured as follows:

38: eth1.11: 
    inet scope global eth1.11

40: tunl0: <NOARP> mtu 1480 qdisc noop 
    link/ipip brd

42: tun0@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noqueue 
    link/ipip peer
    inet peer scope global tun0  

KL Network Interfaces look like this:

2: eth0: 
    inet brd scope global eth0
    inet scope global secondary eth0
3: eth1: 
    inet brd scope global eth1
    inet scope global secondary eth1
4: tunl0: <NOARP> mtu 1480 qdisc noop 
    link/ipip brd
5: tun0@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noqueue 
    link/ipip peer
    inet peer scope global tun0

KL config:

vrrp_instance VI_0 {
    state MASTER
    interface eth0
    track_interface {
    }
    virtual_router_id 3
    priority 150
    advert_int 10
    authentication {
        auth_type PASS
        auth_pass XXXX
    }
    virtual_ipaddress {
        dev eth1
    }
    virtual_ipaddress_excluded {
        dev eth0
    }
}

virtual_server 80 {
    delay_loop 20
    lb_algo wlc
    lb_kind TUN
    persistence_timeout 86400
    protocol TCP
    real_server 80 {
        weight 1
        TCP_CHECK {
            connect_port 80
            connect_timeout 20
        }
    }
}

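The packet the post's tcpdump line shows ("ipip-proto-4") is an IPv4 header carrying a second IPv4 header, and the firewall has to strip the outer one and then DNAT the inner destination (the VIP) to RS1. The following is an added example, not code from the post, from Keepalived or from LVS: it builds such an IPIP-wrapped SYN from constructed TEST-NET addresses (the post's real addresses were scrubbed; the sequence number and TCP options are copied from the capture), decapsulates it the way the firewall's tunnel interface does, and applies the DNAT rewrite. It also recomputes the TCP checksum, whose pseudo-header covers the destination address, which is the part a hand-written forwarder most often gets wrong and which netfilter handles for you. All address constants are assumptions for the demonstration.

```python
import socket
import struct

# Constructed addresses (assumptions, TEST-NET ranges); the post's real addresses were scrubbed.
KL_TUNNEL = "192.0.2.1"      # director (KL) end of the IPIP tunnel
FW_TUNNEL = "192.0.2.2"      # firewall end of the tunnel (tun0 in the post)
CLIENT = "198.51.100.7"      # browser client
VIP = "203.0.113.10"         # keepalived VIP the client connects to
RS1 = "10.0.0.5"             # Windows real server behind the firewall
IPPROTO_IPIP = 4
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 when data already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (zero the field to compute, keep it to verify)."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return inet_checksum(pseudo + segment)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """TCP SYN, window 65535, with the options seen in the post's capture: mss 1260, nop, nop, sackOK."""
    opts = bytes([2, 4, 0x04, 0xEC, 1, 1, 4, 2])
    doff = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    return hdr[:16] + struct.pack("!H", tcp_checksum(src, dst, hdr)) + hdr[18:]


def parse_ipv4(buf: bytes) -> dict:
    """Parse and validate an IPv4 header; the payload is trimmed to the header's total length."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 packet")
    vihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or total_len < ihl or total_len > len(buf):
        raise ValueError("malformed IPv4 header")
    if inet_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "ttl": ttl, "ihl": ihl, "payload": buf[ihl:total_len]}


def decapsulate_ipip(buf: bytes) -> tuple:
    """Strip the outer IPIP header (protocol 4) as the firewall's tunnel interface does; returns (outer, inner)."""
    outer = parse_ipv4(buf)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IPIP (proto 4)")
    return outer, parse_ipv4(outer["payload"])


def dnat(packet: bytes, new_dst: str) -> bytes:
    """Rewrite the destination (VIP -> RS1) like the post's iptables DNAT rule, fixing both the IPv4
    header checksum and the TCP checksum (its pseudo-header includes the destination address)."""
    p = parse_ipv4(packet)
    hdr = bytearray(packet[:p["ihl"]])
    hdr[16:20] = socket.inet_aton(new_dst)
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, inet_checksum(bytes(hdr)))
    seg = bytearray(p["payload"])
    if p["proto"] == IPPROTO_TCP and len(seg) >= 20:
        seg[16:18] = b"\x00\x00"
        struct.pack_into("!H", seg, 16, tcp_checksum(p["src"], new_dst, bytes(seg)))
    return bytes(hdr) + bytes(seg)


def tcp_checksum_ok(p: dict) -> bool:
    """True when the TCP segment of a parsed IPv4 packet has a valid checksum for its current addresses."""
    return p["proto"] == IPPROTO_TCP and tcp_checksum(p["src"], p["dst"], p["payload"]) == 0


def example_packet() -> bytes:
    """What arrives on the firewall's tunnel: KL -> FW outer header wrapping a CLIENT -> VIP:80 SYN."""
    syn = build_tcp_syn(CLIENT, VIP, 40000, 80, 126909974)   # sequence number from the post's capture
    return build_ipv4(KL_TUNNEL, FW_TUNNEL, IPPROTO_IPIP, build_ipv4(CLIENT, VIP, IPPROTO_TCP, syn))


if __name__ == "__main__":
    outer, inner = decapsulate_ipip(example_packet())
    print("outer %s > %s proto %d" % (outer["src"], outer["dst"], outer["proto"]))
    print("inner %s > %s proto %d" % (inner["src"], inner["dst"], inner["proto"]))
    fwd = parse_ipv4(dnat(outer["payload"], RS1))
    print("after DNAT: %s > %s, tcp checksum ok=%s" % (fwd["src"], fwd["dst"], tcp_checksum_ok(fwd)))
```

Note what the inner packet still carries after the rewrite: the client's source address. RS1's reply will therefore go straight back to the client with the RS address as source unless the firewall also SNATs, or the real server answers from the VIP, which is why a DNAT alone behaves differently for the director's health check (source is the director) than for a browser whose source is out on the Internet.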