Re: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: Using Keepalived on a WAN with Tunneling (keepalived-1.1.13, Kernel 2.6.9-42.0.10.ELsmp)
From: Joseph Mack NA3T <jmack@xxxxxxxx>
Date: Tue, 22 May 2007 11:22:06 -0700 (PDT)
On Tue, 22 May 2007, Shaun Mccullagh wrote:

> KL is in location A, RS1 in location B and RS2 in location C.

KL == client?, keepalived?

> All these locations are geographically separate and all systems have
> public IPs.

for production, for security, you don't want anyone to access the realservers directly - use private IPs.

> The problem is both Real Servers are running Windows 2003 Server.
> Windows 2003 does not support IPIP encapsulation, Win2k used to.

> However both Windows servers sit behind Linux Firewalls which do support
> IPIP. So I wondered if I could use the firewalls to decapsulate the IPIP
> datagrams and then forward them to the RS.

I don't know how to do it, but Linux is supposed to be able to do this sort of thing. You're going to have to find an iptables master. Maybe someone on this list knows, but otherwise, you might have to join another mailing list for the answer. After decapsulation on the firewall, you'll have a packet with dest_addr==VIP in local_in and you'll have to forward it to the output chain.

> I've succeeded in getting one tunnel operational. The KL healthchecker
> is successfully executing a simple TCP check on Port 80 of RS1 every 20

> The problem is the Linux firewall will not forward browser client
> requests to RS1.

> Tcpdump shows the requests are being delivered to tun0 on the firewall
> connected to RS1:
>
> 14:50:42.225285 IP > IP > S 126909974:126909974(0) win 65535 <mss
> 1260,nop,nop,sackOK> (ipip-proto-4)

> Note that is the KL VIP, is the firewall tunnel
> address, is the KL tunnel address. I've added an IPTABLES
> rule to DNAT all traffic sent to to RS1 (, this
> works for the KL TCP check, but not for browser requests.

RS1 will need the VIP with the service listening on the VIP,

the firewall will need a route to the VIP (which is on RS1)

the firewall will need a rule on the firewall to forward packets with dest_addr=VIP to the output chain.

RS1 will reply to the client directly (presumably through the firewall, but the reply packet should traverse the firewall untouched by any rules).


Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at
Homepage It's GNU/Linux!
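The firewall-side configuration that the reply above sketches (tunnel terminated on the Linux firewall, a route for the VIP pointing at the realserver, forwarding allowed for packets to the VIP, reply leaving untouched), written out as an added example. This is not code from the thread or from the LVS/keepalived projects; every address, interface name and the port are hypothetical placeholders, and it assumes the Windows realserver already has the VIP configured so it answers clients with source VIP. By default it only prints the commands it would run (DRY_RUN=1); set DRY_RUN=0 and pass "apply" to execute them as root.

```shell
#!/bin/sh
# Added example, not from the original post: terminate an LVS-Tun IPIP tunnel
# on a Linux firewall in front of a realserver that cannot decapsulate IPIP
# itself.  All addresses and interface names are hypothetical placeholders.
VIP=${VIP:-203.0.113.10}           # keepalived VIP (inner dst after decapsulation)
DIRECTOR=${DIRECTOR:-198.51.100.1} # director's tunnel endpoint (outer src)
FW_PUB=${FW_PUB:-192.0.2.1}        # firewall's public address (outer dst)
RS_PRIV=${RS_PRIV:-10.0.0.5}       # realserver on the firewall's LAN; VIP is configured on it
LAN_IF=${LAN_IF:-eth1}             # firewall interface facing the realserver
TUN_IF=${TUN_IF:-tun0}             # tunnel device name on the firewall
PORT=${PORT:-80}                   # service port being load balanced

is_ipv4() {
  # Accept only dotted-quad addresses whose four octets are each in 0..255.
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for o in "$1" "$2" "$3" "$4"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

run() {
  # DRY_RUN=1 (the default) prints each command instead of executing it, so
  # the resulting rule set can be reviewed before it is applied as root.
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

firewall_tun_setup() {
  for a in "$VIP" "$DIRECTOR" "$FW_PUB" "$RS_PRIV"; do
    is_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
  done
  # 1. Terminate the director's IPIP tunnel on the firewall.
  run ip tunnel add "$TUN_IF" mode ipip remote "$DIRECTOR" local "$FW_PUB"
  run ip link set "$TUN_IF" up
  # 2. A decapsulated packet still carries the client's source address, which
  #    is not reachable via the tunnel device; with reverse-path filtering on,
  #    the kernel drops it silently.  Newer kernels take the max of "all" and
  #    the per-interface setting, so clear both, and enable forwarding.
  run sysctl -w net.ipv4.conf.all.rp_filter=0
  run sysctl -w "net.ipv4.conf.$TUN_IF.rp_filter=0"
  run sysctl -w net.ipv4.ip_forward=1
  # 3. The VIP lives on the realserver, so route it there (no DNAT): the
  #    realserver then answers the client directly with source VIP.
  run ip route add "$VIP/32" via "$RS_PRIV" dev "$LAN_IF"
  # 4. Allow the decapsulated request in and the realserver's reply back out.
  run iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -d "$VIP" -p tcp --dport "$PORT" -j ACCEPT
  run iptables -A FORWARD -i "$LAN_IF" -s "$VIP" -p tcp --sport "$PORT" -j ACCEPT
  # 5. If the LAN is masqueraded, the reply must still leave with source VIP
  #    rather than the firewall's address: exempt it ahead of any SNAT rule.
  run iptables -t nat -I POSTROUTING -s "$VIP" -j ACCEPT
}

if [ "${1:-}" = apply ]; then
  firewall_tun_setup
fi
```

To confirm the path end to end, watch both sides of the firewall: `tcpdump -ni tun0` should show the decapsulated SYN with destination VIP, and `tcpdump -ni eth1 host 203.0.113.10` should show it leaving towards the realserver and the SYN/ACK coming back with source VIP. If only the first appears, check `ip route get 203.0.113.10` on the firewall and the rp_filter values above before touching the iptables rules.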
