Re: [lvs-users] Load-balancing IPSec

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Re: [lvs-users] Load-balancing IPSec
From: Khosrow Ebrahimpour <khosrow.ebrahimpour@xxxxxxxxxxxxx>
Date: Thu, 22 May 2014 17:17:08 -0400
Hi Bernd,

I noticed a couple of things, which are hopefully useful.

On 05/19/2014 10:27 AM, Bernd wrote:
> Hi List,
>
> I'm about to try something like this:
>
>                               +----------+       +------------------+    /------ IPSec terminator 1 (10.0.100.100)
> Road warriors (Clients) <---> | internet | <---> | LVS (ldirectord) | ====
>                               +----------+       +-------(NAT)------+    \------ IPSec terminator 2 (10.0.100.101)
>
> Read: Road warriors connect to a LVS machine (managed by ldirectord)
> which in turn forwards IPSec to backend (real) servers.
>
> Hence NAT is being used, only ESP may work (if at all), as NAT destroys
> AH. I'm using fwmarks, as it should be as transparent as possible.
>
> ldirectord.cf:
>
> virtual=1
>           real=10.0.100.100 masq
>           real=10.0.100.101 masq
>           service=none
>           scheduler=wlc
>           protocol=fwm
>           checktype=ping
>           # checktype=connect
>           # checkport=500
>
> iptables is configured accordingly:
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  0.0.0.0/0            10.0.100.100         MARK set 0x1
> MARK       all  --  0.0.0.0/0            10.0.100.101         MARK set 0x1
>
> and
>
> # IPSec
> -A INPUT -p 50 -j ACCEPT
> -A INPUT -p 51 -j ACCEPT
>
> # IPSec/IKE
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT

If you're using NAT, I don't see a SNAT so that the real servers can 
talk to the outside world. What is the output of the "iptables -L -t 
nat" command?

>
> Usual stuff (net.ipv4.ip_forward = 1, net.ipv4.conf.eth0.arp_ignore = 1,
> net.ipv4.conf.eth0.arp_announce = 2) is also in place.

If you're doing NAT, why do you need the arp_ignore and arp_announce? As 
far as I know you only need that if you're doing LVS-DR.


>
> However, although ldirectord sees the terminators up and running,
> nothing happens when trying to initiate an IKE.
>
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>     -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> FWM  1 wlc
>     -> 10.0.100.100:0                Masq    1      0          0
>     -> 10.0.100.101:0                Masq    1      0          0
>
> Any idea what may be wrong here? I see packets coming in on the front
> door, but nothing happens after this.
>
> Is it even possible to "load balance" IPSec this way?
>
> Best regards,
>
> Bernd
>
>

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
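Added example, not part of the thread and not ldirectord or LVS project code: an offline audit of the three things the exchange above turns on for an LVS-NAT fwmark setup in front of IPsec terminators. It parses iptables-save style text and reports (a) whether IKE (udp/500), NAT-T (udp/4500) and ESP (protocol 50) to the director address actually receive the fwmark that the IPVS virtual service keys on, (b) whether the POSTROUTING SNAT/MASQUERADE Khosrow asks about exists for the real-server subnet, and (c) whether AH (protocol 51) is being let in even though, as Bernd notes, NAT destroys it. The rule sets in the block are constructed to mirror the thread's listings in iptables-save form, not captured from a real director; the public director address 198.51.100.10 is an assumption, since the thread does not give one.

```python
# Added example for this thread (not Bernd's configuration, ldirectord, or
# LVS project code): offline audit of an LVS-NAT fwmark + IPsec setup.
import ipaddress
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Flows a road-warrior IPsec setup must get marked so IPVS sees them: IKE,
# NAT-T and ESP.  AH is not required: NAT rewrites the header AH authenticates.
REQUIRED_FLOWS = (("udp", 500), ("udp", 4500), ("esp", None))
PROTO_NAMES = {"6": "tcp", "17": "udp", "50": "esp", "51": "ah"}

# Constructed sample rule sets in iptables-save form, mirroring the thread's
# listings (not captured from a real director).
SAMPLE_MANGLE = """*mangle
-A PREROUTING -d 10.0.100.100/32 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -d 10.0.100.101/32 -j MARK --set-xmark 0x1/0xffffffff
COMMIT"""
SAMPLE_NAT = "*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT"          # no SNAT at all
SAMPLE_NAT_FIXED = "*nat\n-A POSTROUTING -s 10.0.100.0/24 -o eth0 -j MASQUERADE\nCOMMIT"
SAMPLE_FILTER = """*filter
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
COMMIT"""

@dataclass
class Rule:
    chain: str
    proto: str = "all"
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    target: str = ""
    extra: Dict[str, Optional[str]] = field(default_factory=dict)  # target options

def parse_rules(text: str) -> List[Rule]:
    """Parse the '-A CHAIN ...' lines of iptables-save output into Rule objects."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line.strip())
        if len(tok) < 2 or tok[0] != "-A" or "!" in tok:
            continue                      # table/chain/COMMIT lines; negated matches not modelled
        r, i = Rule(chain=tok[1]), 2
        while i < len(tok):
            opt = tok[i]
            has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
            val = tok[i + 1] if has_val else None
            if opt == "-p":
                r.proto = PROTO_NAMES.get(val, val).lower()
            elif opt == "-s":
                r.src = ipaddress.ip_network(val, strict=False)
            elif opt == "-d":
                r.dst = ipaddress.ip_network(val, strict=False)
            elif opt == "--dport":
                r.dport = int(val)
            elif opt == "-j":
                r.target = val
            elif opt.startswith("--"):    # --set-xmark, --to-source, ...
                r.extra[opt[2:]] = val
            i += 2 if has_val else 1      # -m/-i/-o and their values are ignored
        rules.append(r)
    return rules

def mark_of(rule: Rule) -> Optional[int]:
    """Mark value set by a MARK rule ('0x1/0xffffffff' -> 1), else None."""
    if rule.target != "MARK":
        return None
    val = rule.extra.get("set-xmark") or rule.extra.get("set-mark")
    return int(val.split("/")[0], 0) if val else None

def fwmark_coverage(mangle_rules: List[Rule], mark: int, vip: str) -> Dict[str, bool]:
    """For each required IPsec flow: does traffic to `vip` get `mark` in PREROUTING?"""
    addr, report = ipaddress.ip_address(vip), {}
    for proto, dport in REQUIRED_FLOWS:
        hit = False
        for r in mangle_rules:
            if r.chain != "PREROUTING" or mark_of(r) != mark:
                continue
            if r.proto not in ("all", proto) or (r.dport is not None and r.dport != dport):
                continue
            if r.dst is None or addr in r.dst:
                hit = True
        report[f"{proto}/{dport or '-'}"] = hit
    return report

def has_return_path_nat(nat_rules: List[Rule], real_subnet: str) -> bool:
    """LVS-NAT real servers need a POSTROUTING SNAT/MASQUERADE to reach the outside."""
    net = ipaddress.ip_network(real_subnet)
    return any(r.chain == "POSTROUTING" and r.target in ("SNAT", "MASQUERADE")
               and (r.src is None or r.src.overlaps(net)) for r in nat_rules)

def ah_accepted(filter_rules: List[Rule]) -> bool:
    """AH (proto 51) is let in; behind NAT it cannot verify, so only ESP can work."""
    return any(r.proto == "ah" and r.target == "ACCEPT" for r in filter_rules)

def audit(mangle: str, nat: str, filt: str, mark: int, vip: str, real_subnet: str) -> List[str]:
    """Run all checks; an empty list means nothing obviously wrong."""
    findings = []
    for flow, ok in fwmark_coverage(parse_rules(mangle), mark, vip).items():
        if not ok:
            findings.append(f"{flow} to {vip} never gets fwmark {mark}, so IPVS will not see it")
    if not has_return_path_nat(parse_rules(nat), real_subnet):
        findings.append(f"no POSTROUTING SNAT/MASQUERADE for {real_subnet}: real servers cannot reach the outside")
    if ah_accepted(parse_rules(filt)):
        findings.append("AH (proto 51) accepted, but NAT rewrites the header AH authenticates; expect only ESP to work")
    return findings
```

Run it as `audit(SAMPLE_MANGLE, SAMPLE_NAT, SAMPLE_FILTER, 1, vip, "10.0.100.0/24")` once with a real-server address as `vip` and once with the address the road warriors actually dial; the first pass shows the missing SNAT and the AH caveat, the second additionally shows which flows the MARK rules fail to cover for that address. On a live director feed it `iptables-save -t mangle`, `iptables-save -t nat` and `iptables-save -t filter` output instead of the constructed strings.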
