Hi,
I've got a network with the following (slightly strained, and simplified)
configuration:
remote network, 10.0.5.0/24
|
| IPSEC tunnel
|
router, firewall, LVS 192.168.1.1, subnet 192.168.1.0/24
|
|
|
real server 192.168.1.7
Now my problem is that connections from the remote network to load balanced
ports on the VPN fail in a very weird way. Things that work are:
- telnet to 192.168.1.7 from inside the 192.168.1.0/24 network on any port
- telnet to 192.168.1.7 from the remote network on any port OTHER than the
load balanced ports
It all goes pear-shaped when you try to connect from the IPSEC machine
though. Now I don't know enough about how LVS+NAT works internally to
figure this out, so I was wondering if someone would be kind enough to
explain it to me, or point me at the relevant documents so I can figure it
out. I'm assuming that LVS is mangling the packets, thinking erroneously
that they are part of a load balanced connection. If there is anyway around
it that would be great, if not I'll simply assign an additional IP to the
real servers, and use that for my nefarious purposes.
The TCP dump weirdness kind of proves the point:
09:27:31.826109 10.0.5.10.2997 > 192.168.1.7.smtp: S
3861834395:3861834395(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:27:31.826491 10.0.5.10.2997 > 192.168.1.7.smtp: S
3861834395:3861834395(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:27:31.826679 192.168.1.7.smtp > 10.0.5.10.2997: S 685229547:685229547(0)
ack 3861834396 win 17520 <mss 1460,nop,nop,sackOK> (DF)
09:27:31.826840 192.168.1.1 > 192.168.1.7: icmp: 10.0.5.10 tcp port 2997
unreachable [tos 0xc0]
09:27:34.743906 10.0.5.10.2997 > 192.168.1.7.smtp: S
3861834395:3861834395(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:27:34.744282 10.0.5.10.2997 > 192.168.1.7.smtp: S
3861834395:3861834395(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:27:34.744439 192.168.1.7.smtp > 10.0.5.10.2997: . ack 1 win 17520 (DF)
09:27:34.744582 192.168.1.1 > 192.168.1.7: icmp: 10.0.5.10 tcp port 2997
unreachable [tos 0xc0]
09:27:35.043982 192.168.1.7.smtp > 10.0.5.10.2997: S 685229547:685229547(0)
ack 3861834396 win 17520 <mss 1460,nop,nop,sackOK> (DF)
09:27:35.044124 192.168.1.1 > 192.168.1.7: icmp: 10.0.5.10 tcp port 2997
unreachable [tos 0xc0]
09:27:40.743912 10.0.5.10.2997 > 192.168.1.7.smtp: S
3861834395:3861834395(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:27:40.744221 10.0.5.10.2997 > 192.168.1.7.smtp: S
3861834395:3861834395(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
09:27:40.744384 192.168.1.7.smtp > 10.0.5.10.2997: . ack 1 win 17520 (DF)
09:27:40.744530 192.168.1.1 > 192.168.1.7: icmp: 10.0.5.10 tcp port 2997
unreachable [tos 0xc0]
09:27:41.606466 192.168.1.7.smtp > 10.0.5.10.2997: S 685229547:685229547(0)
ack 3861834396 win 17520 <mss 1460,nop,nop,sackOK> (DF)
09:27:41.606595 192.168.1.1 > 192.168.1.7: icmp: 10.0.5.10 tcp port 2997
unreachable [tos 0xc0]
16 packets received by filter
0 packets dropped by kernel
(this is from a timed out telnet on port 25).
It starts off well enough, and then at some point the router starts sending
TCP port unreachable messages out, which is completely mystifying to me.
Thanks in advance,
Mark
|