[lvs-users] ipsec + lvs-nat not working

To:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject:	[lvs-users] ipsec + lvs-nat not working
From:	Sebastien COUPPEY <sebastien.couppey@xxxxxxxx>
Date:	Thu, 16 Oct 2008 12:42:06 +0200

Hello,

I am facing a problem with ipsec+lvs-nat on the same server.

I looks strange to me that the cohabitation is not working.
 

client : 10.44.0.254
 |
gw ipsec
 |
... internet
 |
gw ipsec
+
lvs-NAT
 |
Real server 10.0.1.60


the vip is on the loopback interface.

virtual=10.4.0.30:80
        real=10.0.1.60:80 masq
        real=10.0.1.61:80 masq
        service=http
        protocol=tcp
        checktype=on


Here are some tcpdump performed on any interfaces of the server
(ipsecOpenswan + lvs-nat):

11:38:21.960702 IP 10.44.0.254.37580 > 10.4.0.30.http: S 139580667:139580667(0) 
win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960748 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) 
win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960759 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) 
win 5840 <mss 1460,sackOK,timestamp 3582473920 0,nop,wscale 5>
11:38:21.960782 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) 
ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179041601 
3582473920,nop,wscale 7> 
11:38:24.960697 IP 10.44.0.254.37580 > 10.4.0.30.http: S 139580667:139580667(0) 
win 5840 <mss 1460,sackOK,timestam  35824769200,nop,wscale 5>
11:38:24.960729 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) 
win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960731 IP 10.44.0.254.37580 > 10.0.1.60.http: S 139580667:139580667(0) 
win 5840 <mss 1460,sackOK,timestamp 3582476920 0,nop,wscale 5>
11:38:24.960830 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) 
ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179044601 
3582473920,nop,wscale 7>
11:38:25.938946 IP 10.0.1.60.http > 10.44.0.254.37580: S 18321862:18321862(0) 
ack 139580668 win 5792 <mss 1460,sackOK,timestamp 3179045580 
3582473920,nop,wscale 7>


The only error I see is : 

11:41:36.206761 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, 
length 68
11:41:36.206768 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, 
length 68
11:41:36.206773 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, 
length 68


However I can ping the client from the Server :

# ping -I 10.4.0.30 10.44.0.254
PING 10.44.0.254 (10.44.0.254) from 10.4.0.30 : 56(84) bytes of data.
64 bytes from 10.44.0.254: icmp_seq=1 ttl=63 time=37.7 ms
64 bytes from 10.44.0.254: icmp_seq=2 ttl=63 time=36.7 ms

So I don't see my missing point.

Does someone realized such architecture ?

Thanks a lot for any tips.

<Prev in Thread]	Current Thread	[Next in Thread>
[lvs-users] ipsec + lvs-nat not working, Sebastien COUPPEY <= Re: [lvs-users] ipsec + lvs-nat not working, Joseph Mack NA3T Re: [lvs-users] ipsec + lvs-nat not working, Thomas Pedoussaut Re: [lvs-users] ipsec + lvs-nat not working, Sebastien COUPPEY Re: [lvs-users] ipsec + lvs-nat not working, Sebastien COUPPEY Re: [lvs-users] ipsec + lvs-nat not working, Joseph Mack NA3T Re: [lvs-users] ipsec + lvs-nat not working, Sebastien COUPPEY Re: [lvs-users] ipsec + lvs-nat not working, Joseph Mack NA3T Re: [lvs-users] ipsec + lvs-nat not working, kwijibo Re: [lvs-users] ipsec + lvs-nat not working, Joseph Mack NA3T Re: [lvs-users] ipsec + lvs-nat not working, Sebastien COUPPEY

Previous by Date:	Re: [lvs-users] RX Packet drops on high traffic LVS in DR setup, Sashi Kant
Next by Date:	Re: [lvs-users] ipsec + lvs-nat not working, Joseph Mack NA3T
Previous by Thread:	[lvs-users] Question regarding LVS/DR setup, Erik Weber
Next by Thread:	Re: [lvs-users] ipsec + lvs-nat not working, Joseph Mack NA3T
Indexes:	[Date] [Thread] [Top] [All Lists]