[lvs-users] LVS-DR and IPSec

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: [lvs-users] LVS-DR and IPSec
From: WorkingMan <signup_mail2002@xxxxxxxxx>
Date: Mon, 18 Nov 2013 21:52:03 +0000 (UTC)
I have been looking around for an answer to see if LVS-DR would work with load balancing VPN (IPSec and PPTP; so UDP 500 and TCP 1723), and the connection has to persist (after a client is connected to the server, the route can't be load balanced to another server). I haven't found any definitive answer for this setup and I hope someone can tell me which method to use and maybe potential issues I may face.

I was hoping I could use LVS-DR, although the initial setup didn't work, so I am not sure if it's possible.

<Client> ---> <Director> 
                   |
             <VPN1>..<VPN2>
                  |
               <Proxy>

Note: traffic currently goes from proxy to VPN then to client, so it shouldn't make a difference for LVS-DR, but just in case it causes an issue for routing traffic: right now I am using policy based routing to move http to the proxy, and I am not sure if that will break now. The above setup is currently working without load balancing. Everything is in Amazon's VPC (hopefully not an issue).

First of all I didn't see any sample configuration for VPN IPSec so I use 
service=none (is that ok?).

ldirectord.cf

VIP=<public facing IP>
RS1=<VPN server>

checktimeout=10
checkinterval=2
autoreload=no
logfile="local0"
quiescent=no
virtual=VIP:500
        real=RS1:500 gate
        service=none
        scheduler=rr
        persistent=600
        protocol=udp
        request="director.html"
        receive="I'am alive!"
        checktype=negotiate

ipvsadm -C
ipvsadm -A -u $VIP:500 -p 3600 -s wrr
ipvsadm -a -u $VIP:500 -r $RS1 -g -w 1


sysctl on director:
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0

sysctl on VPN (took some from HOWTO)
net.ipv4.conf.default.rp_filter = 1 (enabled only because of accept_local)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.accept_local = 1

I read that ip aliases won't work anymore (although I created them successfully anyway, Ubuntu 13). I also added a route to the VIP via "ip route add".

Added alias on director:

auto eth0:0
iface eth0:0 inet static
        address <VIP>
        netmask 255.255.255.248
        network 10.0.0.0
        gateway 10.0.0.1
        broadcast 10.0.0.255

Added alias on VPN:

auto lo:0
iface lo:0 inet static
    address <VIP>
    netmask 255.255.255.255
    pre-up sysctl -p > /dev/null

No iptables rules on the director. Some rules on VPN, but nothing that rejects traffic (one MASQUERADE for 0.0.0.0/0, mark port 80 traffic for routing to proxy).

I see this in the VPN side:

DIP = director's IP (in my case private IP for the server)

<director's MAC> <VPN's MAC>, IPv4, length 590: <DIP> > <VPN private IP>: ICMP <DIP> udp port 500 unreachable, length 556

In VPN's syslog I see:
device eth0 entered promiscuous mode
device eth0 left promiscuous mode

I assume that is causing the connection to fail. From the client it says "VPN server did not response". There is no log on the VPN server, so no connection was initiated yet (it fails before that), but UDP 500 does get to the VPN server (maybe it got dropped; if I disable rp_filter (rp_filter=0), accept_local=1 won't take effect; it seems I need another way to get around the martian problem?).

Thanks,


_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
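One way to get the per-client persistence the post asks about is to group the VPN ports behind a single firewall mark, so that a client's UDP 500 and TCP 1723 flows share one IPVS persistence template and always land on the same real server. The script below is an added example and is not from the original post or from the LVS project; the VIP, real-server addresses and fwmark value are constructed placeholders, and it prints the commands it would run unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not part of the original post): LVS-DR for the two VPN ports
# named in the post (UDP 500 for IPSec IKE, TCP 1723 for PPTP), grouped under
# one firewall mark so IPVS persistence covers both ports for a given client.
# All addresses and the mark value below are constructed placeholders.
VIP="${VIP:-203.0.113.10}"   # placeholder public-facing VIP
FWMARK="${FWMARK:-100}"      # arbitrary mark number; must match on both sides
PERSIST="${PERSIST:-3600}"   # persistence timeout in seconds (post uses -p 3600)
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands only; 0 = execute (needs root)

# run: print the command in dry-run mode, otherwise execute it verbatim.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# On the director: mark packets addressed to the VIP on the two VPN ports.
# IPVS then sees a single fwmark service instead of two port-based ones, and a
# persistence entry created by the client's IKE packet also applies to PPTP.
mark_vpn_ports() {
    run iptables -t mangle -A PREROUTING -d "$VIP" -p udp --dport 500 \
        -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A PREROUTING -d "$VIP" -p tcp --dport 1723 \
        -j MARK --set-mark "$FWMARK"
}

# On the director: one persistent fwmark service, each real server in DR
# (gatewaying, -g) mode, as in the post's ipvsadm lines. Arguments: RS IPs.
director_rules() {
    run ipvsadm -C
    run ipvsadm -A -f "$FWMARK" -s wrr -p "$PERSIST"
    for rs in "$@"; do
        run ipvsadm -a -f "$FWMARK" -r "$rs" -g -w 1
    done
}

# On each real server: hold the VIP on lo without answering ARP for it, the
# standard LVS-DR real-server settings (arp_ignore=1, arp_announce=2).
realserver_rules() {
    run sysctl -w net.ipv4.conf.all.arp_ignore=1
    run sysctl -w net.ipv4.conf.all.arp_announce=2
    run sysctl -w net.ipv4.conf.lo.arp_ignore=1
    run sysctl -w net.ipv4.conf.lo.arp_announce=2
    # "ip addr" replaces the ifupdown lo:0 alias stanza shown in the post.
    run ip addr add "$VIP/32" dev lo label lo:0
}

# Usage: sh lvs-vpn-dr.sh        (prints the director and real-server commands)
#        DRY_RUN=0 sh lvs-vpn-dr.sh   (applies them; run the director part on
#        the director and the real-server part on each VPN host)
mark_vpn_ports
director_rules "${RS1:-10.0.0.11}" "${RS2:-10.0.0.12}"
realserver_rules
```

The mark value and persistence timeout can be anything consistent; what matters is that every port belonging to one VPN session is marked with the same number, otherwise IPVS keeps a separate persistence template per service and a client's second protocol can be scheduled to a different real server. IPSec and PPTP also move traffic outside these two ports (ESP, IP protocol 50, and GRE, protocol 47); the post does not cover those, and this example marks only the ports it names.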
