I have been looking around for an answer to see if LVS-DR would work with
load
balancing VPN (IPSec and PPTP; so UDP 500 and TCP 1723) and connection has
to
persist (after client is connected to the server route can't be load
balanced to
another server). I haven't found any definitive answer for this setup and I
hope
someone can tell me which method to use and maybe potential issues I may
face.
I was hoping I could use LVS-DR although initial setup didn't work so I am
not
sure if it's possible.
<Client> ---> <Director>
|
<VPN1>..<VPN2>
|
<Proxy>
Note: traffic goes from proxy to VPN then to client currently so it
shouldn't
make a difference for LVS-DR but just in case it cause issue for routing
traffic
since right now I am using policy based routing to move http to proxy not
sure
if that will break now. Above setup is currently working without load
balancing.
Everything is in Amazon's VPC (hopefully not an issue).
First of all I didn't see any sample configuration for VPN IPSec so I use
service=none (is that ok?).
ldirectord.cf
VIP=<public facing IP>
RS1=<VPN server>
checktimeout=10
checkinterval=2
autoreload=no
logfile="local0"
quiescent=no
virtual=VIP:500
real=RS1:500 gate
service=none
scheduler=rr
persistent=600
protocol=udp
request="director.html"
receive="I'am alive!"
checktype=negotiate
ipvsadm -C
ipvsadm -A -u $VIP:500 -p 3600 -s wrr
ipvsadm -a -u $VIP:500 -r $RS1 -g -w 1
sysctl on director:
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
sysctl on VPN (took some from HOWTO)
net.ipv4.conf.default.rp_filter = 1 (enabled only because of accept_local)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.accept_local = 1
I read that ip alias won't work anymore (although I created them
successfully
anyways, ubuntu 13). I also added route to VIP via "ip route add"
Added alias on director:
auto eth0:0
iface eth0:0 inet static
address <VIP>
netmask 255.255.255.248
network 10.0.0.0
gateway 10.0.0.1
broadcast 10.0.0.255
Added alias on VPN:
auto lo:0
iface lo:0 inet static
address <VIP>
netmask 255.255.255.255
pre-up sysctl -p > /dev/null
no iptables rule on director. Some rule on VPN but nothing that rejects
traffic
(one MASQUERADE for 0.0.0.0/0, mark port 80 traffic for routing to proxy).
I see this in the VPN side:
DIP = director's IP (in my case private IP for the server)
<director's MAC> <VPN's MAC>, IPv4, length 590: <DIP> > <VPN private IP>:
ICMP
<DIP> udp port 500 unreachable, length 556
In VPN's syslog I see
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
I assume that is causing the connection to fail. From client it says "VPN
server
did not response". There is no log in VPN server so no connection was
initiated
yet (fails before that) but UDP 500 does get to VPN server (maybe got
dropped;
if disable rp_filter=0 accept_local-1 won't take effect; seems I need
another
way to get around martian problem?).
Thanks,
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
load
balancing VPN (IPSec and PPTP; so UDP 500 and TCP 1723) and connection has
to
persist (after client is connected to the server route can't be load
balanced to
another server). I haven't found any definitive answer for this setup and I
hope
someone can tell me which method to use and maybe potential issues I may
face.
I was hoping I could use LVS-DR although initial setup didn't work so I am
not
sure if it's possible.
<Client> ---> <Director>
|
<VPN1>..<VPN2>
|
<Proxy>
Note: traffic goes from proxy to VPN then to client currently so it
shouldn't
make a difference for LVS-DR but just in case it cause issue for routing
traffic
since right now I am using policy based routing to move http to proxy not
sure
if that will break now. Above setup is currently working without load
balancing.
Everything is in Amazon's VPC (hopefully not an issue).
First of all I didn't see any sample configuration for VPN IPSec so I use
service=none (is that ok?).
ldirectord.cf
VIP=<public facing IP>
RS1=<VPN server>
checktimeout=10
checkinterval=2
autoreload=no
logfile="local0"
quiescent=no
virtual=VIP:500
real=RS1:500 gate
service=none
scheduler=rr
persistent=600
protocol=udp
request="director.html"
receive="I'am alive!"
checktype=negotiate
ipvsadm -C
ipvsadm -A -u $VIP:500 -p 3600 -s wrr
ipvsadm -a -u $VIP:500 -r $RS1 -g -w 1
sysctl on director:
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
sysctl on VPN (took some from HOWTO)
net.ipv4.conf.default.rp_filter = 1 (enabled only because of accept_local)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.all.accept_local = 1
I read that ip alias won't work anymore (although I created them
successfully
anyways, ubuntu 13). I also added route to VIP via "ip route add"
Added alias on director:
auto eth0:0
iface eth0:0 inet static
address <VIP>
netmask 255.255.255.248
network 10.0.0.0
gateway 10.0.0.1
broadcast 10.0.0.255
Added alias on VPN:
auto lo:0
iface lo:0 inet static
address <VIP>
netmask 255.255.255.255
pre-up sysctl -p > /dev/null
no iptables rule on director. Some rule on VPN but nothing that rejects
traffic
(one MASQUERADE for 0.0.0.0/0, mark port 80 traffic for routing to proxy).
I see this in the VPN side:
DIP = director's IP (in my case private IP for the server)
<director's MAC> <VPN's MAC>, IPv4, length 590: <DIP> > <VPN private IP>:
ICMP
<DIP> udp port 500 unreachable, length 556
In VPN's syslog I see
device eth0 entered promiscuous mode
device eth0 left promiscuous mode
I assume that is causing the connection to fail. From client it says "VPN
server
did not response". There is no log in VPN server so no connection was
initiated
yet (fails before that) but UDP 500 does get to VPN server (maybe got
dropped;
if disable rp_filter=0 accept_local-1 won't take effect; seems I need
another
way to get around martian problem?).
Thanks,
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users