Hi List,
I'm about to try something like this:
+----------+ +------------------+
/------ IPSec terminator 1 (10.0.100.100)
Road warriors (Clients) <---> | internet | <---> | LVS (ldirectord) |
====
+----------+ +-------(NAT)------+
\------ IPSec terminator 2 (10.0.100.101)
Read: Road warriors connect to a LVS machine (managed by ldirectord)
which in turn forwards IPSec to backend (real) servers.
Hence NAT is being used, only ESP may work (if at all), as NAT destroys
AH. I'm using fwmarks, as it should be as transparent as possible.
ldirectord.cf:
virtual=1
real=10.0.100.100 masq
real=10.0.100.101 masq
service=none
scheduler=wlc
protocol=fwm
checktype=ping
# checktype=connect
# checkport=500
iptables is configures accordingly:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- 0.0.0.0/0 10.0.100.100 MARK set
0x1
MARK all -- 0.0.0.0/0 10.0.100.101 MARK set
0x1
and
# IPSec
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
# IPSec/IKE
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
Usual stuff (net.ipv4.ip_forward = 1, net.ipv4.conf.eth0.arp_ignore = 1,
net.ipv4.conf.eth0.arp_announce = 2) is also in place.
However, although ldirectord sees the terminators up and running,
nothing happens when trying to initiate an IKE.
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 1 wlc
-> 10.0.100.100:0 Masq 1 0 0
-> 10.0.100.101:0 Masq 1 0 0
Any idea what may be wrong here? I see packets coming in on the front
door, but nothing happens after this.
Is it even possible to "load balance" IPSec this way?
Best regards,
Bernd
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users
I'm about to try something like this:
+----------+ +------------------+
/------ IPSec terminator 1 (10.0.100.100)
Road warriors (Clients) <---> | internet | <---> | LVS (ldirectord) |
====
+----------+ +-------(NAT)------+
\------ IPSec terminator 2 (10.0.100.101)
Read: Road warriors connect to a LVS machine (managed by ldirectord)
which in turn forwards IPSec to backend (real) servers.
Hence NAT is being used, only ESP may work (if at all), as NAT destroys
AH. I'm using fwmarks, as it should be as transparent as possible.
ldirectord.cf:
virtual=1
real=10.0.100.100 masq
real=10.0.100.101 masq
service=none
scheduler=wlc
protocol=fwm
checktype=ping
# checktype=connect
# checkport=500
iptables is configures accordingly:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- 0.0.0.0/0 10.0.100.100 MARK set
0x1
MARK all -- 0.0.0.0/0 10.0.100.101 MARK set
0x1
and
# IPSec
-A INPUT -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
# IPSec/IKE
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
Usual stuff (net.ipv4.ip_forward = 1, net.ipv4.conf.eth0.arp_ignore = 1,
net.ipv4.conf.eth0.arp_announce = 2) is also in place.
However, although ldirectord sees the terminators up and running,
nothing happens when trying to initiate an IKE.
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
FWM 1 wlc
-> 10.0.100.100:0 Masq 1 0 0
-> 10.0.100.101:0 Masq 1 0 0
Any idea what may be wrong here? I see packets coming in on the front
door, but nothing happens after this.
Is it even possible to "load balance" IPSec this way?
Best regards,
Bernd
_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/
LinuxVirtualServer.org mailing list - lvs-users@LinuxVirtualServer.org
Send requests to lvs-users-request@LinuxVirtualServer.org
or go to http://lists.graemef.net/mailman/listinfo/lvs-users