[lvs-users] LVS-TUN IPv6 questions

I am trying to set up a simple, dual-stack LVS-TUN cluster and I've
stumbled on the IPv6 setup of the realserver. I did get it to work after
all, but I still wonder whether I've got it totally wrong.

All systems are Debian Wheezy based with Linux 3.2.0, ipvsadm v1.26.

This is my working configuration:

# director
ip addr add scope global dev eth0
ip -6 addr add 2001:648:2ffc:106::85/128 scope global dev eth0 preferred_lft 0
ipvsadm -R <<EOF
-A -t -s rr
-a -t -r -i -w 1
-A -t [2001:648:2ffc:106::85]:80 -s rr
-a -t [2001:648:2ffc:106::85]:80 -r [2001:648:2ffc:100::213]:80 -i -w 1
EOF

# realserver
ip ip addr add dev tunl0 brd
ip link set dev tunl0 up
ip -6 tunnel add lvs6tun0 mode ip6ip6 local 2001:648:2ffc:100::213 remote 2001:648:2ffc:106::78 dev eth0
ip link set dev lvs6tun0 up
ip -6 addr add 2001:648:2ffc:106::85 dev lvs6tun0

At first I tried to set up the ipv6 tunnel interface following the
guidelines for ipv4. I could not use tunl0 since the encapsulation is
different (ip6ip6):

ip -6 addr add dev ip6tnl0 2001:648:2ffc:106::85/128 scope global
ip link set dev ip6tnl0 up

This didn't work; no traffic on ip6tnl0 and I noticed the realserver was
sending icmp6 parameter problem back to the director.

Then I tried to get the director to use 6-in-4 encapsulation (SIT),
which perhaps would be easier to set up on the realserver (like IPIP for

ipvsadm -t [2001:648:2ffc:106::85]:80 -r -i -w 1

This also didn't work; ipvsadm -l shows this:

Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP [2001:648:2ffc:106::85]:http rr
-> [c2b1:d2d5:2ffc:106::85]:http Tunnel 1 0 0

This matches the 32 bits of the realserver ipv4 address + the last 96
bits of the service address.

Finally, when I did get to set up the tunnel as in the working
configuration above, it still didn't work until I set the remote
endpoint. Not being able to use "remote any" means I have to set up a
different tunnel for every director.

So I wonder whether it is at all possible to use a setup similar to
ipv4, without an explicit tunnel setup or at least without specifying a
remote endpoint. I would rather use iptables rules to limit the
endpoints (directors) that can send tunneled traffic to the realserver.
I'm also curious if IPVS can do ipv6-in-ipv4 encapsulation.

Thanks in advance for your insight.

Zenon Mousmoulas
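
An added example, not part of the original post and not IPVS code: a Python check for the pattern described above, where a realserver entry in the `ipvsadm -l` listing shows an IPv4 address in its first 32 bits followed by the last 96 bits of the service address. The listing is constructed with documentation addresses, and `overlay` and `find_overlaid` are hypothetical helper names; the match is a heuristic on the address bits only.

```python
import ipaddress
import re

# Constructed sample in the layout of the `ipvsadm -l` listing quoted above;
# all addresses are documentation prefixes, not the poster's.
SAMPLE = """\
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP  [2001:db8:2ffc:106::85]:80 rr
  -> [c000:20a:2ffc:106::85]:80 Tunnel 1 0 0
  -> [2001:db8:2ffc:100::213]:80 Tunnel 1 0 0
"""

LOW96 = (1 << 96) - 1
ADDR = re.compile(r"\[([0-9a-fA-F:]+)\]:\S+")  # port may be a number or a name


def overlay(service: str, real_v4: str) -> str:
    """IPv4 bytes in the top 32 bits, service address in the low 96 bits."""
    svc = int(ipaddress.IPv6Address(service))
    v4 = int(ipaddress.IPv4Address(real_v4))
    return str(ipaddress.IPv6Address((v4 << 96) | (svc & LOW96)))


def find_overlaid(listing: str):
    """Return (service, realserver, ipv4) for entries matching that pattern."""
    hits, service = [], None
    for line in listing.splitlines():
        m = ADDR.search(line)
        if not m:
            continue  # header lines carry no bracketed IPv6 address
        addr = ipaddress.IPv6Address(m.group(1))
        if not line.lstrip().startswith("->"):
            service = addr  # virtual service line
            continue
        if service is None:
            continue
        # Same low 96 bits as the service, different top 32 bits.
        same_low = int(addr) & LOW96 == int(service) & LOW96
        if same_low and addr != service:
            v4 = ipaddress.IPv4Address(int(addr) >> 96)
            hits.append((str(service), str(addr), str(v4)))
    return hits


if __name__ == "__main__":
    for svc, real, v4 in find_overlaid(SAMPLE):
        print(f"{svc}: realserver {real} looks like IPv4 {v4} overlaid")
```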
