Hi Bernd, I noticed a couple of things, which are hopefully useful.
On 05/19/2014 10:27 AM, Bernd wrote:
> Hi List,
>
> I'm about to try something like this:
>
>                              +----------+       +------------------+       /------ IPSec terminator 1 (10.0.100.100)
> Road warriors (Clients) <---> | internet | <---> | LVS (ldirectord) | ====
>                              +----------+       +-------(NAT)------+       \------ IPSec terminator 2 (10.0.100.101)
>
> Read: Road warriors connect to a LVS machine (managed by ldirectord)
> which in turn forwards IPSec to backend (real) servers.
>
> Hence NAT is being used, only ESP may work (if at all), as NAT destroys
> AH. I'm using fwmarks, as it should be as transparent as possible.
>
> ldirectord.cf:
>
> virtual=1
>         real=10.0.100.100 masq
>         real=10.0.100.101 masq
>         service=none
>         scheduler=wlc
>         protocol=fwm
>         checktype=ping
>         # checktype=connect
>         # checkport=500
>
> iptables is configured accordingly:
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  0.0.0.0/0            10.0.100.100         MARK set 0x1
> MARK       all  --  0.0.0.0/0            10.0.100.101         MARK set 0x1
>
> and
>
> # IPSec
> -A INPUT -p 50 -j ACCEPT
> -A INPUT -p 51 -j ACCEPT
>
> # IPSec/IKE
> -A INPUT -p udp -m udp --dport 500 -j ACCEPT
> -A INPUT -p udp -m udp --dport 4500 -j ACCEPT

If you're using NAT, I don't see a SNAT so that the real servers can talk to the outside world. What is the output of the "iptables -L -t nat" command?

> Usual stuff (net.ipv4.ip_forward = 1, net.ipv4.conf.eth0.arp_ignore = 1,
> net.ipv4.conf.eth0.arp_announce = 2) is also in place.

If you're doing NAT, why do you need the arp_ignore and arp_announce? As far as I know you only need that if you're doing LVS-DR.

> However, although ldirectord sees the terminators up and running,
> nothing happens when trying to initiate an IKE.
>
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> FWM  1 wlc
>   -> 10.0.100.100:0               Masq    1      0          0
>   -> 10.0.100.101:0               Masq    1      0          0
>
> Any idea what may be wrong here? I see packets coming in on the front
> door, but nothing happens after this.
>
> Is it even possible to "load balance" IPSec this way?
>
> Best regards,
>
> Bernd
>
> _______________________________________________
> Please read the documentation before posting - it's available at:
> http://www.linuxvirtualserver.org/
>
> LinuxVirtualServer.org mailing list - [email protected]
> Send requests to [email protected]
> or go to http://lists.graemef.net/mailman/listinfo/lvs-users
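As an added illustration of the point raised in the reply (example code, not from Bernd's post or the LVS project): the script below prints the rule set a fwmark-based LVS-NAT director in front of the two terminators would carry, including the POSTROUTING SNAT the reply asks about, and includes a small check that reads a saved nat table (the output of `iptables-save -t nat`) and reports whether an outbound SNAT/MASQUERADE rule is present. The addresses 10.0.100.100/101 and fwmark 1 come from the thread; the director's public address VIP (203.0.113.10), the real-server subnet RS_NET, the interface name, and marking on a single VIP instead of on each terminator address are assumptions. The two saved nat tables at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or the LVS project): rules for a
# fwmark-based LVS-NAT director in front of two IPsec terminators, plus a
# check on a saved nat table for the SNAT rule the reply found missing.
#
# Assumptions (not from the thread): VIP, RS_NET, PUB_IF, and marking on the
# VIP rather than on each terminator address. 10.0.100.100/101 and fwmark 1
# are the values from the thread.

VIP="${VIP:-203.0.113.10}"          # assumed: director's public address
RS_NET="${RS_NET:-10.0.100.0/24}"   # assumed: real-server subnet
PUB_IF="${PUB_IF:-eth0}"            # assumed: director's internet-facing NIC
FWM="${FWM:-1}"                     # fwmark from ldirectord.cf "virtual=1"
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Rules for the director. The mangle rules select exactly the IPsec traffic
# IPVS should balance; the nat rule is the piece the reply asks about.
lvs_ipsec_rules() {
    # IKE, NAT-T and ESP addressed to the VIP get the fwmark ldirectord uses.
    run iptables -t mangle -A PREROUTING -d "$VIP" -p udp --dport 500 -j MARK --set-mark "$FWM"
    run iptables -t mangle -A PREROUTING -d "$VIP" -p udp --dport 4500 -j MARK --set-mark "$FWM"
    run iptables -t mangle -A PREROUTING -d "$VIP" -p 50 -j MARK --set-mark "$FWM"
    # IPVS rewrites replies to balanced connections itself; traffic the
    # terminators originate on their own (updates, DNS, logging) is not IPVS
    # state and needs an explicit SNAT to reach the outside world.
    run iptables -t nat -A POSTROUTING -s "$RS_NET" -o "$PUB_IF" -j SNAT --to-source "$VIP"
}

# Read a saved nat table (e.g. `iptables-save -t nat`) on stdin and succeed
# only if POSTROUTING contains an SNAT or MASQUERADE rule.
nat_has_snat() {
    grep -Eq '^-A POSTROUTING .*-j (SNAT|MASQUERADE)'
}

# Constructed sample tables, standing in for real `iptables-save -t nat` output.
NAT_WITHOUT_SNAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'
NAT_WITH_SNAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.100.0/24 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT'

# Print "present" or "missing" for the saved nat table passed as $1.
snat_status() {
    if printf '%s\n' "$1" | nat_has_snat; then echo present; else echo missing; fi
}

echo "# rules the director would need:"
lvs_ipsec_rules
echo "# sample table without SNAT: $(snat_status "$NAT_WITHOUT_SNAT")"
echo "# sample table with SNAT:    $(snat_status "$NAT_WITH_SNAT")"
```

Run it as-is to see the commands; set `DRY_RUN=0` on a director to apply them. On a live box, `iptables-save -t nat | nat_has_snat` answers the reply's question directly: the check fails when nothing in POSTROUTING rewrites the real servers' source address, which is the situation the reply suspects from the configuration shown.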
