[Openswan Users] openswan + ipvs : route back problem
Sebastien COUPPEY
sebastien.couppey at zero9.it
Fri Oct 10 04:32:20 EDT 2008
Hello,

I am facing difficulties with my chain:

client - ipsec - ... - openswan - ipvs - real servers

where openvpn+ipvs are on the same server.

It seems that the return packets never arrive at the clients.
Architecture:

client : 10.44.0.254
          |
          |
     +----+----+
     |  node A |
     |         |
     +----+----+
          |
          |
   +------+--------+
   |     node B    |
   |  openswan     |  2.4.14
   |  ipvs         |  VIP: 10.4.0.30
   +------X--------+
         / \
        /   \
       /     \
RealServer1   RealServer2
 10.0.1.60
ldirectord configuration:

virtual=10.4.0.30:80
        real=10.0.1.60:80 masq
        service=http
        protocol=tcp
        checktype=on
Here is my openswan configuration:

conn test-to-wasabi
        authby=secret
        right=xxx.xxx.xxx.xxx
        rightsubnet=10.44.0.0/24
        left=aaa.aaa.aaa.bbb
        leftsubnet=10.4.0.30/32
        leftsourceip=10.4.0.30
        ike=aes256-sha1
        esp=aes256-sha1
        # auto=ignore
        auto=start
Has someone already faced this problem?

tcpdumps taken from the openswan server and the real server are attached.

Thanks
Openswan server:
# tcpdump -i any -n port 80 or host 10.44.0.254 or host 10.4.0.30
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
10:23:48.914501 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
10:23:48.914573 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
10:23:48.914591 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
10:23:48.914615 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656182468 3059614571,nop,wscale 7>
10:23:48.915915 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:49.915572 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:50.915650 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:51.914482 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
10:23:51.914515 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
10:23:51.914517 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
10:23:51.914619 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185468 3059614571,nop,wscale 7>
10:23:51.915382 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
10:23:51.915394 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
10:23:52.314340 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185868 3059614571,nop,wscale 7>
10:23:52.315421 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:53.315210 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:54.315279 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:55.316106 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
Ping from the openswan server:
# ping -I 10.4.0.30 10.44.0.254
PING 10.44.0.254 (10.44.0.254) from 10.4.0.30 : 56(84) bytes of data.
64 bytes from 10.44.0.254: icmp_seq=1 ttl=63 time=36.6 ms
64 bytes from 10.44.0.254: icmp_seq=2 ttl=63 time=36.4 ms
Real server:
# tcpdump -i bond0 -n port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
10:23:48.909576 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
10:23:48.909645 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656182468 3059614571,nop,wscale 7>
10:23:51.909559 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
10:23:51.909566 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185468 3059614571,nop,wscale 7>
10:23:52.309288 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185868 3059614571,nop,wscale 7>
10:23:57.910154 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059623571 0,nop,wscale 5>
10:23:57.910160 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656191468 3059614571,nop,wscale 7>
10:23:58.309446 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656191868 3059614571,nop,wscale 7>
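Added example (editor's code, not part of the post above and not Openswan or LVS code): a small analyser that reads a director-side `tcpdump -i any` capture in the text format quoted above and correlates the three things that matter for the "route back" question: the SYN being DNATed by IPVS from the VIP to a real server, the SYN/ACK from the real server arriving back at the director, and what the director then does with that reply. The VIP (10.4.0.30) and the tunnel subnet (rightsubnet 10.44.0.0/24) are taken from the posted config; the sample capture is a constructed, trimmed copy of the posted one. The interpretation the script prints is the editor's, not the poster's: an ARP request for an address that the conn places behind the tunnel means the kernel tried to deliver the reply on a local Ethernet link rather than hand it to the IPsec SA, so it never gets encapsulated.

```python
"""Correlate an Openswan + IPVS director capture to see where replies stop.

Editor's example, not code from the original post. Assumes the 2008-era
tcpdump text format shown in the post (ports appended with a dot, TCP flags
as a letter before the sequence numbers).
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: a trimmed copy of the director-side capture in the post.
SAMPLE_CAPTURE = """\
10:23:48.914501 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840
10:23:48.914573 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840
10:23:48.914591 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840
10:23:48.914615 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792
10:23:48.915915 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:49.915572 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:51.914482 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840
10:23:51.914515 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840
10:23:51.914619 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792
10:23:51.915382 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
TCP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IPV4})\.(?P<sport>\w+) > "
                    rf"(?P<dst>{IPV4})\.(?P<dport>\w+): (?P<flags>[SPFR.]+) ")
ICMP_RE = re.compile(rf"^(?P<ts>\S+) IP (?P<src>{IPV4}) > (?P<dst>{IPV4}): "
                     rf"ICMP host (?P<target>{IPV4}) unreachable")
ARP_RE = re.compile(rf"^(?P<ts>\S+) arp who-has (?P<target>{IPV4}) tell (?P<sender>{IPV4})")


def parse_line(line):
    """Return a dict describing one capture line, or None for lines we ignore."""
    m = ICMP_RE.match(line)
    if m:
        return {"kind": "unreach", **m.groupdict()}
    m = ARP_RE.match(line)
    if m:
        return {"kind": "arp", **m.groupdict()}
    m = TCP_RE.match(line)
    if m:
        ev = {"kind": "tcp", **m.groupdict()}
        ev["syn"] = "S" in ev["flags"]
        ev["ack"] = " ack " in line   # old tcpdump prints "ack N" after the seq range
        return ev
    return None


def analyse(capture, vip, tunnel_subnets):
    """Walk the capture and report what happened to each client connection.

    vip:            the IPVS virtual address the IPsec peer is allowed to reach
    tunnel_subnets: the conn's rightsubnet(s); replies to these addresses must
                    enter the IPsec SA, never be ARPed for on a local link.
    Returns (counts, findings).
    """
    nets = [ip_network(n) for n in tunnel_subnets]

    def via_tunnel(addr):
        return any(ip_address(addr) in n for n in nets)

    dnat = {}   # (client, sport) -> real server chosen by IPVS, once seen
    counts = {"dnat": 0, "synack_at_director": 0,
              "arp_for_tunnel_peer": 0, "unreachable": 0}
    findings = []
    for line in capture.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "tcp" and ev["syn"] and not ev["ack"]:
            key = (ev["src"], ev["sport"])
            if ev["dst"] == vip:
                dnat.setdefault(key, None)            # SYN arrived on the VIP
            elif key in dnat and dnat[key] is None:   # same SYN, now DNATed
                dnat[key] = ev["dst"]
                counts["dnat"] += 1
                findings.append(f"{key[0]}:{key[1]} -> {vip} was DNATed by IPVS to {ev['dst']}")
        elif ev["kind"] == "tcp" and ev["syn"] and ev["ack"]:
            key = (ev["dst"], ev["dport"])
            if dnat.get(key) == ev["src"]:            # real server's SYN/ACK is back
                counts["synack_at_director"] += 1
        elif ev["kind"] == "arp" and via_tunnel(ev["target"]):
            counts["arp_for_tunnel_peer"] += 1
        elif ev["kind"] == "unreach" and via_tunnel(ev["target"]):
            counts["unreachable"] += 1

    if counts["synack_at_director"] and counts["arp_for_tunnel_peer"]:
        findings.append("replies reach the director but the kernel ARPs for the client: "
                        "the return path for the rightsubnet is a local link, not the IPsec SA")
    if counts["unreachable"]:
        findings.append(f"{counts['unreachable']} reply/replies dropped with ICMP host unreachable")
    return counts, findings


if __name__ == "__main__":
    counts, findings = analyse(SAMPLE_CAPTURE, "10.4.0.30", ["10.44.0.0/24"])
    print(counts)
    for f in findings:
        print("-", f)
```

Feed it the full capture from the post with `analyse(open("director.txt").read(), "10.4.0.30", ["10.44.0.0/24"])`; the counters give the same picture at a glance that reading the raw lines does: the DNAT happens, the real server answers, and the answer is then resolved by ARP on a local link and finally reported unreachable. Ping with `-I 10.4.0.30` working while the TCP reply fails is consistent with that, since the ping is generated locally by the director and not forwarded for a real server, so the two take different paths through routing and the IPsec policy lookup.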