[Openswan Users] openswan + ipvs : route back problem
Sebastien COUPPEY
sebastien.couppey at zero9.it
Mon Oct 20 06:57:35 EDT 2008
ciao,
So has anybody managed to get lvs working with openswan netkey on the
same server?
As I am still facing a configuration problem, I was wondering if someone
could post a configuration example.
Thanks a lot,
On Fri, Oct 10, 2008 at 10:32:20AM +0200, Sebastien COUPPEY wrote:
> Hello,
>
> I am facing difficulties with my chain:
>
> client - ipsec -... - openswan - ipvs - Real servers.
>
> where openvpn+ipvs are on the same server.
>
> It seems that the return packets never arrive at the clients.
>
> Architecture:
>
> client :10.44.0.254
> |
> |
> \
> +----+----+
> | node A |
> | |
> +---+-----+
> |
> |
> |
> |
> |
> +------+--------+
> | node B |
> | openswan | 2.4.14
> | ipvs | VIP: 10.4.0.30
> +------X--------+
> -/\____
> / \-
> -/ \
> -/ \
> / \
> RealServer1 RealServer2
> 10.0.1.60
>
>
>
> Ldirectord configuration:
>
> virtual=10.4.0.30:80
> real=10.0.1.60:80 masq
> service=http
> protocol=tcp
> checktype=on
>
>
> Here is my openswan configuration:
>
> conn test-to-wasabi
> authby=secret
> right=xxx.xxx.xxx.xxx
> rightsubnet=10.44.0.0/24
> left=aaa.aaa.aaa.bbb
> leftsubnet=10.4.0.30/32
> leftsourceip=10.4.0.30
> ike=aes256-sha1
> esp=aes256-sha1
> # auto=ignore
> auto=start
>
>
> Has someone already faced this problem?
> tcpdumps taken from the openswan server and the real server are attached.
>
>
> Thanks
> OPENSWAN server:
> # tcpdump -i any -n port 80 or host 10.44.0.254 or host 10.4.0.30
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
>
>
> 10:23:48.914501 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
> 10:23:48.914573 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
> 10:23:48.914591 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
> 10:23:48.914615 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656182468 3059614571,nop,wscale 7>
> 10:23:48.915915 arp who-has 10.44.0.254 tell 10.4.0.30
> 10:23:49.915572 arp who-has 10.44.0.254 tell 10.4.0.30
> 10:23:50.915650 arp who-has 10.44.0.254 tell 10.4.0.30
> 10:23:51.914482 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
> 10:23:51.914515 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
> 10:23:51.914517 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
> 10:23:51.914619 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185468 3059614571,nop,wscale 7>
> 10:23:51.915382 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
> 10:23:51.915394 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
> 10:23:52.314340 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185868 3059614571,nop,wscale 7>
> 10:23:52.315421 arp who-has 10.44.0.254 tell 10.4.0.30
> 10:23:53.315210 arp who-has 10.44.0.254 tell 10.4.0.30
> 10:23:54.315279 arp who-has 10.44.0.254 tell 10.4.0.30
> 10:23:55.316106 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
>
>
> Ping from the openswan server:
> # ping -I 10.4.0.30 10.44.0.254
> PING 10.44.0.254 (10.44.0.254) from 10.4.0.30 : 56(84) bytes of data.
> 64 bytes from 10.44.0.254: icmp_seq=1 ttl=63 time=36.6 ms
> 64 bytes from 10.44.0.254: icmp_seq=2 ttl=63 time=36.4 ms
>
>
>
>
>
> Realserver
>
> # tcpdump -i bond0 -n port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond0, link-type EN10MB (Ethernet), capture size 96 bytes
>
> 10:23:48.909576 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
> 10:23:48.909645 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656182468 3059614571,nop,wscale 7>
> 10:23:51.909559 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
> 10:23:51.909566 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185468 3059614571,nop,wscale 7>
> 10:23:52.309288 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185868 3059614571,nop,wscale 7>
> 10:23:57.910154 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059623571 0,nop,wscale 5>
> 10:23:57.910160 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656191468 3059614571,nop,wscale 7>
> 10:23:58.309446 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656191868 3059614571,nop,wscale 7>
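As an added illustration, not part of the original thread, here is a small Python script that parses tcpdump lines in the format pasted above and summarises what the capture says about the return path: whether the client's SYN was forwarded to a real server, whether a SYN-ACK addressed to the client appeared, and whether node B then tried to ARP for the client address (which means its routing table treated the client as on-link instead of reachable through the IPsec peer) and emitted ICMP host unreachable. The embedded sample is a constructed, trimmed copy of the node B capture from the thread; the client and VIP addresses are the thread's own, and the field names in the report are this script's, not tcpdump's.

```python
import re

# Constructed sample: a trimmed copy of the "tcpdump -i any" lines from node B above.
SAMPLE_CAPTURE = """\
10:23:48.914501 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
10:23:48.914573 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059614571 0,nop,wscale 5>
10:23:48.914615 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656182468 3059614571,nop,wscale 7>
10:23:48.915915 arp who-has 10.44.0.254 tell 10.4.0.30
10:23:51.914482 IP 10.44.0.254.57929 > 10.4.0.30.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
10:23:51.914515 IP 10.44.0.254.57929 > 10.0.1.60.http: S 2085184363:2085184363(0) win 5840 <mss 1460,sackOK,timestamp 3059617571 0,nop,wscale 5>
10:23:51.914619 IP 10.0.1.60.http > 10.44.0.254.57929: S 1957768207:1957768207(0) ack 2085184364 win 5792 <mss 1460,sackOK,timestamp 2656185468 3059614571,nop,wscale 7>
10:23:51.915382 IP 10.4.0.30 > 10.4.0.30: ICMP host 10.44.0.254 unreachable, length 68
"""

IP4 = r"\d+(?:\.\d+){3}"
# Old-style tcpdump TCP line: flags, then seq:seq(len), then "ack N" if ACK is set.
TCP_RE = re.compile(
    rf"^(?P<ts>\S+) IP (?P<src>{IP4})\.(?P<sport>\w+) > (?P<dst>{IP4})\.(?P<dport>\w+): "
    rf"(?P<flags>[SFRP.]+) (?P<seq>\d+):\d+\(\d+\)(?P<rest>.*)$"
)
ARP_RE = re.compile(rf"^(?P<ts>\S+) arp who-has (?P<target>{IP4}) tell (?P<sender>{IP4})$")
UNREACH_RE = re.compile(rf"^(?P<ts>\S+) IP \S+ > \S+: ICMP host (?P<host>{IP4}) unreachable")


def parse_capture(text):
    """Turn tcpdump lines into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := TCP_RE.match(line):
            d = m.groupdict()
            d["kind"] = "tcp"
            d["syn"] = "S" in d["flags"]
            d["ack"] = " ack " in d["rest"]
            events.append(d)
        elif m := ARP_RE.match(line):
            events.append({"kind": "arp", **m.groupdict()})
        elif m := UNREACH_RE.match(line):
            events.append({"kind": "unreach", **m.groupdict()})
    return events


def diagnose(text, client, vip):
    """Summarise the forward and return legs of the client's handshake through the VIP."""
    ev = parse_capture(text)
    tcp = [e for e in ev if e["kind"] == "tcp"]
    syn_to_vip = [e for e in tcp if e["syn"] and not e["ack"] and e["src"] == client and e["dst"] == vip]
    # After IPVS masq, the same SYN reappears with a real server as destination.
    syn_forwarded = [e for e in tcp if e["syn"] and not e["ack"] and e["src"] == client and e["dst"] != vip]
    synack_to_client = [e for e in tcp if e["syn"] and e["ack"] and e["dst"] == client]
    report = {
        "client_syn_retransmits": len(syn_to_vip) - len({e["seq"] for e in syn_to_vip}),
        "syn_forwarded_to_real_servers": len(syn_forwarded),
        "real_servers": sorted({e["dst"] for e in syn_forwarded}),
        "synack_seen_to_client": len(synack_to_client),
        # A reply that actually left the host after un-NAT would be sourced from the VIP.
        "synack_sourced_from_vip": sum(1 for e in synack_to_client if e["src"] == vip),
        "arp_probes_for_client": sum(1 for e in ev if e["kind"] == "arp" and e["target"] == client),
        "icmp_host_unreachable_for_client": sum(1 for e in ev if e["kind"] == "unreach" and e["host"] == client),
    }
    report["verdict"] = classify(report)
    return report


def classify(r):
    """Map the counts to a one-line reading of where the handshake breaks."""
    if r["synack_seen_to_client"] == 0:
        return "forward path: no reply from any real server reached the director"
    if r["arp_probes_for_client"] or r["icmp_host_unreachable_for_client"]:
        return ("return path: the director ARPs for the client as if it were on a local link, "
                "so the reply is never handed to the IPsec policy; check the route to the client "
                "subnet and that the un-NATed reply (source = VIP) matches leftsubnet/rightsubnet")
    if r["client_syn_retransmits"]:
        return "return path: replies leave the host but the client keeps retransmitting; capture on the tunnel side"
    return "handshake looks symmetric"


if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_CAPTURE, "10.44.0.254", "10.4.0.30").items():
        print(f"{k}: {v}")
```

Run it against a full capture with `diagnose(open("dump.txt").read(), client, vip)`; the "arp who-has <client> tell <vip>" pattern is the decisive line, since a host that routes the client through the tunnel never needs the client's MAC address.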