Issue #2464

How to load balance strongSwan IPsec via NGINX?

Added by Houman Kh about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.6.0
Resolution:

Description

Hello,

I have created two servers with Strongswan (IPsec) and would like to load balance between them.
I have set up a third server with NGINX as a UDP load balancer like this:

stream {
        upstream backend500 {
                hash $remote_addr consistent;
                server 172.31.9.51:500 fail_timeout=10s;
                server 172.31.20.140:500 fail_timeout=10s;
        }
        upstream backend4500 {
                hash $remote_addr consistent;
                server 172.31.9.51:4500 fail_timeout=10s;
                server 172.31.20.140:4500 fail_timeout=10s;
        }
        server {
                listen          500 udp;
                proxy_pass      backend500;
                proxy_timeout   1s;
                proxy_responses 1;
                error_log       /var/log/nginx/dns.log;
        }
        server {
                listen          4500 udp;
                proxy_pass      backend4500;
                proxy_timeout   1s;
                proxy_responses 1;
                error_log       /var/log/nginx/dns.log;
        }
}

Unfortunately, it doesn't quite connect, and I get this in the log of server 1:
Server 1: 172.31.9.51
Server 2: 172.31.20.140
Load Balancer: 172.31.2.189

Nov 12 18:09:45 ip-172-31-9-51 charon: 04[NET] received packet: from 172.31.2.189[35353] to 172.31.9.51[500] (300 bytes)
Nov 12 18:09:45 ip-172-31-9-51 charon: 04[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 04[IKE] 172.31.2.189 is initiating an IKE_SA
Nov 12 18:09:45 ip-172-31-9-51 charon: 04[IKE] local host is behind NAT, sending keep alives
Nov 12 18:09:45 ip-172-31-9-51 charon: 04[IKE] remote host is behind NAT
Nov 12 18:09:45 ip-172-31-9-51 charon: 04[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 04[NET] sending packet: from 172.31.9.51[500] to 172.31.2.189[35353] (316 bytes)
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[NET] received packet: from 172.31.2.189[50916] to 172.31.9.51[4500] (352 bytes)
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] unknown attribute type (25)
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[CFG] looking for peer configs matching 172.31.9.51[vpn2.t.com]...172.31.2.189[vpn2.t.com]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[CFG] selected peer config 'roadwarrior'
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[IKE] initiating EAP_IDENTITY method (id 0x00)
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[IKE] peer supports MOBIKE
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[IKE] authentication of 'vpn2.t.com' (myself) with RSA signature successful
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[IKE] sending end entity cert "CN=vpn2.t.com" 
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3" 
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(1/7) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(2/7) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(3/7) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(4/7) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(5/7) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(6/7) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] generating IKE_AUTH response 1 [ EF(7/7) ]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[50916] (544 bytes)
Nov 12 18:09:45 ip-172-31-9-51 charon: message repeated 5 times: [ 03[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[50916] (544 bytes)]
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[50916] (440 bytes)
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[NET] received packet: from 172.31.2.189[42019] to 172.31.9.51[4500] (352 bytes)
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[ENC] unknown attribute type (25)
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[IKE] received retransmit of request with ID 1, retransmitting response
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[42019] (544 bytes)
Nov 12 18:09:48 ip-172-31-9-51 charon: message repeated 5 times: [ 02[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[42019] (544 bytes)]
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[42019] (440 bytes)
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[NET] received packet: from 172.31.2.189[37918] to 172.31.9.51[4500] (352 bytes)
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[ENC] unknown attribute type (25)
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[IKE] received retransmit of request with ID 1, retransmitting response
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[37918] (544 bytes)
Nov 12 18:09:51 ip-172-31-9-51 charon: message repeated 5 times: [ 01[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[37918] (544 bytes)]
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[37918] (440 bytes)
Nov 12 18:09:54 ip-172-31-9-51 charon: 06[NET] received packet: from 172.31.2.189[37230] to 172.31.9.51[4500] (352 bytes)
Nov 12 18:09:54 ip-172-31-9-51 charon: 06[ENC] unknown attribute type (25)
Nov 12 18:09:54 ip-172-31-9-51 charon: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6 (25)) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(EAP_ONLY) ]
Nov 12 18:09:54 ip-172-31-9-51 charon: 06[IKE] received retransmit of request with ID 1, retransmitting response
Nov 12 18:09:54 ip-172-31-9-51 charon: 06[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[37230] (544 bytes)
Nov 12 18:09:54 ip-172-31-9-51 charon: message repeated 5 times: [ 06[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[37230] (544 bytes)]
Nov 12 18:09:54 ip-172-31-9-51 charon: 06[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[37230] (440 bytes)

I would really appreciate it if someone could advise me regarding this.
Many thanks,
Houman
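As an added example (not part of the issue report, and not strongSwan or NGINX code): a small parser for charon log lines of the kind quoted above that picks out two things visible in them, a response split into several datagrams and retransmits of the same request ID arriving from changing source ports, and states what each means when a UDP proxy sits between the peer and the gateway. The sample log is constructed to mirror the quoted lines.

```python
import re

# Constructed sample modelled on the charon lines quoted in the report (not the real log).
SAMPLE_LOG = """\
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[NET] received packet: from 172.31.2.189[50916] to 172.31.9.51[4500] (352 bytes)
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[ENC] splitting IKE message with length of 3334 bytes into 7 fragments
Nov 12 18:09:45 ip-172-31-9-51 charon: 03[NET] sending packet: from 172.31.9.51[4500] to 172.31.2.189[50916] (544 bytes)
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[NET] received packet: from 172.31.2.189[42019] to 172.31.9.51[4500] (352 bytes)
Nov 12 18:09:48 ip-172-31-9-51 charon: 02[IKE] received retransmit of request with ID 1, retransmitting response
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[NET] received packet: from 172.31.2.189[37918] to 172.31.9.51[4500] (352 bytes)
Nov 12 18:09:51 ip-172-31-9-51 charon: 01[IKE] received retransmit of request with ID 1, retransmitting response
"""

LINE_RE = re.compile(r"charon: (\d+)\[\w+\] (.*)$")  # worker thread id and message text
RECV_RE = re.compile(r"received packet: from (\S+)\[(\d+)\] to \S+\[(\d+)\]")
FRAG_RE = re.compile(r"splitting IKE message with length of (\d+) bytes into (\d+) fragments")
RETX_RE = re.compile(r"received retransmit of request with ID (\d+)")


def analyse(log_text):
    """Collect fragmented responses and, per request ID, the peer port each retransmit came from."""
    last_recv = {}    # worker -> (peer ip, peer port) of the packet that worker last received
    fragments = []    # (message length, fragment count) for every fragmented message
    retx_ports = {}   # request ID -> peer ports the retransmits of that request arrived from
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        worker, msg = m.groups()
        if (r := RECV_RE.match(msg)):
            last_recv[worker] = (r.group(1), int(r.group(2)))
        elif (f := FRAG_RE.match(msg)):
            fragments.append((int(f.group(1)), int(f.group(2))))
        elif (t := RETX_RE.match(msg)) and worker in last_recv:
            retx_ports.setdefault(int(t.group(1)), []).append(last_recv[worker][1])
    return {"fragments": fragments, "retransmits": retx_ports}


def findings(summary):
    """Explain the two patterns for the case where a UDP proxy relays packets between peer and gateway."""
    out = []
    for length, n in summary["fragments"]:
        if n > 1:
            out.append(f"{length}-byte response sent as {n} datagrams: a proxy that relays "
                       f"only one response per session drops the other {n - 1}")
    for req_id, ports in summary["retransmits"].items():
        uniq = sorted(set(ports))
        if len(uniq) > 1:
            out.append(f"request {req_id} retransmitted from {len(uniq)} source ports {uniq}: "
                       "every retransmit reached the gateway through a fresh proxy session")
    return out
```

Run `findings(analyse(open("/var/log/syslog").read()))` against a real gateway log to get the same two warnings for the exchange quoted in the report.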