[Openswan dev] Linux VPN
mcr at sandelman.ottawa.on.ca
Thu Jun 30 14:09:34 CEST 2005
>>>>> "Ido" == Ido <Goshen> writes:
Ido> 1. IPSEC and QoS - Is there a way to prevent QoS from
Ido> reordering IPSEC packets? Disordering of packets is
Ido> critical to IPSEC. If I understand correctly (probably not), IPSEC
Ido> handling is done within POST_ROUTING. Traffic-shaping queues
Ido> are attached to a device, which is done afterward.
IPsec can tolerate a certain amount of packet re-ordering. It uses a
32 or 64 packet window to receive things.
Neither QoS nor NETKEY or KLIPS IPsec is done within POST_ROUTING.
Ido> 2. IPSEC policy per interface. Can packets be matched upon
Ido> their in/out interface? I haven't seen that an interface can be
Ido> specified in any method of setting IPSEC rules (e.g. spdadd in
Ido> 2.6 native ipsec, or ipsec auto -add in KLIPS of OpenSwan)
You cannot do that.
It will be possible in KLIPS3, but we have no release date for that.
] Michael Richardson Xelerance Corporation, Ottawa, ON | firewalls [
] mcr @ xelerance.com Now doing IPsec training, see |net architect[
] http://www.sandelman.ca/mcr/ www.xelerance.com/training/ |device driver[
] I'm a dad: http://www.sandelman.ca/lrmr/ [
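
The reply above says IPsec receives through a 32 or 64 packet window. The following is an added example, not part of the original message and not Openswan code: a receiver-side sliding-window check in the style of the RFC 4303 anti-replay algorithm, showing how late a QoS queue can deliver a packet before the receiver drops it. All names are hypothetical and the delivery pattern is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Anti-replay state for one inbound SA (hypothetical names). */
struct replay_state {
    uint32_t top;      /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set => sequence (top - i) already seen */
    unsigned window;   /* window size in packets: 32 or 64 */
};

enum verdict { ACCEPT = 0, DROP_REPLAY = 1, DROP_TOO_OLD = 2 };

/* Check a sequence number and record it if acceptable.
 * A real receiver updates the window only after the ICV verifies. */
static enum verdict replay_check(struct replay_state *s, uint32_t seq)
{
    if (seq == 0)
        return DROP_REPLAY;               /* 0 is never sent on an SA */
    if (seq > s->top) {                   /* new right edge: slide window */
        uint32_t shift = seq - s->top;
        s->bitmap = (shift >= 64) ? 0 : (s->bitmap << shift);
        s->bitmap |= 1;
        s->top = seq;
        return ACCEPT;
    }
    uint32_t offset = s->top - seq;
    if (offset >= s->window)
        return DROP_TOO_OLD;              /* reordered beyond the window */
    if (s->bitmap & ((uint64_t)1 << offset))
        return DROP_REPLAY;               /* duplicate */
    s->bitmap |= (uint64_t)1 << offset;   /* late but inside the window */
    return ACCEPT;
}

/* Deliver seqs 1..n in order, except `held`, which arrives last
 * (constructed input: a packet parked in a low-priority queue). */
static enum verdict deliver_late(unsigned window, uint32_t n, uint32_t held)
{
    struct replay_state s = { 0, 0, window };
    for (uint32_t seq = 1; seq <= n; seq++)
        if (seq != held)
            replay_check(&s, seq);
    return replay_check(&s, held);
}

int main(void)
{
    printf("w=32 late by 20: %d, w=32 late by 40: %d, w=64 late by 40: %d\n",
           deliver_late(32, 30, 10), deliver_late(32, 50, 10), deliver_late(64, 50, 10));
    return 0;
}
```

A packet overtaken by fewer packets than the window size is still accepted; one delayed past the window is discarded as if it were a replay, so a shaper that reorders more deeply than the window causes loss inside the tunnel.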