[Openswan Users] QoS

Lionel Cottin cottin at free.fr
Fri Dec 2 10:40:08 CET 2005




>On Thu, 24 Nov 2005, Lionel Cottin wrote:
>
>>I'm currently running OpenSwan to connect about 30 locations worldwide in a
>>hubs and spokes topology (3 hubs).
>>Next, I would like to make use of the same infrastructure for a global VoIP
>>project.
>
>Cool :)
>
>
>>This immediately leads to QoS considerations and I'm wondering if OpenSwan is
>>"translating" QoS information from the inner header (non encrypted packet) to
>>the outer header (encrypted packet). This would allow me to classify IPSEC
>>traffic based on CoS/DSCP or whatever on access routers....
>>
>>But this also leads to another (probably stupid) question: if there's only one
>>IPSEC tunnel for both data and voice traffic, is it possible to decrypt and
>>forward "voice" packets arriving before "data" packets even if the "data"
>>packet had been encrypted before the "voice" one? Should decryption occur in
>>the same order as encryption? Should I create 2 different tunnels to handle
>>voice and data traffic and to implement QoS on IPSec traffic?
>>
>>
>>I'd be happy to gather your comments or suggestions on this matter before I
>>start building my test lab environment ;-)
>
>Probably the easiest to do would be to do QoS separate from the IPsec gateway.
>If using KLIPS, you might be able to do QoS on the internal ethernet interface,
>before it hits the IPsec machinery. That might be harder to do with NETKEY.
>
>That way, you do not need to worry about what IPsec does with QoS.
You're probably right. I will give it a try soon.

Thanks ;-)
Lionel

