[Openswan Users] OpenSwan traffic shaping with HTB & sfq

[Lewis Shobbrook]

Hi All,

I've got an interoffice IPSEC VPN in place that I'm trying to give
priority to terminal service (tcp 3389) traffic.
I've created rules at each end, but have hit a bit of a dillemma.  As
the data is encrypted I must also give highest priority to protocol 50
otherwise the priority is lost as the packet gets encrypted.  
When I do this however, I can't slow people dragging large files across
the VPN and disrupting the Terminal users. 
This is an example of some of the rules in place.  I can protect the VPN
traffic from other internet traffic such as email etc, but not from
themselves if you know what I mean.

tc qdisc del dev $NET_IF root
tc qdisc add dev $NET_IF root handle 1: htb default 30

tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst
15Kb
tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil
512Kbit burst 15Kb prio 1
tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil
512Kbit burst 15Kb prio 2

tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10

tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst
15Kb prio 0
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip sport
3389 0xffff flowid 1:10
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip src
$termserver_ip match ip sport 3389 0xffff flowid 1:10
Etc etc...

Has anyone come across this before and found a solution?

Any suggestions appreciated.

Cheers,

Lewis