[Openswan Users] Re: [LARTC] OpenSwan traffic shaping with HTB & sfq

Sylvain BERTRAND sylvain at 2001-space-odyssey.net
Wed May 4 10:48:21 CEST 2005


On Wed 4 May 2005 9:34, Lewis Shobbrook wrote:
> Hi All,
>
> I've got an interoffice IPSEC VPN in place that I'm trying to give
> priority to terminal service (tcp 3389) traffic.
> I've created rules at each end, but have hit a bit of a dilemma.  As
> the data is encrypted I must also give highest priority to protocol 50
> otherwise the priority is lost as the packet gets encrypted.
> When I do this however, I can't slow people dragging large files across
> the VPN and disrupting the Terminal users.
> This is an example of some of the rules in place.  I can protect the VPN
> traffic from other internet traffic such as email etc, but not from
> themselves if you know what I mean.
>
> # Root HTB tree; unclassified traffic falls into 1:30
> tc qdisc del dev $NET_IF root
> tc qdisc add dev $NET_IF root handle 1: htb default 30
>
> # Classes must exist before the sfq qdiscs are attached to them
> tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
> tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst 15Kb prio 0
> tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
> tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil 512Kbit burst 15Kb prio 2
>
> tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10
>
> # Terminal service (tcp 3389) into the top-priority class; the u32 classifier must be named
> tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip sport 3389 0xffff flowid 1:10
> tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
> Etc etc...
>
> Has anyone come across this before and found a solution?
>
> Any suggestions appreciated.
>
> Cheers,
>
> Lewis
>

I'm not familiar with OpenSwan /per se/, but if you had an intermediate
interface (like ipsec0), you would be able to apply traffic control first on
the unencrypted TCP packets, and then on the IPSEC packets.
Someone correct me if I'm wrong...

Regards,

Sylvain
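The two-stage setup Sylvain describes, as an added example that is not from either poster: classify on the plaintext interface where port 3389 is still visible, then give the resulting ESP stream priority on the outer interface. It assumes a KLIPS-style inner interface named ipsec0, an outer interface eth0, and constructed rates; DRY_RUN=1 (the default) prints the tc commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the plaintext inner interface
# ipsec0 and the outer interface eth0 carrying ESP; the rates are constructed.
# DRY_RUN=1 (default) prints the tc commands; DRY_RUN=0 applies them (needs root).
INNER_IF=${INNER_IF:-ipsec0}
OUTER_IF=${OUTER_IF:-eth0}
DRY_RUN=${DRY_RUN:-1}

tc_cmd() {
    if [ "$DRY_RUN" = 1 ]; then printf 'tc %s\n' "$*"; else tc "$@"; fi
}

# Stage 1: packets on the inner interface are still plain TCP, so the RDP
# port is visible here. Classes are created before the qdiscs that hang off
# them, and the u32 classifier is named explicitly in the filters.
shape_inner() {
    tc_cmd qdisc del dev "$INNER_IF" root 2>/dev/null
    tc_cmd qdisc add dev "$INNER_IF" root handle 1: htb default 30
    # Inner total is kept below the outer ESP class's guaranteed rate (stage 2),
    # so the queueing, and therefore the ordering, happens here.
    tc_cmd class add dev "$INNER_IF" parent 1: classid 1:1 htb rate 384Kbit burst 15Kb
    tc_cmd class add dev "$INNER_IF" parent 1:1 classid 1:10 htb rate 256Kbit ceil 384Kbit burst 15Kb prio 0
    tc_cmd class add dev "$INNER_IF" parent 1:1 classid 1:30 htb rate 10Kbit ceil 384Kbit burst 15Kb prio 2
    tc_cmd qdisc add dev "$INNER_IF" parent 1:10 handle 10: sfq perturb 10
    tc_cmd qdisc add dev "$INNER_IF" parent 1:30 handle 30: sfq perturb 10
    tc_cmd filter add dev "$INNER_IF" protocol ip parent 1:0 prio 1 u32 match ip sport 3389 0xffff flowid 1:10
    tc_cmd filter add dev "$INNER_IF" protocol ip parent 1:0 prio 1 u32 match ip dport 3389 0xffff flowid 1:10
}

# Stage 2: on the outer interface the tunnel is opaque ESP (protocol 50), so
# only "VPN versus other Internet traffic" can be decided here.
shape_outer() {
    tc_cmd qdisc del dev "$OUTER_IF" root 2>/dev/null
    tc_cmd qdisc add dev "$OUTER_IF" root handle 1: htb default 30
    tc_cmd class add dev "$OUTER_IF" parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
    # ESP adds per-packet overhead, so the guaranteed rate leaves headroom
    # above the 384Kbit inner total.
    tc_cmd class add dev "$OUTER_IF" parent 1:1 classid 1:10 htb rate 448Kbit ceil 512Kbit burst 15Kb prio 0
    tc_cmd class add dev "$OUTER_IF" parent 1:1 classid 1:30 htb rate 64Kbit ceil 512Kbit burst 15Kb prio 2
    tc_cmd qdisc add dev "$OUTER_IF" parent 1:10 handle 10: sfq perturb 10
    tc_cmd qdisc add dev "$OUTER_IF" parent 1:30 handle 30: sfq perturb 10
    tc_cmd filter add dev "$OUTER_IF" protocol ip parent 1:0 prio 1 u32 match ip protocol 50 0xff flowid 1:10
}

shape_inner
shape_outer
```

Check the result with `tc -s class show dev ipsec0`: if the 1:10 counters do not grow while an RDP session is active, the plaintext packets are not passing through the inner interface and the scheme cannot work.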
