[Openswan Users] Re: [LARTC] OpenSwan traffic shaping with HTB & sfq

lee huughes toxicnaan at gmail.com
Fri May 6 19:19:20 CEST 2005


On 2.6 kernels using KAME, there is no concept of extra 'ipsecX'
interfaces, so what are you supposed to do then? I presume you treat it
as you would any other traffic? The IPsec tunnel should be
transparent!?

Correct me if I'm wrong.


On 5/4/05, Sylvain BERTRAND <sylvain at 2001-space-odyssey.net> wrote:
> On Wed 4 May 2005 9:34, Lewis Shobbrook wrote:
> > Hi All,
> >
> > I've got an interoffice IPSEC VPN in place that I'm trying to give
> > priority to terminal service (tcp 3389) traffic.
> > I've created rules at each end, but have hit a bit of a dilemma.  As
> > the data is encrypted I must also give highest priority to protocol 50,
> > otherwise the priority is lost as the packet gets encrypted.
> > When I do this however, I can't slow people dragging large files across
> > the VPN and disrupting the Terminal users.
> > This is an example of some of the rules in place.  I can protect the VPN
> > traffic from other internet traffic such as email etc, but not from
> > themselves if you know what I mean.
> >
> > tc qdisc del dev $NET_IF root
> > tc qdisc add dev $NET_IF root handle 1: htb default 30
> >
> > tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
> > tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst 15Kb prio 0
> > tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
> > tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil 512Kbit burst 15Kb prio 2
> >
> > tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
> > tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
> > tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10
> >
> > tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip sport 3389 0xffff flowid 1:10
> > tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
> > Etc etc...
> >
> > Has anyone come across this before and found a solution?
> >
> > Any suggestions appreciated.
> >
> > Cheers,
> >
> > Lewis
> >
> 
> I'm not familiar with OpenSwan /per se/, but if you had an intermediate
> interface (like ipsec0), you'd be able to apply traffic control first on
> the unencrypted TCP packets, and then on the IPSEC packets.
> Someone correct me if I'm wrong...
> 
> Regards,
> 
> Sylvain
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
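The thread's problem is that once the packet is ESP (protocol 50) the TCP port is no longer visible to `tc`, and on a 2.6 kernel with the in-kernel IPsec stack there is no ipsecX device to shape on before encryption. The usual way around that is to mark the cleartext packet with an fwmark in the mangle table before xfrm encrypts it and then classify the ESP packet by that mark. The script below is an added example written for this thread, not code from any of the posters; it assumes the skb mark set on the cleartext packet survives ESP encapsulation on the same host (which is how the in-kernel stack behaves), and the interface name, rates and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread (not from the original posters): shape RDP
# inside an IPsec tunnel on a 2.6 kernel without an ipsecX interface.
# Plan: mark the cleartext packet (fwmark) BEFORE xfrm encrypts it, then let
# HTB classify the resulting ESP packet by that mark.
# Assumption: the fwmark set on the cleartext packet is kept on the ESP packet
# produced on the same host.  All values below are constructed placeholders.

NET_IF="${NET_IF:-eth0}"                     # Internet-facing interface carrying ESP
TERMSERVER_IP="${TERMSERVER_IP:-192.0.2.10}" # constructed RFC 5737 address
RDP_PORT=3389
MARK_RDP=10                                  # fwmark: interactive RDP inside the tunnel
MARK_VPN=20                                  # fwmark: all other tunnel (ESP) traffic
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute them

# Print or execute a command depending on DRY_RUN, so the rule set can be
# reviewed without root before it is applied.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: mark while the packet is still cleartext.  FORWARD sees LAN traffic
# routed into the tunnel; OUTPUT sees traffic the gateway generates itself.
# Both directions of RDP are matched so the same script works at either end.
mark_rules() {
    for chain in FORWARD OUTPUT; do
        run iptables -t mangle -A "$chain" -p tcp -s "$TERMSERVER_IP" --sport "$RDP_PORT" \
            -j MARK --set-mark "$MARK_RDP"
        run iptables -t mangle -A "$chain" -p tcp -d "$TERMSERVER_IP" --dport "$RDP_PORT" \
            -j MARK --set-mark "$MARK_RDP"
    done
    # Step 2: after encryption the packet passes POSTROUTING again as ESP
    # (protocol 50).  Anything still unmarked at that point is bulk VPN traffic.
    run iptables -t mangle -A POSTROUTING -o "$NET_IF" -p esp -m mark --mark 0 \
        -j MARK --set-mark "$MARK_VPN"
}

# Step 3: HTB tree on the egress interface.  Child rates sum to the parent
# rate so each class has a guaranteed share; ceil lets idle bandwidth be
# borrowed.  Classes are created before the sfq qdiscs that hang off them.
shaping_rules() {
    run tc qdisc del dev "$NET_IF" root || true   # nothing to delete on a clean box
    run tc qdisc add dev "$NET_IF" root handle 1: htb default 30
    run tc class add dev "$NET_IF" parent 1: classid 1:1 htb rate 512kbit burst 15k
    run tc class add dev "$NET_IF" parent 1:1 classid 1:10 htb rate 256kbit ceil 512kbit burst 15k prio 0
    run tc class add dev "$NET_IF" parent 1:1 classid 1:20 htb rate 128kbit ceil 512kbit burst 15k prio 1
    run tc class add dev "$NET_IF" parent 1:1 classid 1:30 htb rate 128kbit ceil 512kbit burst 15k prio 2
    for c in 10 20 30; do
        run tc qdisc add dev "$NET_IF" parent 1:$c handle $c: sfq perturb 10
    done
    # Step 4: classify by fwmark, which is what the ESP packet still carries.
    # RDP goes to the top-priority class, the rest of the tunnel to 1:20, and
    # unmarked Internet traffic falls through to the default class 1:30.
    run tc filter add dev "$NET_IF" parent 1: protocol ip prio 1 handle "$MARK_RDP" fw flowid 1:10
    run tc filter add dev "$NET_IF" parent 1: protocol ip prio 2 handle "$MARK_VPN" fw flowid 1:20
}

mark_rules
shaping_rules
```

Run it as-is to print the rule set; `DRY_RUN=0` as root applies it. Whether the marks actually reach the ESP packets can be checked afterwards with `iptables -t mangle -L POSTROUTING -v -n` (the esp rule's counters should stay near zero while RDP traffic flows, since those packets are already marked) and `tc -s class show dev eth0` (bytes should accumulate in 1:10 during a remote desktop session and in 1:20 during a file copy through the tunnel).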

