[Openswan Users] QoS

Paul Wouters paul at xelerance.com
Thu Nov 24 20:35:12 CET 2005


On Thu, 24 Nov 2005, Lionel Cottin wrote:

> I'm currently running OpenSwan to connect about 30 locations worldwide in a
> hubs and spokes topology (3 hubs).
> Next, I would like to make use of the same infrastructure for a global VoIP
> project.

Cool :)

> This immediately leads to QoS considerations and I'm wondering if OpenSwan is
> "translating" QoS information from the inner header (non encrypted packet) to
> the outer header (encrypted packet). This would allow me to classify IPSEC
> traffic based on CoS/DSCP or whatever on access routers....
>
> But this also leads to another (probably stupid) question: if there's only one
> IPSEC tunnel for both data and voice traffic, is it possible to decrypt and
> forward "voice" packets arriving before "data" packets even if the "data"
> packet had been encrypted before the "voice" one? Should decryption occur in
> the same order as encryption? Should I create 2 different tunnels to handle
> voice and data traffic and to implement QoS on IPSec traffic?
>
>
> I'd be happy to gather your comments or suggestions on this matter before I
> start building my test lab environment ;-)

Probably the easiest to do would be to do QoS separate from the IPsec gateway.
If using KLIPS, you might be able to do QoS on the internal ethernet interface,
before it hits the IPsec machinery. That might be harder to do with NETKEY.

That way, you do not need to worry about what IPsec does with QoS.

Paul

