[Openswan Users] QoS

Ken Bantoft ken at xelerance.com
Thu Nov 24 21:34:37 CET 2005


On Thu, 24 Nov 2005, Lionel Cottin wrote:

> Dear All,
>
> I'm currently running OpenSwan to connect about 30 locations worldwide in a 
> hub-and-spoke topology (3 hubs).
> Next, I would like to make use of the same infrastructure for a global VoIP 
> project.
> This immediately leads to QoS considerations and I'm wondering if OpenSwan is 
> "translating" QoS information from the inner header (non encrypted packet) to 
> the outer header (encrypted packet). This would allow me to classify IPSEC 
> traffic based on CoS/DSCP or whatever on access routers....

Default option is to strip the ToS/QoS information, but it's a setting you 
can change:

hidetos=no

and Openswan will copy the data.

> But this also leads to another (probably stupid) question: if there's only 
> one IPSEC tunnel for both data and voice traffic, is it possible to decrypt 
> and forward "voice" packets arriving before "data" packets even if the "data" 
> packet had been encrypted before the "voice" one? Should decryption occur in 
> the same order as encryption? Should I create 2 different tunnels to 
> handle voice and data traffic and to implement QoS on IPSec traffic?

While you can't tell it to decrypt one packet before the other, you 
can (at least with KLIPS) implement QoS rules on the ipsec0 interface, 
which would control the order of the packets entering/leaving.

I did this for some transatlantic VPNs in the pre-VOIP era so interactive 
(ssh/telnet) traffic had less lag than bulk.  We used IMQ and HTB3, I'm 
not sure if they are still the best options out there.

Ken
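As an added illustration of the two points above (this script is not from the thread, from Ken, or from the Openswan project), the following shell script builds an HTB tree on the KLIPS ipsec0 interface so that packets marked as voice (DSCP EF, code point 46) are dequeued ahead of bulk data. The classifier sees the inner, still-cleartext packet as it is queued on ipsec0; the hidetos=no setting Ken mentions is what additionally copies the ToS byte to the outer ESP packet so access routers beyond the gateway can classify the encrypted traffic. It assumes hidetos=no lives in the "config setup" section of ipsec.conf, that ipsec0 is the tunnel interface, and uses constructed placeholder link rates.

```shell
#!/bin/sh
# Added example, not from the original thread. Shapes the KLIPS ipsec0
# interface with HTB so packets marked as voice (DSCP EF = 46) leave ahead
# of everything else. The filter runs on the inner (cleartext) packet as it
# is queued on ipsec0; hidetos=no in the "config setup" section of
# ipsec.conf (assumed location) is still needed for routers beyond the
# gateway to see the mark on the outer header. Rates are constructed placeholders.
set -eu

TC="${TC:-tc}"          # set TC=echo to print the commands instead of running them
DEV="${DEV:-ipsec0}"    # KLIPS virtual interface carrying the tunnelled traffic

# u32 "match ip tos VALUE MASK" works on the whole ToS byte. DSCP is the upper
# six bits, so a DSCP code point becomes VALUE by shifting left two bits;
# MASK 0xfc ignores the two ECN bits.
dscp_to_tos_hex() {
    printf '0x%02x' $(( $1 << 2 ))
}

# apply_qos LINK_RATE VOICE_RATE BULK_RATE
# Root HTB with one class for the link, a voice child (prio 0) that may borrow
# up to the link rate, and a bulk child (prio 1) that takes everything else.
apply_qos() {
    link=$1; voice=$2; bulk=$3
    ef=$(dscp_to_tos_hex 46)

    # Start from a clean root; ignore the error if nothing was configured yet.
    $TC qdisc del dev "$DEV" root 2>/dev/null || true

    $TC qdisc add dev "$DEV" root handle 1: htb default 20
    $TC class add dev "$DEV" parent 1:  classid 1:1  htb rate "$link"  ceil "$link"
    $TC class add dev "$DEV" parent 1:1 classid 1:10 htb rate "$voice" ceil "$link" prio 0
    $TC class add dev "$DEV" parent 1:1 classid 1:20 htb rate "$bulk"  ceil "$link" prio 1

    # Voice: anything carrying DSCP EF goes to the high-priority class;
    # unclassified traffic falls into 1:20 via "default 20" above.
    $TC filter add dev "$DEV" parent 1: protocol ip prio 1 u32 \
        match ip tos "$ef" 0xfc flowid 1:10
}

# Run only when explicitly asked, so sourcing the file for its functions is safe:
#   sudo sh qos.sh apply 2mbit 512kbit 1536kbit
if [ "${1:-}" = "apply" ]; then
    apply_qos "$2" "$3" "$4"
fi
```

Running it with TC=echo prints the tc commands for review instead of applying them; after applying for real, `tc -s class show dev ipsec0` shows per-class byte and drop counters, which is the quickest way to confirm that voice packets are actually landing in class 1:10 rather than the default bulk class.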

