[Openswan Users] QoS

Marc Spiegelman marc at itu.net
Thu Nov 24 14:18:18 CET 2005


I also have an IPSEC/VOIP environment and have often pondered
implementing QOS on my OpenSwan box but it didn't seem possible. I
REALLY hope you get this figured out (so I can ask you).  

My situation is a little different since I want to boost priority of
voice traffic on the encryption side. My question may help both of
us.  Can someone explain the order of operation a packet goes through
with regard to HTB/NAT and IPSEC in detail?

Since my IPTables configuration does not require me to exclude
rightsubnet=<inside subnet> destined to leftsubnet=<outside subnet>
(like my Cisco requires), I always assumed OpenSwan snatches the packet
before IPTables can look at it.  Is this a correct assumption?  If
correct, I assumed QOS is not possible on tunnel bound traffic since
IPTables can not get a hold of the traffic flow.

Ken commented, "You can (at least with KLIPS) implement QoS rules on the
ipsec0 interface, which would control the order of the packets
entering/leaving."  Am I correct in assuming I can grab a packet from an
IPSEC interface before it is encrypted? Can I get an example?



-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Lionel Cottin
Sent: Thursday, November 24, 2005 4:54 AM
To: users at openswan.org
Subject: [Openswan Users] QoS

Dear All,

I'm currently running OpenSwan to connect about 30 locations worldwide 
in a hubs and spokes topology (3 hubs).
Next, I would like to make use of the same infrastructure for a global 
VoIP project.
This immediately leads to QoS considerations and I'm wondering if 
OpenSwan is "translating" QoS information from the inner header (non 
encrypted packet) to the outer header (encrypted packet). This would 
allow me to classify IPSEC traffic based on CoS/DSCP or whatever on 
access routers....

But this also leads to another (probably stupid) question: if there's 
only one IPSEC tunnel for both data and voice traffic, is it possible to
decrypt and forward "voice" packets arriving before "data" packets even 
if the "data" packet had been encrypted before the "voice" one ? Should 
decryption occur in the same order as encryption ? Should I create 2 
different tunnels to handle voice and data traffic and to implement QoS 
on IPSec traffic ?


I'd be happy to gather your comments or suggestions on this matter 
before I start building my test lab environment ;-)

Regards,
Lionel
_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
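Marc asks for an example of shaping on the ipsec0 interface, and Lionel asks whether QoS information survives encryption. The script below is an added example and is not code from either poster or from the Openswan project. It builds an HTB tree on the KLIPS ipsec0 interface, where packets are still plaintext, and uses a u32 filter on the inner header's DSCP field to put EF (voice) traffic into a high-priority class ahead of everything else. The interface name, link and voice rates, and the choice of EF=46 as the voice marking are assumptions; with DRY_RUN=1 (the default) the commands are printed rather than executed, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the thread): HTB on the KLIPS ipsec0 interface.
# Packets on ipsec0 are still cleartext, so a filter here can match the
# inner IP header before ESP encapsulation hides it.
# Assumed values: interface, rates, and DSCP EF (46) for voice.

IFACE="${IFACE:-ipsec0}"
LINK_RATE="${LINK_RATE:-2mbit}"
VOICE_RATE="${VOICE_RATE:-512kbit}"
DATA_RATE="${DATA_RATE:-1536kbit}"
DRY_RUN="${DRY_RUN:-1}"

# Convert a DSCP code point (0-63) to the TOS byte value that
# "tc ... u32 match ip tos" compares against. DSCP is the top six
# bits of the byte; the low two bits are ECN, which we mask off.
dscp_to_tos() {
    printf '0x%02x' $(( $1 << 2 ))
}

# Mask that selects only the six DSCP bits of the TOS byte.
dscp_mask() {
    printf '0xfc'
}

# Print (DRY_RUN=1) or execute a tc command.
tc_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'tc %s\n' "$*"
    else
        tc "$@"
    fi
}

# Emit the full qdisc/class/filter sequence for one interface.
# Class 1:10 (prio 0) carries voice; class 1:20 (prio 1) is the default
# for everything else. HTB serves lower prio numbers first, so voice
# packets leave ipsec0, and therefore reach the encryptor, ahead of bulk data.
build_qos() {
    iface="$1"
    voice_tos="$(dscp_to_tos 46)"   # EF -> 0xb8
    mask="$(dscp_mask)"

    tc_cmd qdisc del dev "$iface" root
    tc_cmd qdisc add dev "$iface" root handle 1: htb default 20
    tc_cmd class add dev "$iface" parent 1: classid 1:1 htb \
        rate "$LINK_RATE" ceil "$LINK_RATE"
    tc_cmd class add dev "$iface" parent 1:1 classid 1:10 htb \
        rate "$VOICE_RATE" ceil "$LINK_RATE" prio 0
    tc_cmd class add dev "$iface" parent 1:1 classid 1:20 htb \
        rate "$DATA_RATE" ceil "$LINK_RATE" prio 1
    # Match the DSCP bits of the inner header; ECN bits are ignored.
    tc_cmd filter add dev "$iface" parent 1: protocol ip prio 1 u32 \
        match ip tos "$voice_tos" "$mask" flowid 1:10
    # Keep voice latency low: short queue for the voice class.
    tc_cmd qdisc add dev "$iface" parent 1:10 handle 10: pfifo limit 10
    tc_cmd qdisc add dev "$iface" parent 1:20 handle 20: sfq perturb 10
}

build_qos "$IFACE"
```

Run with `DRY_RUN=0 IFACE=ipsec0 sh qos.sh` on a KLIPS host to apply it. The filter works on ipsec0 only because the inner header is still visible there; on the physical uplink only the ESP outer header can be inspected, so classification there depends on the DSCP value being carried into the outer header, which is exactly the translation Lionel asks about.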