[Openswan Users] freeswan-1.99

Paul Wouters paul at xelerance.com
Tue Feb 7 21:56:30 CET 2006


On Tue, 7 Feb 2006, Jason Sigurdur wrote:

> Hi, for the past 3 years I have been using redhat 8.0 and freeswan-1.99
> for our vpn/routing infrastructure.
> Recently, we have been doing some voip over our vpn's in which all
> traffic will be marked before encryption as 'EF' TOS(0xb8).
> Anyway our ISP remarks all packets entering their network as AF11. I
> noticed that after the traffic reaches its destination that the outside
> ESP traffic is af11 but after decryption the TOS/DS field retains its
> original value.
>
> Is it not by default that ipsec transposes the TOS/DS value to the upper
> encapsulating packet ?

You will have to add hidetos=no to the config setup section of your ipsec.conf.
By default, the TOS field of tunnel packets is zeroed; with hidetos=no, it is
copied from the packet inside.

From Henry's comments:
Copying the TOS (type of service) information from the encapsulated packet to
the outer header reveals the TOS information to an eavesdropper. This does not
tell him much, but it might be of use in traffic analysis. Since we do not
have to give it to him, our default is not to.

Even with the TOS hidden, you can still:

    * apply QOS rules to the tunneled (ESP) packets; for example, by giving
      ESP packets a certain priority.
    * apply QOS rules to the packets as they enter or exit the tunnel via an
      IPsec virtual interface (eg. ipsec0).

See ipsec.conf(5) for more on the hidetos= parameter.
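For reference, here is what the setting described above looks like in ipsec.conf. This fragment is an added example, not text from the original post or from the FreeS/WAN manual; the interfaces= line is a placeholder assumption and only hidetos= is the point.

```ini
# ipsec.conf fragment (FreeS/WAN 1.99) - added example, not from the original post.
# hidetos= belongs in the "config setup" section, not in a conn section.
config setup
        # placeholder; use whatever interface spec the box already has
        interfaces=%defaultroute

        # Default behaviour (hidetos=yes): the TOS/DSCP byte of the outer ESP
        # packet is zeroed, so the marking of the inner packet is not visible
        # to anyone watching the tunnel traffic.
        #hidetos=yes

        # To copy the inner TOS/DSCP (e.g. EF, TOS byte 0xb8) onto the outer
        # ESP header so that intermediate routers can honour it, set:
        hidetos=no
```

Either way the inner packet keeps its own TOS/DS value after decryption; hidetos= only controls what is written into the outer header. Note the trade-off from Henry's comment: with hidetos=no the per-packet class is exposed to anyone on the path, and as the original poster observed, an ISP may still remark the outer packets to its own class.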

