[Openswan Users] ifb ipsec and traffic shaping problem

John McMonagle johnm at advocap.org
Fri Oct 3 13:53:08 EDT 2008


Both ipsec and the decoded packets are seen on the incoming port and 
also the ifb device.
Problem is they are both being counted in traffic calculations :-(

Did download tests, and with traffic shaping enabled the rate via ipsec 
is half that of direct.
With traffic shaping disabled rates are the same.

Actually not a new problem but just became aware of it and it is really 
an ipsec and tc problem.
See same problem on existing routers with ingress.
Was suspicious for a long time but never tested it.
Working on new firewall routers.
Using 2.6 kernel ipsec. Debian Lenny and new Shorewall 4.2.

Any ideas?

I can think of 2 possibilities:

Somehow get tc to disregard the decoded packets in the speed calculation.
Possibly send to a separate class?  Do not know tc well enough and looks 
like the lartc mailing list is dead :-(  Any alternatives to the lartc 
mailing list?  I hate to think that traffic shaping and native ipsec are 
incompatible.

Or use klips.

John



