Re: [LARTC] OpenSwan traffic shaping with HTB & sfq

["Taylor, Grant" <gtaylor@riverviewtech.net>]

> Hi All,
> 
> I've got an interoffice IPSEC VPN in place that I'm trying to give
> priority to terminal service (tcp 3389) traffic.
> I've created rules at each end, but have hit a bit of a dillemma.  As
> the data is encrypted I must also give highest priority to protocol 50
> otherwise the priority is lost as the packet gets encrypted.  
> When I do this however, I can't slow people dragging large files across
> the VPN and disrupting the Terminal users. 
> This is an example of some of the rules in place.  I can protect the VPN
> traffic from other internet traffic such as email etc, but not from
> themselves if you know what I mean.

I /think/ that there are some patches for OpenS/WAN that change where the traffic passing through the VPN gets encrypted such that you could QoS / TC the traffic for just RDP.  I think this patch works by having the traffic that will pass through the VPN pass through the kernel a couple of times.  One pass is for the (unencrypted) traffic to go through the kernel and out through all normal filters / qdisc / classes etc and then get encrypted and loop back through the kernel as encrypted traffic so that it can go through the kernel and out through all normal filters / qdisc / classes etc.  This is exactly what these patches are for.  I personally have not applied these patches, but have read about them in some stopper at some whee hour of the morning.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc