* [LARTC] OpenSwan traffic shaping with HTB & sfq
@ 2005-05-04  7:34 Lewis Shobbrook
  2005-05-04  7:48 ` Sylvain BERTRAND
  2005-05-04 16:45 ` Taylor, Grant
  0 siblings, 2 replies; 3+ messages in thread
From: Lewis Shobbrook @ 2005-05-04  7:34 UTC (permalink / raw)
  To: lartc

Hi All,

I've got an interoffice IPSEC VPN in place that I'm trying to give
priority to terminal service (tcp 3389) traffic.
I've created rules at each end, but have hit a bit of a dilemma.  As
the data is encrypted I must also give highest priority to protocol 50,
otherwise the priority is lost as the packet gets encrypted.
When I do this, however, I can't slow people dragging large files across
the VPN and disrupting the Terminal users.
This is an example of some of the rules in place.  I can protect the VPN
traffic from other internet traffic such as email etc., but not from
themselves, if you know what I mean.

tc qdisc del dev $NET_IF root
tc qdisc add dev $NET_IF root handle 1: htb default 30

# classes must exist before a qdisc can be attached to them
tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst 15Kb prio 0
tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil 512Kbit burst 15Kb prio 2

tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10

# the u32 classifier keyword is required before the match clauses
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip sport 3389 0xffff flowid 1:10
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
Etc etc...

Has anyone come across this before and found a solution?

Any suggestions appreciated.

Cheers,

Lewis
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc


* Re: [LARTC] OpenSwan traffic shaping with HTB & sfq
  2005-05-04  7:34 [LARTC] OpenSwan traffic shaping with HTB & sfq Lewis Shobbrook
@ 2005-05-04  7:48 ` Sylvain BERTRAND
  2005-05-04 16:45 ` Taylor, Grant
  1 sibling, 0 replies; 3+ messages in thread
From: Sylvain BERTRAND @ 2005-05-04  7:48 UTC (permalink / raw)
  To: lartc

On Wed 4 May 2005 9:34, Lewis Shobbrook wrote:
> Hi All,
>
> I've got an interoffice IPSEC VPN in place that I'm trying to give
> priority to terminal service (tcp 3389) traffic.
> I've created rules at each end, but have hit a bit of a dillemma.  As
> the data is encrypted I must also give highest priority to protocol 50
> otherwise the priority is lost as the packet gets encrypted.
> When I do this however, I can't slow people dragging large files across
> the VPN and disrupting the Terminal users.
> This is an example of some of the rules in place.  I can protect the VPN
> traffic from other internet traffic such as email etc, but not from
> themselves if you know what I mean.
>
> tc qdisc del dev $NET_IF root
> tc qdisc add dev $NET_IF root handle 1: htb default 30
>
> tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst
> 15Kb
> tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil
> 512Kbit burst 15Kb prio 1
> tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil
> 512Kbit burst 15Kb prio 2
>
> tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10
>
> tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst
> 15Kb prio 0
> tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip sport
> 3389 0xffff flowid 1:10
> tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip src
> $termserver_ip match ip sport 3389 0xffff flowid 1:10
> Etc etc...
>
> Has anyone come across this before and found a solution?
>
> Any suggestions appreciated.
>
> Cheers,
>
> Lewis
>

I'm not familiar with OpenSwan /per se/, but if you had an intermediate
interface (like ipsec0), you would be able to apply traffic control first on
the unencrypted TCP packets, and then on the IPSEC packets.
Someone correct me if I'm wrong...

Regards,

Sylvain


* Re: [LARTC] OpenSwan traffic shaping with HTB & sfq
  2005-05-04  7:34 [LARTC] OpenSwan traffic shaping with HTB & sfq Lewis Shobbrook
  2005-05-04  7:48 ` Sylvain BERTRAND
@ 2005-05-04 16:45 ` Taylor, Grant
  1 sibling, 0 replies; 3+ messages in thread
From: Taylor, Grant @ 2005-05-04 16:45 UTC (permalink / raw)
  To: lartc

> Hi All,
> 
> I've got an interoffice IPSEC VPN in place that I'm trying to give
> priority to terminal service (tcp 3389) traffic.
> I've created rules at each end, but have hit a bit of a dillemma.  As
> the data is encrypted I must also give highest priority to protocol 50
> otherwise the priority is lost as the packet gets encrypted.  
> When I do this however, I can't slow people dragging large files across
> the VPN and disrupting the Terminal users. 
> This is an example of some of the rules in place.  I can protect the VPN
> traffic from other internet traffic such as email etc, but not from
> themselves if you know what I mean.

I /think/ that there are some patches for OpenS/WAN that change where the traffic passing through the VPN gets encrypted such that you could QoS / TC the traffic for just RDP.  I think this patch works by having the traffic that will pass through the VPN pass through the kernel a couple of times.  One pass is for the (unencrypted) traffic to go through the kernel and out through all normal filters / qdisc / classes etc., and then get encrypted and loop back through the kernel as encrypted traffic so that it can go through the kernel and out through all normal filters / qdisc / classes etc.  This is exactly what these patches are for.  I personally have not applied these patches, but have read about them in some stopper at some wee hour of the morning.



Grant. . . .
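Both replies describe the same two-pass idea: shape the cleartext packets before encryption (on an intermediate device such as ipsec0, or via a loop through the kernel), then shape the ESP stream on the physical link. The script below is an added example, not code from the thread or from OpenSwan, showing what that looks like with HTB and sfq when the IPsec stack does expose a cleartext device. It assumes the device names (ipsec0, eth0), the rates, and a terminal-server address passed on the command line; it also goes slightly beyond Lewis's filters by classifying RDP in both directions (server-to-client by source port, client-to-server by destination port). The stage-1 HTB ceiling is deliberately set below the physical link rate, because a shaper only works where the queue actually builds: the cleartext device must be the bottleneck for tunnel traffic, otherwise the decision is made again on eth0 where only protocol 50 is visible.

```shell
#!/bin/sh
# Added example, not from the original thread. Two-stage shaping for RDP
# inside an IPsec tunnel that exposes a cleartext device (KLIPS-style ipsec0).
#   stage 1 (cleartext device): RDP vs bulk, HTB ceiling below the link rate
#   stage 2 (physical device):  ESP (IP protocol 50) guaranteed over the rest
# Device names, rates and the terminal-server address are assumptions.
set -eu

# Emit the tc commands for both stages on stdout, one per line, without
# running them, so the rule set can be inspected or checked without root.
# $1 cleartext device  $2 physical device  $3 link rate (kbit)
# $4 tunnel ceiling (kbit, must be below $3)  $5 terminal server address
gen_rules() {
    vpn_if=$1 wan_if=$2 link_kbit=$3 vpn_kbit=$4 termserver_ip=$5
    [ "$vpn_kbit" -lt "$link_kbit" ] || {
        echo "tunnel ceiling must be below the link rate" >&2
        return 1
    }
    rdp_kbit=$((vpn_kbit / 4))            # guaranteed share for interactive traffic
    bulk_kbit=$((vpn_kbit - rdp_kbit))    # the rest, still allowed to borrow up to ceil
    other_kbit=$((link_kbit - vpn_kbit))  # non-VPN internet traffic on the physical link
    cat <<EOF
tc qdisc del dev $vpn_if root 2>/dev/null || true
tc qdisc add dev $vpn_if root handle 1: htb default 30
tc class add dev $vpn_if parent 1: classid 1:1 htb rate ${vpn_kbit}kbit ceil ${vpn_kbit}kbit burst 15k
tc class add dev $vpn_if parent 1:1 classid 1:10 htb rate ${rdp_kbit}kbit ceil ${vpn_kbit}kbit burst 15k prio 0
tc class add dev $vpn_if parent 1:1 classid 1:30 htb rate ${bulk_kbit}kbit ceil ${vpn_kbit}kbit burst 15k prio 2
tc qdisc add dev $vpn_if parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $vpn_if parent 1:30 handle 30: sfq perturb 10
tc filter add dev $vpn_if protocol ip parent 1:0 prio 1 u32 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
tc filter add dev $vpn_if protocol ip parent 1:0 prio 1 u32 match ip dst $termserver_ip match ip dport 3389 0xffff flowid 1:10
tc qdisc del dev $wan_if root 2>/dev/null || true
tc qdisc add dev $wan_if root handle 1: htb default 30
tc class add dev $wan_if parent 1: classid 1:1 htb rate ${link_kbit}kbit burst 15k
tc class add dev $wan_if parent 1:1 classid 1:10 htb rate ${vpn_kbit}kbit ceil ${link_kbit}kbit burst 15k prio 0
tc class add dev $wan_if parent 1:1 classid 1:30 htb rate ${other_kbit}kbit ceil ${link_kbit}kbit burst 15k prio 2
tc qdisc add dev $wan_if parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $wan_if parent 1:30 handle 30: sfq perturb 10
tc filter add dev $wan_if protocol ip parent 1:0 prio 1 u32 match ip protocol 50 0xff flowid 1:10
EOF
}

# Number of commands the generator produces for a given argument set.
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Apply for real only when asked, e.g.:
#   APPLY=1 ./shape.sh ipsec0 eth0 512 448 10.0.0.5   (as root)
# Without APPLY=1 the commands are only printed.
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "$@" | sh -e
else
    [ $# -eq 5 ] && gen_rules "$@"
fi
```

The stage-1 rules are the ones that actually separate RDP from file copies; stage 2 only keeps the encrypted stream ahead of ordinary internet traffic, which is the part Lewis already had working. If the IPsec stack does not present a cleartext device (no ipsec0 to attach to), stage 1 has nowhere to run and the eth0 filter on protocol 50 alone cannot tell RDP from a bulk transfer, which is exactly the situation in the original post.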
