* HTB, IPSec, fw mark
@ 2015-03-02 20:10 Bob Miller
From: Bob Miller @ 2015-03-02 20:10 UTC
  To: lartc

Hello,

I read a few posts that it is possible to mark a packet with iptables, 
and then shape it as it leaves on an ipsec tunnel.  So far I am having 
limited success with the idea.

I am using libreswan with netkey.  I tried marking the packets in 
mangle/PREROUTING, but I had zero joy with that; I suspect that when the 
kernel does its netkey magic the mark is lost.  I tried marking at a 
number of other spots in the nfpacket flow, I only got results at 
mangle/POSTROUTING.  But it doesn't seem to grab all the packets.

I have 6 remote users on the vpn, I give each of them a mark based on 
the IP address they get, and I mark all non-vpn packets with a 7th mark. 
I set up 7 classes to match each mark.  I determine by the command 
`watch -n 1 -d tc -s class show dev eth0` that some packets do go 
through each class, but it is only a very small percentage of them 
(after watching it for a while now I suspect it is initial syn packets). 
The rest all go into the 7th non-vpn class, even though I can log the 
packets marked to go to one of the vpn users.

So I am wondering if I have missed a piece of the theory, or if what I 
am trying to accomplish just isn't possible.  Perhaps it would be better 
to set up a class based on src/dst port 500, but I would like to 
guarantee each vpn user a fair share of the limited bandwidth (which I 
think pretty much requires a separate class for each user), and I am not 
sure how that can be accomplished with dynamic remote addresses.

Comments or suggestions would be highly appreciated...
-- 
Computerisms
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
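The setup the post describes (one HTB class per VPN user, fed by an fw mark set in the mangle table), as an added example that is not code from the original message or from libreswan. Everything in it is an assumption chosen for illustration: outside interface eth0, a 10000 kbit/s uplink, six users on the constructed inner addresses 10.9.0.11-10.9.0.16 with marks 1-6, and mark 7 for all other traffic. The per-class `rate` is the uplink divided evenly over the seven classes, which is what gives every user a guaranteed share that no other user can take; `ceil` lets idle bandwidth be borrowed. The one caveat worth building in: the ESP packet that the kernel's XFRM (netkey) stack produces passes through the mangle OUTPUT/POSTROUTING hooks again after encapsulation, so the catch-all rule is restricted with `-m mark --mark 0`; an unconditional catch-all would overwrite the per-user mark on that second pass and push everything into the non-VPN class. The script prints the commands by default and only applies them when run as root with `RUN=1`.

```shell
#!/bin/sh
# Added example, not from the original post or from libreswan: build a
# per-user HTB fair-share hierarchy on the gateway's outside interface
# and the mangle-table MARK rules that feed it.
# Assumptions (hypothetical, for illustration): interface eth0, a
# 10000 kbit/s uplink, six VPN users on constructed addresses
# 10.9.0.11-10.9.0.16 (marks 1-6), mark 7 for everything else.
# Dry-run by default; apply as root with RUN=1.

IFACE=${IFACE:-eth0}
UPLINK_KBIT=${UPLINK_KBIT:-10000}
NONVPN_MARK=7

# Constructed mark:inner-address pairs, one per VPN user.
USERS="1:10.9.0.11 2:10.9.0.12 3:10.9.0.13 4:10.9.0.14 5:10.9.0.15 6:10.9.0.16"

# Print a command in dry-run mode, execute it when RUN=1.
run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Guaranteed rate per class: the uplink split evenly over n classes
# (users plus the catch-all), so no single user can starve the rest.
per_class_rate() {
    echo $(( $1 / $2 ))
}

# Number of classes: one per user plus the catch-all.
count_classes() {
    n=1
    for pair in $USERS; do n=$((n + 1)); done
    echo "$n"
}

# HTB root with one class per mark (classid 1:1N for mark N, ids are hex
# as tc parses them), an SFQ leaf under each so flows inside a class also
# share fairly, and an fw filter mapping mark N to class 1:1N.
tc_setup() {
    rate=$(per_class_rate "$UPLINK_KBIT" "$(count_classes)")
    run tc qdisc add dev "$IFACE" root handle 1: htb default "1$NONVPN_MARK"
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb \
        rate "${UPLINK_KBIT}kbit" ceil "${UPLINK_KBIT}kbit"
    for pair in $USERS; do
        mark=${pair%%:*}
        run tc class add dev "$IFACE" parent 1:1 classid "1:1$mark" htb \
            rate "${rate}kbit" ceil "${UPLINK_KBIT}kbit"
        run tc qdisc add dev "$IFACE" parent "1:1$mark" handle "1$mark:" sfq perturb 10
        run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 \
            handle "$mark" fw flowid "1:1$mark"
    done
    run tc class add dev "$IFACE" parent 1:1 classid "1:1$NONVPN_MARK" htb \
        rate "${rate}kbit" ceil "${UPLINK_KBIT}kbit"
    run tc qdisc add dev "$IFACE" parent "1:1$NONVPN_MARK" \
        handle "1$NONVPN_MARK:" sfq perturb 10
}

# Mark in mangle/POSTROUTING, where the plaintext packet still carries the
# user's inner address and is about to be encapsulated (-m policy --pol
# ipsec). The catch-all marks only still-unmarked packets: the ESP packet
# re-enters these hooks after XFRM, and an unconditional rule would
# overwrite the per-user mark on that second pass.
mangle_setup() {
    for pair in $USERS; do
        mark=${pair%%:*}; ip=${pair#*:}
        run iptables -t mangle -A POSTROUTING -d "$ip" \
            -m policy --dir out --pol ipsec -j MARK --set-mark "$mark"
    done
    run iptables -t mangle -A POSTROUTING -m mark --mark 0 \
        -j MARK --set-mark "$NONVPN_MARK"
}

build_all() {
    tc_setup
    mangle_setup
}

build_all
```

Verify the result the same way the post does, with `tc -s class show dev eth0`; once the catch-all no longer clobbers marks, the per-user classes should carry the bulk of the bytes rather than only the initial SYNs.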
