* [LARTC] Limit bandwidth for ipsec vpns
@ 2002-08-19 16:29 Emmanuel Lacour
From: Emmanuel Lacour @ 2002-08-19 16:29 UTC (permalink / raw)
To: lartc
Hi everybody,
Is there anyone having an idea on how to limit bandwidth on a linux gw
doing vpns with freeswan, i.e. for a 1Mbit line with 1 ipsec tunnel on
interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
traffic (non vpn) to 512kbit.
Thanks in advance!
Manu.
--
Easter-eggs Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
* Re: [LARTC] Limit bandwidth for ipsec vpns
From: Stef Coene @ 2002-08-19 17:01 UTC (permalink / raw)
To: lartc
On Monday 19 August 2002 18:29, Emmanuel Lacour wrote:
> Hi everybody,
>
>
> Is there anyone having an idea on how to limit bandwidth on a linux gw
> doing vpns with freeswan, I.E. for a 1Mbit line with 1 ipsec tunnel on
> interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> traffic (non vpn) to 512kbit.
>
>
> Thanks in advance!
More info about shaping can be found on www.lartc.org. And I have some extra
information on www.docum.org.
You have to add a cbq or htb qdisc to your interfaces and create 2 classes.
One for vpn traffic and one for non vpn traffic. I hope that you use fixed
ports for the vpn traffic so you can use the dst/src port as a filter key.
You can share the same 1mbit or you can limit each class to 512kbit.
Stef
--
stef.coene@docum.org
"Using Linux as bandwidth manager"
http://www.docum.org/
#lartc @ irc.oftc.net
* Re: [LARTC] Limit bandwidth for ipsec vpns
From: Michael T. Babcock @ 2002-08-19 18:28 UTC (permalink / raw)
To: lartc
On Mon, Aug 19, 2002 at 07:01:32PM +0200, Stef Coene wrote:
> > Is there anyone having an idea on how to limit bandwidth on a linux gw
> > doing vpns with freeswan, I.E. for a 1Mbit line with 1 ipsec tunnel on
> > interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> > traffic (non vpn) to 512kbit.
> More info about shaping can be found on www.lartc.org. And I have some extra
> information on www.docum.org.
>
> You have to add a cbq or htb qdisc to your interfaces and create 2 classes.
> One for vpn traffic and one for non vpn traffic. I hope that you use fixed
> ports for the vpn traffic so you can use the dst/src port as a filter key.
> You can share the same 1mbit or you can limit each class to 512kbit.
If FreeS/WAN is used, adding a pair of classes to the external interface
for 'normal' and 'VPN' traffic should suffice. VPN traffic is identifiable
as traffic over UDP port 500 and protocols 50 or 51, although you may wish
to give them their own class with high priority as they do key exchanges.
If you gave each 512kbps, then add a root class to ipsec0 of 512kbps and
work from there on it.
--
Michael T. Babcock
CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
http://www.fibrespeed.net/~mbabcock/
* Re: [LARTC] Limit bandwidth for ipsec vpns
From: Emmanuel Lacour @ 2002-08-20 15:56 UTC (permalink / raw)
To: lartc
On Mon, Aug 19, 2002 at 02:28:34PM -0400, Michael T. Babcock wrote:
> On Mon, Aug 19, 2002 at 07:01:32PM +0200, Stef Coene wrote:
> > > Is there anyone having an idea on how to limit bandwidth on a linux gw
> > > doing vpns with freeswan, I.E. for a 1Mbit line with 1 ipsec tunnel on
> > > interface ppp0, limiting vpn traffic (esp) to 512kbit and internet
> > > traffic (non vpn) to 512kbit.
> > More info about shaping can be found on www.lartc.org. And I have some extra
> > information on www.docum.org.
> >
> > You have to add a cbq or htb qdisc to your interfaces and create 2 classes.
> > One for vpn traffic and one for non vpn traffic. I hope that you use fixed
> > ports for the vpn traffic so you can use the dst/src port as a filter key.
> > You can share the same 1mbit or you can limit each class to 512kbit.
>
> If FreeS/WAN is used, adding a pair of classes to the external interface
> for 'normal' and 'VPN' traffic should suffice. VPN traffic is identifiable
> as traffic over UDP port 500 and protocols 50 or 51, although you may wish
> to give them their own class with high priority as they do key exchanges.
Thanks, I tried marking packets with netfilter, but here is one of
my problems: I can mark the esp proto but not the non-esp proto:
# This works
# Marking outgoing vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p esp -j MARK --set-mark 29
iptables -t mangle -A OUTPUT -o $IFEXT -p udp --dport 500 -j MARK --set-mark 29
# This doesn't work!!
# Marking outgoing non-vpn packets
iptables -t mangle -A OUTPUT -o $IFEXT -p ! esp -j MARK --set-mark 39
Any idea??
>
> If you gave each 512kbps, then add a root class to ipsec0 of 512kbps and
> work from there on it.
> --
> Michael T. Babcock
> CTO, FibreSpeed Ltd. (Hosting, Security, Consultation, Database, etc)
> http://www.fibrespeed.net/~mbabcock/
--
Easter-eggs Spécialiste GNU/Linux
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:elacour@easter-eggs.com - http://www.easter-eggs.com
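The HTB split that Stef and Michael describe, as an added example that is not from any poster in this thread: two 512kbit classes on the external interface, with ESP (50), AH (51) and IKE (UDP/500) steered by u32 matches into the VPN class and the non-VPN class set as the HTB default, so no negated "-p ! esp" rule is needed. It assumes the interface is ppp0 and that the script runs on a gateway with iproute2 installed; by default it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the thread). IFEXT, LINE and HALF are assumptions
# for the gateway in question; set APPLY=1 to execute (needs root).
IFEXT="${IFEXT:-ppp0}"
LINE=1000   # kbit: the whole 1Mbit line
HALF=512    # kbit: per-class share chosen in the thread

# Emit the tc commands. Unclassified traffic falls into 1:20 (internet),
# so the VPN class only needs positive matches.
tc_rules() {
cat <<EOF
tc qdisc del dev $IFEXT root 2>/dev/null || true
tc qdisc add dev $IFEXT root handle 1: htb default 20
tc class add dev $IFEXT parent 1: classid 1:1 htb rate ${LINE}kbit ceil ${LINE}kbit
# 1:10 = VPN (ESP/AH/IKE), 1:20 = everything else. ceil == rate is a hard
# 512/512 split; set ceil ${LINE}kbit on both to let an idle half be borrowed.
tc class add dev $IFEXT parent 1:1 classid 1:10 htb rate ${HALF}kbit ceil ${HALF}kbit prio 0
tc class add dev $IFEXT parent 1:1 classid 1:20 htb rate ${HALF}kbit ceil ${HALF}kbit prio 1
# IP protocol 50 = ESP, 51 = AH; IKE is UDP (17) to port 500
tc filter add dev $IFEXT parent 1: protocol ip prio 1 u32 match ip protocol 50 0xff flowid 1:10
tc filter add dev $IFEXT parent 1: protocol ip prio 1 u32 match ip protocol 51 0xff flowid 1:10
tc filter add dev $IFEXT parent 1: protocol ip prio 1 u32 match ip protocol 17 0xff match ip dport 500 0xffff flowid 1:10
# Alternative: reuse the netfilter mark 29 from the iptables rules above
# tc filter add dev $IFEXT parent 1: protocol ip prio 2 handle 29 fw flowid 1:10
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    tc_rules | sh -e
else
    tc_rules
fi
```

With APPLY unset the script is a dry run; compare the printed rules against "tc -s class show dev ppp0" after applying to confirm both classes see traffic.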