Hi all,

I want to make bandwidth management with CBQ (iproute2).
There is no problem to manage service like FTP, HTTP,...
We have an IPSEC VPN here, and I don't know how to recognize IPSEC
packets to manage the VPN bandwidth.
Is there a special port or something in the IP packet header that tells
"here is an IPSEC packet"?

Thanks,
------------------------------------------------
Franck BALAZOT (fbalazot@aeta.fr)
AETA.COM
361, Avenue du Général De Gaulle
92140 CLAMART
FRANCE
Tél:01.41.36.12.93
------------------------------------------------

On Mon, Jul 09, 2001 at 04:30:37PM +0200, Franck BALAZOT wrote:
> Hi all,
>
> I want to make bandwidth management with CBQ (iproute2)
> There is no problem to manage service like FTP, HTTP,...
> We have an IPSEC VPN here, and I don't know how to recognize IPSEC
> packets to manage the VPN bandwidth.
> Is there a special port or something in the IP packet header that tells
> "here is an IPSEC packet" ?
>

Yep, ipsec normally uses IP Protocol 50 or 51 depending on other factors...
These numbers aren't ports, but protocols on the same level of tcp and udp.

ipchains -A input -m 1 -p 50 (or some such...)

Mike

Franck BALAZOT wrote:
> Hi all,
>
> I want to make bandwidth management with CBQ (iproute2)
> There is no problem to manage service like FTP, HTTP,...
> We have an IPSEC VPN here, and I don't know how to recognize IPSEC
> packets to manage the VPN bandwidth.
> Is there a special port or something in the IP packet header that tells
> "here is an IPSEC packet" ?
>
> Thanks,
> ------------------------------------------------
> Franck BALAZOT (fbalazot@aeta.fr)
> AETA.COM
> 361, Avenue du Général De Gaulle
> 92140 CLAMART
> FRANCE
> Tél:01.41.36.12.93
> ------------------------------------------------
>
> _______________________________________________
> LARTC mailing list / LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/

Hi,

From what I remember, IPSec uses port 500 TCP for IKE & protocol-ids for
IPSec traffic are 50 (ESP) / 51 (AH) (stored in IP Header).
This should allow you to recognize the IPSec traffic with u32 filters.

Hope this helps!

Later,
Raffaele.

--
____________________________________________________________________________
Raffaele Brancaleoni              Email : s940195@student.ulg.ac.be
Licence en Informatique
Université de Liège - Belgique
____________________________________________________________________________
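
Added example (not part of any post in this thread): classifying raw IPv4 packets by the protocol byte at header offset 9, which is the byte a u32 selector such as `match ip protocol 50 0xff` tests. The function names and sample packets are constructed for illustration, and the example assumes IKE on UDP port 500 (RFC 2409).

```python
import struct

ESP, AH, UDP, TCP = 50, 51, 17, 6   # IANA IP protocol numbers
IKE_PORT = 500                      # assumption of this example: IKE on UDP 500 (RFC 2409)

def classify(packet: bytes) -> str:
    """Label a raw IPv4 packet 'esp', 'ah', 'ike' or 'other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4            # header length; > 20 when IP options are present
    if ihl < 20 or len(packet) < ihl:
        return "other"
    proto = packet[9]                       # protocol byte, what "match ip protocol N 0xff" tests
    if proto == ESP:
        return "esp"
    if proto == AH:
        return "ah"
    if proto == UDP:
        frag_offset = struct.unpack("!H", packet[6:8])[0] & 0x1FFF
        # Only the first fragment carries the UDP header, so ports are read only there.
        if frag_offset == 0 and len(packet) >= ihl + 4:
            sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
            if IKE_PORT in (sport, dport):
                return "ike"
    return "other"

def ipv4(proto, payload=b"", options=b"", frag=0):
    """Build a constructed IPv4 packet (documentation addresses, checksum left at 0)."""
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return header + options + payload

def udp(sport, dport):
    """Build a constructed 8-byte UDP header with no payload."""
    return struct.pack("!HHHH", sport, dport, 8, 0)

def classify_samples():
    """Classify the constructed sample packets and return {name: label}."""
    samples = {
        "esp": ipv4(ESP, b"\x00" * 16),
        "ah": ipv4(AH, b"\x00" * 16),
        "ike": ipv4(UDP, udp(500, 500)),
        "ike_with_ip_options": ipv4(UDP, udp(500, 500), options=b"\x01" * 4),
        "udp_later_fragment": ipv4(UDP, udp(500, 500), frag=185),
        "http": ipv4(TCP, struct.pack("!HH", 40000, 80) + b"\x00" * 16),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}
```

The protocol byte sits at a fixed offset, so ESP and AH can be matched without parsing further; the UDP ports need the header length and the fragment offset first, which is why the options and fragment samples are included.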