Hi All,

I've got an interoffice IPSEC VPN in place that I'm trying to give priority to terminal service (tcp 3389) traffic. I've created rules at each end, but have hit a bit of a dilemma. As the data is encrypted I must also give highest priority to protocol 50, otherwise the priority is lost as the packet gets encrypted. When I do this however, I can't slow people dragging large files across the VPN and disrupting the Terminal users.

This is an example of some of the rules in place. I can protect the VPN traffic from other internet traffic such as email etc, but not from themselves if you know what I mean.

tc qdisc del dev $NET_IF root
tc qdisc add dev $NET_IF root handle 1: htb default 30

tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
# class 1:10 has to exist before a qdisc can be attached under it
tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst 15Kb prio 0
tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil 512Kbit burst 15Kb prio 2

tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10

# "match ip ..." selectors belong to the u32 classifier, so tc needs the u32 keyword
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip sport 3389 0xffff flowid 1:10
tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 u32 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
Etc etc...

Has anyone come across this before and found a solution?

Any suggestions appreciated.

Cheers,

Lewis
On Wed 4 May 2005 9:34, Lewis Shobbrook wrote:
> Hi All,
>
> I've got an interoffice IPSEC VPN in place that I'm trying to give
> priority to terminal service (tcp 3389) traffic.
> I've created rules at each end, but have hit a bit of a dilemma. As
> the data is encrypted I must also give highest priority to protocol 50
> otherwise the priority is lost as the packet gets encrypted.
> When I do this however, I can't slow people dragging large files across
> the VPN and disrupting the Terminal users.
> This is an example of some of the rules in place. I can protect the VPN
> traffic from other internet traffic such as email etc, but not from
> themselves if you know what I mean.
>
> tc qdisc del dev $NET_IF root
> tc qdisc add dev $NET_IF root handle 1: htb default 30
>
> tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
> tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
> tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil 512Kbit burst 15Kb prio 2
>
> tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
> tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
> tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10
>
> tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst 15Kb prio 0
> tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip sport 3389 0xffff flowid 1:10
> tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
> Etc etc...
>
> Has anyone come across this before and found a solution?
>
> Any suggestions appreciated.
>
> Cheers,
>
> Lewis
>

I'm not familiar with OpenSwan /per se/, but if you had an intermediate interface (like ipsec0), you'll be able to apply traffic control first on the unencrypted TCP packets, and then on the IPSEC packets.

Someone correct me if I'm wrong...

Regards,

Sylvain
> Hi All,
>
> I've got an interoffice IPSEC VPN in place that I'm trying to give
> priority to terminal service (tcp 3389) traffic.
> I've created rules at each end, but have hit a bit of a dilemma. As
> the data is encrypted I must also give highest priority to protocol 50
> otherwise the priority is lost as the packet gets encrypted.
> When I do this however, I can't slow people dragging large files across
> the VPN and disrupting the Terminal users.
> This is an example of some of the rules in place. I can protect the VPN
> traffic from other internet traffic such as email etc, but not from
> themselves if you know what I mean.

I /think/ that there are some patches for OpenS/WAN that change where the traffic passing through the VPN gets encrypted such that you could QoS / TC the traffic for just RDP. I think this patch works by having the traffic that will pass through the VPN pass through the kernel a couple of times. One pass is for the (unencrypted) traffic to go through the kernel and out through all normal filters / qdisc / classes etc and then get encrypted and loop back through the kernel as encrypted traffic so that it can go through the kernel and out through all normal filters / qdisc / classes etc. This is exactly what these patches are for. I personally have not applied these patches, but have read about them in some stopper at some wee hour of the morning.

Grant. . . .
lee huughes
2005-May-06 17:19 UTC
Re: [Openswan Users] Re: [LARTC] OpenSwan traffic shaping with HTB & sfq
On 2.6 kernels using KAME, there is no concept of extra 'ipsecX' interfaces, what are you supposed to do then? I presume you treat it as you would any other traffic? The ipsec tunnel should be transparent!?

Correct me if I'm wrong

On 5/4/05, Sylvain BERTRAND <sylvain@2001-space-odyssey.net> wrote:
> On Wed 4 May 2005 9:34, Lewis Shobbrook wrote:
> > Hi All,
> >
> > I've got an interoffice IPSEC VPN in place that I'm trying to give
> > priority to terminal service (tcp 3389) traffic.
> > I've created rules at each end, but have hit a bit of a dilemma. As
> > the data is encrypted I must also give highest priority to protocol 50
> > otherwise the priority is lost as the packet gets encrypted.
> > When I do this however, I can't slow people dragging large files across
> > the VPN and disrupting the Terminal users.
> > This is an example of some of the rules in place. I can protect the VPN
> > traffic from other internet traffic such as email etc, but not from
> > themselves if you know what I mean.
> >
> > tc qdisc del dev $NET_IF root
> > tc qdisc add dev $NET_IF root handle 1: htb default 30
> >
> > tc class add dev $NET_IF parent 1: classid 1:1 htb rate 512Kbit burst 15Kb
> > tc class add dev $NET_IF parent 1:1 classid 1:20 htb rate 128Kbit ceil 512Kbit burst 15Kb prio 1
> > tc class add dev $NET_IF parent 1:1 classid 1:30 htb rate 10Kbit ceil 512Kbit burst 15Kb prio 2
> >
> > tc qdisc add dev $NET_IF parent 1:10 handle 10: sfq perturb 10
> > tc qdisc add dev $NET_IF parent 1:20 handle 20: sfq perturb 10
> > tc qdisc add dev $NET_IF parent 1:30 handle 30: sfq perturb 10
> >
> > tc class add dev $NET_IF parent 1:1 classid 1:10 htb rate 512Kbit burst 15Kb prio 0
> > tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip sport 3389 0xffff flowid 1:10
> > tc filter add dev $NET_IF protocol ip parent 1:0 prio 1 match ip src $termserver_ip match ip sport 3389 0xffff flowid 1:10
> > Etc etc...
> >
> > Has anyone come across this before and found a solution?
> >
> > Any suggestions appreciated.
> >
> > Cheers,
> >
> > Lewis
> >
>
> I'm not familiar with OpenSwan /per se/, but if you had an intermediate
> interface (like ipsec0), you'll be able to apply traffic control first on
> the unencrypted TCP packets, and then on the IPSEC packets.
> Someone correct me if I'm wrong...
>
> Regards,
>
> Sylvain
>
> _______________________________________________
> Users mailing list
> Users@openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
Abdul-Wahid Paterson
2005-May-06 23:25 UTC
Re: [Openswan Users] Re: [LARTC] OpenSwan traffic shaping with HTB & sfq
Hi,

On 5/6/05, lee huughes <toxicnaan@gmail.com> wrote:
> On 2.6 kernels using KAME, there is no concept of extra 'ipsecX'
> interfaces, what are you supposed to do then? I presume you treat it
> as you would any other traffic? The ipsec tunnel should be
> transparent!?
>
> Correct me if I'm wrong

What I do is MARK the packets in PREROUTING and then the firewall mark stays with the packet even once it is encrypted. You can then queue it as needed either using CLASSIFY in the POSTROUTING or using tc to filter it.

Regards.

Abdul-Wahid
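The mark-then-classify approach Abdul-Wahid describes, written out as a runnable script. This is an added example, not code from the thread or from Openswan: it marks RDP in the mangle table before encryption and lets tc's fw classifier pick the mark back up on the outgoing ESP packet, with the remaining ESP (bulk copies inside the tunnel) pinned to its own HTB class so it cannot crowd out the terminal sessions. The interface name, the terminal server address (an RFC 5737 documentation address), the mark value and the class rates are placeholders you would replace.

```shell
#!/bin/sh
# Added example: fwmark RDP before IPsec encapsulation, classify the ESP packet by
# that mark. NET_IF, TERMSERVER_IP, RDP_MARK and the rates are assumed values.
NET_IF="${NET_IF:-eth0}"
TERMSERVER_IP="${TERMSERVER_IP:-192.0.2.10}"   # placeholder (RFC 5737 address)
RDP_MARK=10                                    # arbitrary fwmark for RDP flows
LINK_RATE=512kbit                              # tunnel uplink, as in the thread

# Dry-run mode prints each command instead of executing it, so the rule set can
# be reviewed on a machine without root or the tunnel.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

mark_rdp() {
    # Forwarded LAN traffic is seen in PREROUTING; traffic the gateway itself
    # originates only passes OUTPUT. Both directions of RDP get the same mark so
    # the terminal server's replies and the clients' input land in one class.
    for chain in PREROUTING OUTPUT; do
        run iptables -t mangle -A "$chain" -p tcp -s "$TERMSERVER_IP" --sport 3389 \
            -j MARK --set-mark "$RDP_MARK"
        run iptables -t mangle -A "$chain" -p tcp -d "$TERMSERVER_IP" --dport 3389 \
            -j MARK --set-mark "$RDP_MARK"
    done
}

shape_egress() {
    run tc qdisc del dev "$NET_IF" root 2>/dev/null || true
    run tc qdisc add dev "$NET_IF" root handle 1: htb default 30
    run tc class add dev "$NET_IF" parent 1: classid 1:1 htb rate "$LINK_RATE" burst 15k
    # Guaranteed rates add up to the link rate, so no class can be starved; RDP
    # may still borrow the whole link while bulk transfers are idle.
    run tc class add dev "$NET_IF" parent 1:1 classid 1:10 htb rate 256kbit ceil "$LINK_RATE" burst 15k prio 0
    run tc class add dev "$NET_IF" parent 1:1 classid 1:20 htb rate 128kbit ceil "$LINK_RATE" burst 15k prio 1
    run tc class add dev "$NET_IF" parent 1:1 classid 1:30 htb rate 128kbit ceil "$LINK_RATE" burst 15k prio 2
    for c in 10 20 30; do
        run tc qdisc add dev "$NET_IF" parent "1:$c" handle "$c:" sfq perturb 10
    done
    # 1) fwmark set before encryption -> interactive class, even though the packet
    #    leaving the interface is now ESP (protocol 50) with the TCP header hidden.
    run tc filter add dev "$NET_IF" parent 1:0 protocol ip prio 1 handle "$RDP_MARK" fw flowid 1:10
    # 2) any other ESP (file copies over the VPN) -> bulk-VPN class, which is what
    #    stops it from drowning the terminal sessions.
    run tc filter add dev "$NET_IF" parent 1:0 protocol ip prio 2 u32 match ip protocol 50 0xff flowid 1:20
    # Everything else (plain internet traffic) falls through to default class 1:30.
}

setup_shaping() {
    mark_rdp
    shape_egress
}

# "sh shape-vpn.sh" prints the commands; "sh shape-vpn.sh apply" executes them.
if [ "${1:-}" = "apply" ]; then
    setup_shaping
else
    DRY_RUN=1 setup_shaping
fi
```

The fw classifier is the piece that makes this work without an ipsecX interface: the mangle rules see the inner TCP header, the filter only needs the mark. The reply's other option, CLASSIFY in mangle POSTROUTING, would replace the two tc filter lines with a `-j CLASSIFY --set-class` rule on the marked packets.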