Tom Eastep wrote:
> John McMonagle wrote:
>
>> Have Shorewall 4.2 rc3 running with ifb and looks good so far.
>>
>> voip is running much better.
>>
>> Want to make sure I really have it right so have a few questions.
>>
>> Running ipsec. Will the ifb device packets still be ipsec?
>> Using native 2.6 kernel ipsec if it matters.
>> I suspect they will be in ipsec so I'll have to set tos.
>>
>
> Yes -- packets will still be encapsulated.
>

Did a couple of tests.
Looks like both the ipsec and the decoded packets are on the ifb device.

tcpdump -i ifb0 -n -v
10:08:44.540738 IP (tos 0x0, ttl 50, id 61685, offset 0, flags [none], proto ESP (50), length 120)
    24.166.158.227 > 69.128.2.138: ESP(spi=0x4add7161,seq=0x7f7), length 100
10:08:44.540940 IP (tos 0x10, ttl 63, id 52086, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.101.5.55983 > 192.168.1.254.22: ., cksum 0xd61e (correct), ack 15393 win 501 <nop,nop,timestamp 2957075 132418302>

The traffic from 192.168.101.5 is coming in via ipsec.

Further, with traffic shaping enabled, speed via ipsec is about half the speed of direct.
With traffic shaping off, speeds are about the same.
Rather nasty as most traffic goes through ipsec.

Any ideas?
The only thing I can think of is to switch to klips.
Probably time to inquire on lartc.

John

--
John McMonagle
IT Manager
Advocap Inc.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users