On Wed, 4 Mar 2015, Bob Miller wrote:

> I have been investigating the last few days about getting qos to work on a libreswan firewall. It has a limited upload speed, and two subnets behind it in addition to the vpn subnet, and all 3 groups are getting shut down from time to time due to activity of the others.

What do you mean with "shutdown"? Do you mean the dpd/liveness probes
are restarting tunnels? Or you just mean "flooded and locked out" ?

> I read in several places that one can mark packets in iptables and tc will recognize them after encapsulation. However, after quite a bit of experimentation, such as placing the mark at various locations in the tables/chains of iptables, matching esp/udp protocol, or the ip of the internal server or the vpn users, or matching the encrypted packets with dst port 4500, etc., I am finding that the mark either doesn't stay put, or tc matches very little of the marked traffic.

In theory that should work, but any hop can remove any qos bits, so it
all depends on the network path too.

> So since iptables isn't really working out for me, I am wondering if there are other options or methods. I note xl2tpd has an rx/tx bps, but it sets a maximum and not a minimum, so not quite what I am looking for. I also note mention of qos in klips patches in the source code for libreswan, but it seems for older kernels and I am not sure I want to convert to klips. Is there some cool tool built into libreswan that I am not finding, or a recommended method documented somewhere to use tc in conjunction with libreswan?

I'd stay away from xl2tpd/pppd. That's just adding another layer and
adding mtu issues.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
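The fwmark-plus-tc approach discussed in the thread, written out as an added example (not code from the thread, from libreswan, or from either poster): mark the inner packet in the mangle table before xfrm encapsulation, classify the outer ESP/UDP-4500 packet by that mark with HTB, and give each group a guaranteed "rate" rather than a cap. Interface name, uplink speed, guarantee and the three subnets are placeholders; `verify_rules` prints the two counters to compare when checking whether marked bytes actually reach the tc classes.

```shell
# Added example, not from the thread or from libreswan. Mark the inner packet in
# mangle, let the kernel carry skb->mark onto the ESP/UDP-4500 packet, and give
# each group an HTB class with a guaranteed "rate" and a "ceil" of the whole uplink.
WAN=${WAN:-eth0}                      # placeholder: upstream interface
UPLINK=${UPLINK:-10mbit}              # placeholder: real upload speed
GUARANTEE=${GUARANTEE:-3mbit}         # placeholder: minimum per group (3 x 3 < 10)
LAN_A=${LAN_A:-10.1.0.0/24}           # placeholder: first internal subnet
LAN_B=${LAN_B:-10.2.0.0/24}           # placeholder: second internal subnet
VPN=${VPN:-192.168.100.0/24}          # placeholder: subnet handed to vpn users

# Marking happens in FORWARD/OUTPUT, before xfrm encapsulation; the mark survives
# onto the outer packet and never leaves this host (it is not a DSCP/TOS bit, so
# no other hop can strip it). "-m mark --mark 0" makes the first match win.
mark_rules() {
    cat <<EOF
iptables -t mangle -N QOSMARK
iptables -t mangle -A FORWARD -j QOSMARK
iptables -t mangle -A OUTPUT -j QOSMARK
iptables -t mangle -A QOSMARK -d $VPN -m mark --mark 0 -j MARK --set-mark 3
iptables -t mangle -A QOSMARK -s $LAN_A -m mark --mark 0 -j MARK --set-mark 1
iptables -t mangle -A QOSMARK -s $LAN_B -m mark --mark 0 -j MARK --set-mark 2
EOF
}

# HTB: "rate" is what a class keeps under contention, "ceil" lets it borrow the
# rest; the fw filters classify by the mark set above. Unmarked traffic -> 1:40.
tc_rules() {
    cat <<EOF
tc qdisc add dev $WAN root handle 1: htb default 40
tc class add dev $WAN parent 1: classid 1:1 htb rate $UPLINK ceil $UPLINK
tc class add dev $WAN parent 1:1 classid 1:10 htb rate $GUARANTEE ceil $UPLINK
tc class add dev $WAN parent 1:1 classid 1:20 htb rate $GUARANTEE ceil $UPLINK
tc class add dev $WAN parent 1:1 classid 1:30 htb rate $GUARANTEE ceil $UPLINK
tc class add dev $WAN parent 1:1 classid 1:40 htb rate 512kbit ceil $UPLINK
tc filter add dev $WAN parent 1: protocol ip prio 1 handle 1 fw flowid 1:10
tc filter add dev $WAN parent 1: protocol ip prio 1 handle 2 fw flowid 1:20
tc filter add dev $WAN parent 1: protocol ip prio 1 handle 3 fw flowid 1:30
EOF
}

# Check: QOSMARK byte counters should rise in step with classes 1:10/1:20/1:30.
# If the tc side stays flat, the mark is set after encapsulation (wrong chain)
# or the qdisc sits on an interface the ESP packets do not leave through.
verify_rules() {
    printf '%s\n' "iptables -t mangle -L QOSMARK -v -n" "tc -s class show dev $WAN"
}

if [ "${1:-}" = apply ]; then        # run as root: sh qos.sh apply
    { mark_rules; tc_rules; } | sh -e
fi
```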