Discussion:
Traffic Shaper / IPSec
John Cianfarani
2005-12-08 03:51:31 UTC
If you build the traffic shaping rules for lan->wan will it treat
traffic destined to an IPsec tunnel as a part of that? Essentially I'm
just looking to give priority to VoIP traffic anything else would be
below that. Even if it could be done on the LAN interface regardless of
destination.



Thanks

John
Scott Ullrich
2005-12-08 04:29:56 UTC
IPSEC cannot be shaped (yet).

Scott

On 12/7/05, John Cianfarani <jcianfarani-bJEeYj9oJeDQT0dZR+***@public.gmane.org> wrote:
>
>
>
> If you build the traffic shaping rules for lan->wan will it treat traffic
> destined to an IPsec tunnel as a part of that? Essentially I'm just looking
> to give priority to VoIP traffic anything else would be below that. Even if
> it could be done on the LAN interface regardless of destination.
>
>
>
> Thanks
>
> John
>
>
Dan Swartzendruber
2005-12-08 05:26:53 UTC
At 11:29 PM 12/7/2005, you wrote:
>IPSEC cannot be shaped (yet).

yes and no. ESP/AH, no, but if you're doing nat-traversal, that's
encapsulated in UDP packets, so that would work, no?

>Scott
>
>On 12/7/05, John Cianfarani <jcianfarani-bJEeYj9oJeDQT0dZR+***@public.gmane.org> wrote:
> >
> >
> >
> > If you build the traffic shaping rules for lan->wan will it treat traffic
> > destined to an IPsec tunnel as a part of that? Essentially I'm just looking
> > to give priority to VoIP traffic anything else would be below that. Even if
> > it could be done on the LAN interface regardless of destination.
John Cianfarani
2005-12-08 05:48:50 UTC
It would be a pfSense<->pfSense ESP - IPSec tunnel.

I was also wondering if you could even shape everything out of the LAN port
regardless of destination (wan,ipsec,dmz).

Thanks
John

-----Original Message-----
From: Dan Swartzendruber [mailto:dswartz-AOn2nhsKJLXQT0dZR+***@public.gmane.org]
Sent: Thursday, December 08, 2005 12:27 AM
To: support-***@public.gmane.org
Subject: Re: [pfSense Support] Traffic Shaper / IPSec

At 11:29 PM 12/7/2005, you wrote:
>IPSEC cannot be shaped (yet).

yes and no. ESP/AH, no, but if you're doing nat-traversal, that's
encapsulated in UDP packets, so that would work, no?

>Scott
>
>On 12/7/05, John Cianfarani <jcianfarani-bJEeYj9oJeDQT0dZR+***@public.gmane.org> wrote:
> >
> >
> >
> > If you build the traffic shaping rules for lan->wan will it treat traffic
> > destined to an IPsec tunnel as a part of that? Essentially I'm just looking
> > to give priority to VoIP traffic anything else would be below that. Even if
> > it could be done on the LAN interface regardless of destination.
John Cianfarani
2005-12-10 17:47:29 UTC
Trying to see if there would be some solution to this problem without
putting a second pfsense box behind to do the shaping.



I took a read of the m0n0wall list where this seemed to be discussed and
one idea seemed fairly plausible.

Create 2 IPSec tunnels 1 voice 1 data and shape those independently?



Here are my thoughts:

* My central site has multiple static wan IP's so I could build
the tunnels to different IP's.
* On the remote pfsense I could create 2 rules/queues in the
traffic shaper and shape based on the destination IP. (one tunnel having
higher priority)
* Routing traffic properly over these two tunnels could get a bit
tricky.
* The central side has a 192.168.1.0/24 block, I could pretend it
was split into 2x /25's and put 192.168.1.0/25 and 192.168.1.128/25
as the destination LANs for the remote tunnel.
* I could do something similar or some other ip trickery to make
the wan side go back to the correct tunnels.



My only concern here is if ipsec traffic as a whole could be shaped like
this?





Sorry for keeping on this topic,

John

________________________________

From: John Cianfarani
Sent: Wednesday, December 07, 2005 10:52 PM
To: support-***@public.gmane.org
Subject: [pfSense Support] Traffic Shaper / IPSec



If you build the traffic shaping rules for lan->wan will it treat
traffic destined to an IPsec tunnel as a part of that? Essentially I'm
just looking to give priority to VoIP traffic anything else would be
below that. Even if it could be done on the LAN interface regardless of
destination.



Thanks

John