Thread: Ipsec and altq
Old 21st June 2013
igy01

I have configuration as follows:

NET_A 192.168.20.0/24--|BSD_A 10.20.10.60|=======|10.20.10.20 BSD_B|--NET_B 192.168.10.0/24

IPsec on BSD_A as (and similar on BSD_B):

ike esp from $NET_A to $NET_B local 10.20.10.60 peer 10.20.10.20 \
main auth hmac-sha2-512 enc aes-256 group modp1024 \
quick auth hmac-sha2-512 enc aes-256 group modp1024

Routing, X.509, IPsec and PF are working fine.

I want to prioritize IPsec, i.e. ESP traffic, so on BSD_A:

.... something usual .....

ext_if=em0 # interface IP=10.20.10.60

altq on $ext_if cbq bandwidth 2Mb queue { data_all, data_ipsec }
queue data_all bandwidth 50% priority 0 cbq(default ecn)
queue data_ipsec bandwidth 50% cbq(red)

..........

block log on $ext_if

# pass ESP, ISAKMP
pass out on $ext_if inet proto udp from any to any port=isakmp
pass in on $ext_if inet proto udp from any to any port=isakmp

pass out on $ext_if inet proto esp from any to any queue data_ipsec
pass in on $ext_if inet proto esp from any to any

pass other proto....

So, as far as I can see, prioritization is working here and there.

Prioritization is not working if on BSD_A I have:
pfctl -ss -vv
all esp 10.20.10.60 <- 10.20.10.20 MULTIPLE:MULTIPLE

i.e. pf "sees" ESP as a connection from BSD_B to BSD_A.
All ESP packets from A to B (which must go into the queue) are just passed
as part of "keep state" on the inbound connection;
these packets are not evaluated by the pass rule and are not part of the data_ipsec queue.

Prioritization is working if:
pfctl -ss -vv
all esp 10.20.10.60 -> 10.20.10.20 MULTIPLE:MULTIPLE

That behaviour is random: sometimes BSD recognizes IPsec as A->B,
then again, after a restart, it may be B->A. I can't force it.

At the moment, I have solved the problem (on BSD_A) as follows (using NO STATE):

pass in on $ext_if inet proto esp from any to any no state
pass out on $ext_if inet proto esp from any to any queue data_ipsec

So, state is not created on the inbound ESP packet, but always on the outgoing ESP packet.

Is it OK? Is there a smarter solution? Any suggestions?

Igy
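An added check, not part of the original post: a small script that reads `pfctl -ss -vv` output and lists the ESP peers whose state was created by an inbound packet (the `<-` case the post describes), since outbound ESP to those peers is matched by the state and never reaches the `pass out ... queue data_ipsec` rule. The sample output is constructed here from the state line shown in the post; the indented detail lines are an assumed approximation of the real format.

```python
import re
from typing import Dict, List

# First line of each state in `pfctl -ss -vv` output, e.g.
#   all esp 10.20.10.60 <- 10.20.10.20       MULTIPLE:MULTIPLE
# With "<-" the left address is the local (destination) side, with "->"
# the left address is the local (source) side.
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<left>\S+)\s+"
    r"(?P<arrow><-|->|<->)\s+(?P<right>\S+)\s+(?P<status>\S+)\s*$"
)

# Constructed sample: one ESP state created inbound, one created outbound,
# plus the ISAKMP state. Detail lines are an assumed approximation.
SAMPLE = """\
all esp 10.20.10.60 <- 10.20.10.20       MULTIPLE:MULTIPLE
   age 00:05:12, expires in 00:00:48, 120:118 pkts, 15600:15340 bytes, rule 12
all udp 10.20.10.60:500 -> 10.20.10.20:500       MULTIPLE:MULTIPLE
   age 00:05:13, expires in 00:00:47, 6:6 pkts, 1200:1200 bytes, rule 10
all esp 10.20.10.60 -> 10.20.10.30       MULTIPLE:MULTIPLE
   age 00:01:02, expires in 00:00:58, 40:38 pkts, 5200:4940 bytes, rule 12
"""


def parse_states(output: str) -> List[Dict[str, str]]:
    """Return one dict per state line; indented detail lines are skipped."""
    states = []
    for line in output.splitlines():
        if line.startswith(" "):  # age/expires/id detail lines
            continue
        m = STATE_RE.match(line)
        if m:
            states.append(m.groupdict())
    return states


def esp_bypass_peers(output: str, local_ip: str) -> List[str]:
    """Peers whose ESP state was created inbound ("<-" with us on the left).

    Outbound ESP to such a peer matches the existing state, so the
    `pass out ... queue data_ipsec` rule is never evaluated for it."""
    peers = []
    for st in parse_states(output):
        if st["proto"] == "esp" and st["arrow"] == "<-" and st["left"] == local_ip:
            peers.append(st["right"])
    return peers


if __name__ == "__main__":
    # Replace SAMPLE with the real output, e.g. sys.stdin.read() piped from pfctl.
    print("ESP peers bypassing the queue:", esp_bypass_peers(SAMPLE, "10.20.10.60"))
```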