DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 21st June 2013
igy01 igy01 is offline
Port Guard
 
Join Date: Jan 2011
Posts: 15
Thanked 0 Times in 0 Posts
Default Ipsec and altq

I have configuration as follows:

NET_A 192.168.20.0/24--|BSD_A 10.20.10.60|=======|10.20.10.20 BSD_B|--NET_B 192.168.10.0/24

IPsec on BSD_A as (and similar on BSD_B):

ike esp from $NET_A to $NET_B local 10.20.10.60 peer 10.20.10.20 \
main auth hmac-sha2-512 enc aes-256 group modp1024 \
quick auth hmac-sha2-512 enc aes-256 group modp1024

routing, x509, IPsec and PF working fine

I want to prioritize IPsec ie ESP traffic, so on BSD_A:

.... something usualy.....

ext-if=em0 # interface IP=10.20.10.60

altq on $ext_if cbq bandwidth 2Mb queue { data_all, data_ipsec }
queue data_all bandwidth 50% priority 0 cbq(default ecn)
queue data_ipsec bandwidth 50% cbq(red)

..........

block log on $ext_if

# pass ESP, ISAKMP
pass out on $ext_if inet proto udp from any to any port=isakmp
pass in on $ext_if inet proto udp from any to any port=isakmp

pass out on $ext_if inet proto esp from any to any queue data_ipsec
pass in on $ext_if inet proto esp from any to any

pass other proto....

So, I can see, prioritization is working here and there.

priorization is not working if on BSD_A I have:
pfctl -ss -vv
all esp 10.20.10.60 <- 10.20.10.20 MULTIPLE:MULTIPLE

i.e. pf "see" ESP as connection from BSD_B to BSD_A
all ESP from A to B packets (they must go into que) are just pass
as part of "keep state" on inbound connection,
this packet are not evaluated in pass rule, and are not part of data_ipsec que

priorization is working if:
pfctl -ss -vv
all esp 10.20.10.60 -> 10.20.10.20 MULTIPLE:MULTIPLE

That behaviour is random, sometimes BSD recognize IPsec as A->B,
then again, after restar maybe it is B->A, I cant force it.

In this moment, I solved problem (on BSD_A) as (use NO STATE):

pass in on $ext_if inet proto esp from any to any no state
pass out on $ext_if inet proto esp from any to any queue data_ipsec

So, state is not created on inbound ESP packet, but allways on outgoing ESP packet

Is is OK? Some smarter solution? Any sugestion?

Igy
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
PF ALTQ on 3 NIC's magnesik FreeBSD Security 1 13th August 2011 06:18 AM
ALTQ: CBQ issues Lexus45 OpenBSD General 1 23rd May 2010 02:29 AM
ALTQ Question regarding RudiK FreeBSD Security 4 23rd July 2008 01:59 PM
[PF] Problem with ftp and ALTQ gotian FreeBSD Security 1 22nd July 2008 11:25 PM
Queuing with PF and ALTQ Weaseal FreeBSD Security 1 22nd July 2008 05:18 PM


All times are GMT. The time now is 02:02 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick