Ipsec and altq

[igy01]

I have configuration as follows:

NET_A 192.168.20.0/24--|BSD_A 10.20.10.60|=======|10.20.10.20 BSD_B|--NET_B 192.168.10.0/24

IPsec on BSD_A as (and similar on BSD_B):

ike esp from $NET_A to $NET_B local 10.20.10.60 peer 10.20.10.20 \
main auth hmac-sha2-512 enc aes-256 group modp1024 \
quick auth hmac-sha2-512 enc aes-256 group modp1024

routing, x509, IPsec and PF working fine

I want to prioritize IPsec ie ESP traffic, so on BSD_A:

.... something usualy.....

ext-if=em0 # interface IP=10.20.10.60

altq on $ext_if cbq bandwidth 2Mb queue { data_all, data_ipsec }
queue data_all bandwidth 50% priority 0 cbq(default ecn)
queue data_ipsec bandwidth 50% cbq(red)

..........

block log on $ext_if

# pass ESP, ISAKMP
pass out on $ext_if inet proto udp from any to any port=isakmp
pass in on $ext_if inet proto udp from any to any port=isakmp

pass out on $ext_if inet proto esp from any to any queue data_ipsec
pass in on $ext_if inet proto esp from any to any

pass other proto....

So, I can see, prioritization is working here and there.

priorization is not working if on BSD_A I have:
pfctl -ss -vv
all esp 10.20.10.60 <- 10.20.10.20 MULTIPLE:MULTIPLE

i.e. pf "see" ESP as connection from BSD_B to BSD_A
all ESP from A to B packets (they must go into que) are just pass
as part of "keep state" on inbound connection,
this packet are not evaluated in pass rule, and are not part of data_ipsec que

priorization is working if:
pfctl -ss -vv
all esp 10.20.10.60 -> 10.20.10.20 MULTIPLE:MULTIPLE

That behaviour is random, sometimes BSD recognize IPsec as A->B,
then again, after restar maybe it is B->A, I cant force it.

In this moment, I solved problem (on BSD_A) as (use NO STATE):

pass in on $ext_if inet proto esp from any to any no state
pass out on $ext_if inet proto esp from any to any queue data_ipsec

So, state is not created on inbound ESP packet, but allways on outgoing ESP packet

Is is OK? Some smarter solution? Any sugestion?

Igy

[jggimi]

Queuing only functions on outbound traffic. From your post, it appears to me that you are concerned that inbound traffic is not queuing. It can't. Did I misunderstand?

You also have Random Early Detection enabled for your IPSec traffic, which seems odd to me. RED is 1) designed to manage TCP congestion with multiple connections and this is ESP traffic between two gateways, and 2) it functions by dropping inbound packets when outbound queues reach thresholds you do not control.

[igy01]

I know Queuing work only on outbound traffic. I did not try to use queuing on inbound traffic.

But, if BSD_A router "see" ESP "connection" as inbound:

pfctl -ss -vv
all esp A <- B

then outgoing ESP packet (from A to B) are not in a gue, I can prove that as:
pfctl -sq -vv

but, if:
pfctl -ss -vv
all esp A -> B

then outgoing data pass in que

And, of course, I dont need RED, but everything is working with or without RED in a same way.

[jggimi]

Ah, thank you for the clarification. I will restate the problem, to ensure I understand:

An inbound packet that establishes a state will not have outbound packets assigned to the tagged queue, as state was established without a tagged queue.

Perhaps, all that is needed is:

Code:

pass out on $ext_if inet proto esp from any to any queue data_ipsec
pass in on $ext_if inet proto esp from any to any queue data_ipsec

The state will then be established with the assigned tag. Of course, on inbound traffic there won't be anything to queue.

[igy01]

Thank you jggimi,
you answer is completely right, and help me a lot

Source of my wrong configuration is misunderstanding of "keep state". I thought, if there is keep state (by default), then it is not necessery put queue on every line. All that (packets in and out) is part of the same state. Obviously, it is not....

thanks!

[jggimi]

To be clear, you are queueing ESP packets. This is stateless traffic.