AW: AW: [LARTC] qos inside ipsec tunnel
Martin Bene
martin.bene at icomedias.com
Sat Nov 4 07:09:23 CET 2006
Hi Mohan,
> > What should work is to mark the packets in PREROUTING in the mangle
> > table and assign them to the classes you want based on the fwmark:
> Has anyone tested this? Does the mark get carried across
> encapsulations or is the packet context a new one on
> encapsulation?
Yes, I have tested this. The fwmark is preserved/copied to the encrypted
packet. I've set up a test system using 4 virtual machines in a vmware
environment to give me two ipsec routers and a separate client for each
:-)
> I know that IPSec RFC says inner packet
> headers have to be copied to the outer header.
> Does that include the TOS byte too? Do not know what OpenSWAN
> does. If that were the case, assigning TOS prior to
> encapsulation and classifying by TOS at the device will work.
Openswan shouldn't come into the picture in this case: original poster
isn't using the openswan ipsec stack (klips), just the userspace tools,
so we're just dealing with the standard/in-kernel ipsec implementation.
I haven't tried setting/classifying by tos - I'm happy with the fwmark
method.
Bye, Martin
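
The approach discussed in this message, as an added example that is not part of the original post: mark cleartext packets in mangle/PREROUTING, then classify on the outgoing device by fwmark, relying on the mark being copied to the encrypted packet. Interface names, the ssh port match, the mark values and the rates are assumptions; the script prints the commands unless run with APPLY=1.

```shell
#!/bin/sh
# Added example. Interface names, ports, marks and rates are assumptions.
LAN_IF=${LAN_IF:-eth1}   # side where cleartext packets enter the router
WAN_IF=${WAN_IF:-eth0}   # side where the ESP packets leave
UPLINK=${UPLINK:-1000}   # uplink rate in kbit/s
MARK_HI=10               # fwmark for interactive traffic (here: ssh)
MARK_LO=20               # fwmark for everything else

# Mark cleartext packets in mangle/PREROUTING, i.e. before encapsulation,
# while ports and inner addresses are still visible to iptables.
mark_rules() {
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 22 -j MARK --set-mark $MARK_HI"
    echo "iptables -t mangle -A PREROUTING -i $LAN_IF -m mark --mark 0 -j MARK --set-mark $MARK_LO"
}

# Classify on the WAN device by fwmark only. The packets seen here are ESP,
# so port matches would no longer work; the mark carried over does.
shape_rules() {
    hi=$((UPLINK * 60 / 100))   # 60% guaranteed to the interactive class
    lo=$((UPLINK - hi))         # remainder guaranteed to the bulk class
    echo "tc qdisc add dev $WAN_IF root handle 1: htb default $MARK_LO"
    echo "tc class add dev $WAN_IF parent 1: classid 1:1 htb rate ${UPLINK}kbit"
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:$MARK_HI htb rate ${hi}kbit ceil ${UPLINK}kbit prio 0"
    echo "tc class add dev $WAN_IF parent 1:1 classid 1:$MARK_LO htb rate ${lo}kbit ceil ${UPLINK}kbit prio 1"
    echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 1 handle $MARK_HI fw flowid 1:$MARK_HI"
    echo "tc filter add dev $WAN_IF parent 1: protocol ip prio 2 handle $MARK_LO fw flowid 1:$MARK_LO"
}

# Dry run by default: print each command. With APPLY=1 (as root) execute them.
apply_rules() {
    { mark_rules; shape_rules; } | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            sh -c "$cmd" || exit 1
        else
            echo "$cmd"
        fi
    done
}

apply_rules
# After applying, per-class counters show whether the mark reached the
# encrypted packets: tc -s class show dev "$WAN_IF"
```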