[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc

Vitaly Repin vitaly_repin at fsfe.org
Thu Aug 6 05:49:27 CEST 2015


2015-08-06 6:40 GMT+03:00 Noel Kuntze <noel at familie-kuntze.de>:

> Why do you want to assign a unique mark to each IP?
> You can simply create a filter for each type of traffic and then
> apply QoS to that. There's no obvious need to track
> each IP's connections separately. TCP ACKs should be prioritized anyway,
> together with ICMP, independent of the connection.
> TCP packets always have the destination and source ports in the headers,
> so you can tell them apart, too, if needed.

Maybe I misunderstand something important.  Let me try to clarify my
needs again.

I have N clients connected to VPN server. Every client is assigned a
different (dynamic) IP. They can connect and disconnect at any time.

I want to guarantee every client certain bandwidth.  (Not shared by
all the clients but to EVERY client, individually).

E.g., I want to give bandwidth 64 kbps to client 1. Bandwidth 256 kbps
to client 2. Etc.
Inside these bandwidths, I want to prioritize traffic: e.g., ping and
ssh go first, everything else second.

If I understand right how linux traffic shaping works, in order to
achieve these results I need to create 2*N classes and create filters
which direct traffic to specific classes. Or do I miss something?

> connmark is used if there are IPsec peers behind the same IP and they need to be distinguished.

Yes. It was my understanding also. Not my case.

WBR & WBW, Vitaly
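
The per-client layout asked about in this message, as an added example that is not part of the original post or of strongSwan: a generator that prints (does not run) the tc and iptables commands for one client, using one capped HTB parent plus two prioritized leaves per client, so three classes each. Assumptions: egress interface `eth0`, virtual IPs `10.10.0.x`, a caller-chosen integer index per client, a 1/4 to 3/4 rate split between the leaves, and that the firewall mark set on the plaintext packet is still on it when it reaches the qdisc after ESP encapsulation. Only traffic toward the client is shaped.

```shell
#!/bin/sh
# Added example: prints the commands for review; pipe to sh as root to apply.
# Assumed names: eth0 as egress interface, 10.10.0.x as client virtual IPs.

# Root HTB qdisc, once per interface. No "default" class is set, so
# traffic that matches no filter is left unshaped.
shape_init() {
    echo "tc qdisc add dev $1 root handle 1: htb"
}

# shape_client DEV IDX VIP RATE_KBIT   (IDX: per-client integer >= 1)
shape_client() {
    dev=$1 idx=$2 vip=$3 rate=$4
    # The output is meant to run as root: accept only plain tokens.
    case "$dev" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$idx$rate" in ''|*[!0-9]*) return 1 ;; esac
    case "$vip" in ''|*[!0-9.]*) return 1 ;; esac
    [ "$idx" -ge 1 ] && [ "$rate" -ge 4 ] || return 1

    # tc class minors are hex: parent idx*4, leaves idx*4+1 and idx*4+2.
    p=$(printf '%x' $((idx * 4)))
    hi=$(printf '%x' $((idx * 4 + 1)))
    lo=$(printf '%x' $((idx * 4 + 2)))
    hi_rate=$((rate / 4)); lo_rate=$((rate - hi_rate))

    # Per-client cap: rate == ceil, nothing is borrowed from other clients.
    echo "tc class add dev $dev parent 1: classid 1:$p htb rate ${rate}kbit ceil ${rate}kbit"
    # Leaves share the cap; the lower prio number is offered spare rate first.
    echo "tc class add dev $dev parent 1:$p classid 1:$hi htb rate ${hi_rate}kbit ceil ${rate}kbit prio 0"
    echo "tc class add dev $dev parent 1:$p classid 1:$lo htb rate ${lo_rate}kbit ceil ${rate}kbit prio 1"
    # fw filters map a firewall mark (same number as the leaf) to that leaf.
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle 0x$hi fw flowid 1:$hi"
    echo "tc filter add dev $dev parent 1: protocol ip prio 1 handle 0x$lo fw flowid 1:$lo"
    # MARK does not stop rule traversal, so the last matching rule wins:
    # everything gets the low mark, then ICMP and ssh are re-marked high.
    echo "iptables -t mangle -A FORWARD -d $vip -j MARK --set-mark 0x$lo"
    echo "iptables -t mangle -A FORWARD -d $vip -p icmp -j MARK --set-mark 0x$hi"
    echo "iptables -t mangle -A FORWARD -d $vip -p tcp -m multiport --ports 22 -j MARK --set-mark 0x$hi"
}

# The two clients from the message: 64 kbit/s and 256 kbit/s.
shape_init eth0
shape_client eth0 1 10.10.0.1 64
shape_client eth0 2 10.10.0.2 256
```

Removing a client on disconnect needs the same commands in reverse order with `del` and `-D`, which this example does not generate.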
