[strongSwan] Traffic shaping for multiple ipsec clients with Linux tc

Noel Kuntze noel at familie-kuntze.de
Thu Aug 6 05:59:30 CEST 2015

Hello Vitaly,

Okay, I missed the second point regarding the guaranteed bandwidth.
I looked around at lartc.org a bit and found the IMQ article[1]
and the general article about filters[2] relevant to your work.
It is not quite obvious to me how you can achieve your goal the "easy"
way. I think this is as far as I can help you; I haven't touched tc
or traffic shaping in general yet, so this is all unfamiliar ground for me.
Looking at the docs on lartc about traffic shaping is probably the first thing
I would do, followed by sending detailed questions to the lartc mailing list.

[1] http://lartc.org/howto/lartc.imq.html
[2] http://lartc.org/howto/lartc.qdisc.filters.html

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 06.08.2015 um 05:49 schrieb Vitaly Repin:
> Hello,
> 2015-08-06 6:40 GMT+03:00 Noel Kuntze <noel at familie-kuntze.de>:
>> Why do you want to assign a unique mark to each IP?
>> You can simply create a filter for each type of traffic and then
>> apply QoS to that. There's no obvious need to track
>> each IP's connections separately. TCP ACKs should be prioritized anyway,
>> together with ICMP, independent of the connection.
>> TCP packets always have the destination and source ports in the headers,
>> so you can tell them apart, too, if needed.
> Maybe I misunderstand something important.  Let me try to clarify my
> needs again.
> I have N clients connected to VPN server. Every client is assigned a
> different (dynamic) IP. They can connect and disconnect at any time.
> I want to guarantee every client a certain bandwidth.  (Not shared by
> all the clients but for EVERY client, individually).
> E.g., I want to give bandwidth 64 kbps to client 1. Bandwidth 256 kbps
> to client 2. Etc.
> Inside these bandwidths, I want to prioritize traffic: e.g., ping and
> ssh go first, everything else second.
> If I understand right how Linux traffic shaping works, in order to
> achieve these results I need to create 2*N classes and create filters
> which direct traffic to specific classes. Or do I miss something?
>> connmark is used if there are IPsec peers behind the same IP and they need to be distinguished.
> Yes. It was my understanding also. Not my case.
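The setup Vitaly describes (one guaranteed class per client, ordering of ping/ssh ahead of bulk inside it, filters by client IP) as an added example; this is not code from the thread or from the strongSwan project. It generates the tc commands for an HTB hierarchy with a two-band prio qdisc under each client class. The interface name, link rate and client table are constructed placeholders, and the interface is assumed to be one where the decrypted packets are visible (an IMQ device as in the linked lartc article, or an xfrm/VTI interface), not the one carrying ESP. By default the script only prints the commands; set TC=tc to apply them as root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): per-client guaranteed
# bandwidth with ICMP and SSH prioritised inside each client's share.
# IFACE, LINK_RATE and the client table are constructed placeholders.

IFACE="${IFACE:-imq0}"
LINK_RATE="${LINK_RATE:-10mbit}"
TC="${TC:-echo tc}"     # dry run by default: print the commands instead of running them

# Root: HTB with one parent class holding the whole link; unmatched traffic goes to 1:2.
root_qdisc() {
    $TC qdisc add dev "$IFACE" root handle 1: htb default 2
    $TC class add dev "$IFACE" parent 1: classid 1:1 htb rate "$LINK_RATE"
    $TC class add dev "$IFACE" parent 1:1 classid 1:2 htb rate 8kbit ceil "$LINK_RATE"
}

# One client: $1 = index (1..N), $2 = tunnel IP, $3 = guaranteed rate.
# Creates the HTB class (the guarantee), a 2-band prio qdisc inside it (the
# ordering), and the filters that steer the client's packets into it.
client_shaping() {
    idx=$1; ip=$2; rate=$3
    minor=$(printf '%x' $((idx + 15)))   # class 1:10 for idx 1, 1:11 for idx 2, ...
    cls="1:$minor"
    # rate == ceil: the client gets exactly its guarantee and may not borrow more.
    $TC class add dev "$IFACE" parent 1:1 classid "$cls" htb rate "$rate" ceil "$rate"
    # Two bands inside the client's share; the priomap sends everything to band 2
    # unless a filter below moves it to band 1.
    $TC qdisc add dev "$IFACE" parent "$cls" handle "$minor:" prio bands 2 \
        priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
    # Steer this client's traffic (by destination IP) into its class.
    $TC filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 \
        match ip dst "$ip/32" flowid "$cls"
    # Inside the class: ICMP and SSH (either direction's port 22) into band 1.
    $TC filter add dev "$IFACE" parent "$minor:" protocol ip prio 1 u32 \
        match ip protocol 1 0xff flowid "$minor:1"
    $TC filter add dev "$IFACE" parent "$minor:" protocol ip prio 2 u32 \
        match ip protocol 6 0xff match ip dport 22 0xffff flowid "$minor:1"
    $TC filter add dev "$IFACE" parent "$minor:" protocol ip prio 3 u32 \
        match ip protocol 6 0xff match ip sport 22 0xffff flowid "$minor:1"
}

# Constructed client table: index, tunnel IP, guaranteed rate (the figures from the thread).
CLIENTS="1 10.0.0.1 64kbit
2 10.0.0.2 256kbit"

# Build the whole hierarchy from the table.
apply_all() {
    root_qdisc
    printf '%s\n' "$CLIENTS" | while read -r idx ip rate; do
        client_shaping "$idx" "$ip" "$rate"
    done
}

# Drop everything; on connect/disconnect, regenerate the table and run apply_all again.
teardown() {
    $TC qdisc del dev "$IFACE" root
}

apply_all
```

Because clients come and go with dynamic IPs, the natural way to run this is from an updown script: regenerate the client table on each connect or disconnect, tear down and rebuild. That still leaves the 2*N classes Vitaly counted (one HTB class plus one prio qdisc per client); what it avoids is per-connection tracking, since the filters key only on the client's tunnel IP and on protocol/port.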
