Hi,

I would like to set up a network with IPsec over Diffserv. I use five computers to set up the network:

A ----- B ----- C ----- D ----- E
      eth0 eth1

B and D are FreeS/WAN gateways, and the setup is subnet-to-subnet, protecting A and E respectively. This setup is working fine. iproute2 uses B and D as the edges for coloring the packets (DSCP values). D is the Linux core router. TC is working fine before I start the IPsec tunnel (i.e. it can mark the packets at the outgoing interface of B). Once I start FreeS/WAN, the packets at the outgoing interface of B cannot be marked any more. I try to use the src address of A to identify and color all the packets from A. I guess there is a conflict between FreeS/WAN and TC. Therefore, I try to color the packets at eth0 on B and leave IPsec and TC at eth1; is it possible? Does anybody have any method that can run IPsec over Diffserv?

Attached is the script at the edge:

#!/bin/bash
echo Set up Diffserv in edge router Frodo

# Path
TC=/home/tong/iproute2/tc/tc

echo Clean all the tc setup
$TC qdisc del dev eth1 root

# Network devices
INDEV=eth0
DEV=eth1
LINKCAP=2000000

# Configured bandwidth
EFRATE=250000
AF1xRATE=125000
AF2xRATE=125000
AF3xRATE=125000
AF4xRATE=125000

# Queue sizes
EFLIMIT=7500
AF1ThMin=2KB
AF1ThMax=6KB
AF1LIMIT=10KB
AF2ThMin=2KB
AF2ThMax=6KB
AF2LIMIT=10KB
AF3ThMin=2KB
AF3ThMax=6KB
AF3LIMIT=10KB
AF4ThMin=2KB
AF4ThMax=6KB
AF4LIMIT=10KB
BELIMIT=20KB

# AF PHB GRED loss priorities
AF11PROB=0.02
AF12PROB=0.04
AF13PROB=0.08
AF21PROB=0.02
AF22PROB=0.04
AF23PROB=0.08
AF31PROB=0.02
AF32PROB=0.04
AF33PROB=0.08
AF41PROB=0.02
AF42PROB=0.04
AF43PROB=0.08

# Allowed average sized packet burst for AF
AF1BURST=4
AF2BURST=4
AF3BURST=4
AF4BURST=4

# RED parameters for BE traffic
BEThMin=4KB
BEThMax=15KB
BEPROB=0.04
BEBURST=6

AVPKT=1000
MTU=1500
L2HLEN=8
MPU=48

# Policing
EFPR=245000
EFPB=6KB
AF11PR=125000
AF12PR=150000
AF13PR=200000
AF1PB=8KB
AF21PR=125000
AF22PR=150000
AF23PR=200000
AF2PB=8KB
AF31PR=125000
AF32PR=150000
AF33PR=200000
AF3PB=8KB
AF41PR=125000
AF42PR=150000
AF43PR=200000
AF4PB=8KB

case "$1" in
start)
    MTU2=$(($MTU + $L2HLEN))
    AFRATE=$(($AF1xRATE + $AF2xRATE + $AF3xRATE + $AF4xRATE))
    BERATE=$(($LINKCAP - $EFRATE - $AFRATE))
    if [ $BERATE -lt 0 ]; then
        echo Too much bandwidth reserved for EF/AF
        exit 1
    fi

    # qdiscs and classes
    $TC qdisc add dev $DEV handle 1:0 root dsmark indices 128 default_index 1
    $TC qdisc add dev $DEV parent 1:0 handle 2:0 cbq bandwidth $LINKCAP avpkt $AVPKT

    # EF
    $TC class add dev $DEV parent 2:0 classid 2:5 cbq bandwidth $LINKCAP \
        rate $EFRATE avpkt $AVPKT allot $MTU2 mpu $MPU prio 1
    #ip link set dev $DEV mtu $MTU
    $TC qdisc add dev $DEV parent 2:5 handle 25:0 tbf limit $EFLIMIT \
        rate $EFRATE burst $MTU2 mtu $MTU2 mpu $MPU

    # AF1
    $TC class add dev $DEV parent 2:0 classid 2:1 cbq bandwidth $LINKCAP \
        rate $AF1xRATE avpkt $AVPKT allot $MTU2 mpu $MPU prio 2
    $TC qdisc add dev $DEV parent 2:1 handle 21:0 gred setup DPs 3 default 2 grio
    $TC qdisc change dev $DEV parent 2:1 handle 21:0 gred limit $AF1LIMIT \
        min $AF1ThMin max $AF1ThMax avpkt $AVPKT burst $AF1BURST \
        bandwidth $LINKCAP DP 1 probability $AF11PROB prio 2
    $TC qdisc change dev $DEV parent 2:1 handle 21:0 gred limit $AF1LIMIT \
        min $AF1ThMin max $AF1ThMax avpkt $AVPKT burst $AF1BURST \
        bandwidth $LINKCAP DP 2 probability $AF12PROB prio 3
    $TC qdisc change dev $DEV parent 2:1 handle 21:0 gred limit $AF1LIMIT \
        min $AF1ThMin max $AF1ThMax avpkt $AVPKT burst $AF1BURST \
        bandwidth $LINKCAP DP 3 probability $AF13PROB prio 4

    # AF2
    $TC class add dev $DEV parent 2:0 classid 2:2 cbq bandwidth $LINKCAP \
        rate $AF2xRATE avpkt $AVPKT allot $MTU2 mpu $MPU prio 2
    $TC qdisc add dev $DEV parent 2:2 handle 22:0 gred setup DPs 3 default 2 grio
    $TC qdisc change dev $DEV parent 2:2 handle 22:0 gred limit $AF2LIMIT \
        min $AF2ThMin max $AF2ThMax avpkt $AVPKT burst $AF2BURST \
        bandwidth $LINKCAP DP 1 probability $AF21PROB prio 2
    $TC qdisc change dev $DEV parent 2:2 handle 22:0 gred limit $AF2LIMIT \
        min $AF2ThMin max $AF2ThMax avpkt $AVPKT burst $AF2BURST \
        bandwidth $LINKCAP DP 2 probability $AF22PROB prio 3
    $TC qdisc change dev $DEV parent 2:2 handle 22:0 gred limit $AF2LIMIT \
        min $AF2ThMin max $AF2ThMax avpkt $AVPKT burst $AF2BURST \
        bandwidth $LINKCAP DP 3 probability $AF23PROB prio 4

    # AF3
    $TC class add dev $DEV parent 2:0 classid 2:3 cbq bandwidth $LINKCAP \
        rate $AF3xRATE avpkt $AVPKT allot $MTU2 mpu $MPU prio 2
    $TC qdisc add dev $DEV parent 2:3 handle 23:0 gred setup DPs 3 default 2 grio
    $TC qdisc change dev $DEV parent 2:3 handle 23:0 gred limit $AF3LIMIT \
        min $AF3ThMin max $AF3ThMax avpkt $AVPKT burst $AF3BURST \
        bandwidth $LINKCAP DP 1 probability $AF31PROB prio 2
    $TC qdisc change dev $DEV parent 2:3 handle 23:0 gred limit $AF3LIMIT \
        min $AF3ThMin max $AF3ThMax avpkt $AVPKT burst $AF3BURST \
        bandwidth $LINKCAP DP 2 probability $AF32PROB prio 3
    $TC qdisc change dev $DEV parent 2:3 handle 23:0 gred limit $AF3LIMIT \
        min $AF3ThMin max $AF3ThMax avpkt $AVPKT burst $AF3BURST \
        bandwidth $LINKCAP DP 3 probability $AF33PROB prio 4

    # AF4
    $TC class add dev $DEV parent 2:0 classid 2:4 cbq bandwidth $LINKCAP \
        rate $AF4xRATE avpkt $AVPKT allot $MTU2 mpu $MPU prio 2
    $TC qdisc add dev $DEV parent 2:4 handle 24:0 gred setup DPs 3 default 2 grio
    $TC qdisc change dev $DEV parent 2:4 handle 24:0 gred limit $AF4LIMIT \
        min $AF4ThMin max $AF4ThMax avpkt $AVPKT burst $AF4BURST \
        bandwidth $LINKCAP DP 1 probability $AF41PROB prio 2
    $TC qdisc change dev $DEV parent 2:4 handle 24:0 gred limit $AF4LIMIT \
        min $AF4ThMin max $AF4ThMax avpkt $AVPKT burst $AF4BURST \
        bandwidth $LINKCAP DP 2 probability $AF42PROB prio 3
    $TC qdisc change dev $DEV parent 2:4 handle 24:0 gred limit $AF4LIMIT \
        min $AF4ThMin max $AF4ThMax avpkt $AVPKT burst $AF4BURST \
        bandwidth $LINKCAP DP 3 probability $AF43PROB prio 4

    # BE
    $TC class add dev $DEV parent 2:0 classid 2:6 cbq bandwidth $LINKCAP \
        rate $BERATE avpkt $AVPKT allot $MTU2 mpu $MPU prio 3 split 2:0 defmap 0
    $TC qdisc add dev $DEV parent 2:6 handle 26:0 red limit $BELIMIT \
        min $BEThMin max $BEThMax avpkt $AVPKT burst $BEBURST \
        probability $BEPROB bandwidth $LINKCAP
    echo qdisc and class done!

    # "classes" for (re)marking
    # EF
    $TC class change dev $DEV parent 1:0 classid 0x50 dsmark mask 0x03 value 0xb8
    # AF1x
    $TC class change dev $DEV parent 1:0 classid 0x11 dsmark mask 0x03 value 0x28
    $TC class change dev $DEV parent 1:0 classid 0x12 dsmark mask 0x03 value 0x30
    $TC class change dev $DEV parent 1:0 classid 0x13 dsmark mask 0x03 value 0x38
    # AF2x
    $TC class change dev $DEV parent 1:0 classid 0x21 dsmark mask 0x03 value 0x48
    $TC class change dev $DEV parent 1:0 classid 0x22 dsmark mask 0x03 value 0x50
    $TC class change dev $DEV parent 1:0 classid 0x23 dsmark mask 0x03 value 0x58
    # AF3x
    $TC class change dev $DEV parent 1:0 classid 0x31 dsmark mask 0x03 value 0x68
    $TC class change dev $DEV parent 1:0 classid 0x32 dsmark mask 0x03 value 0x70
    $TC class change dev $DEV parent 1:0 classid 0x33 dsmark mask 0x03 value 0x78
    # AF4x
    $TC class change dev $DEV parent 1:0 classid 0x41 dsmark mask 0x03 value 0x88
    $TC class change dev $DEV parent 1:0 classid 0x42 dsmark mask 0x03 value 0x90
    $TC class change dev $DEV parent 1:0 classid 0x43 dsmark mask 0x03 value 0x98
    echo Finish marking

    # Select the dsmark class (and thereby the DSCP) by source address
    $TC filter add dev $DEV parent 1:0 protocol ip prio 1 u32 divisor 1
    $TC filter add dev $DEV parent 1:0 protocol ip prio 1 u32 \
        match ip src 192.168.15.2 classid 0x50

    # Filter the rest BW to classes
    $TC filter add dev $DEV parent 2:0 protocol ip pref 1 tcindex mask 0xf0 shift 4 pass_on
    # EF
    $TC filter add dev $DEV parent 2:0 protocol ip pref 1 handle 0x5 tcindex classid 2:5
    # AF
    $TC filter add dev $DEV parent 2:0 protocol ip pref 1 handle 0x1 tcindex classid 2:1
    $TC filter add dev $DEV parent 2:0 protocol ip pref 1 handle 0x2 tcindex classid 2:2
    $TC filter add dev $DEV parent 2:0 protocol ip pref 1 handle 0x3 tcindex classid 2:3
    $TC filter add dev $DEV parent 2:0 protocol ip pref 1 handle 0x4 tcindex classid 2:4
    # BE
    $TC filter add dev $DEV parent 2:0 protocol ip pref 1 handle 0x0 tcindex classid 2:6
    echo Filter for attribution to classes
    $TC qdisc show
    ;;
stop)
    $TC qdisc del dev $DEV root
    ;;
*)
    echo "Usage: $(basename "$0") {start|stop}"
    ;;
esac

Thanks in advance,
Patrick
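The following is an added example, not part of Patrick's post or of the FreeS/WAN or iproute2 projects. It models, in plain Python, the marking pipeline that the script builds on eth1 (u32 filter selects a dsmark class index, the index lands in skb->tc_index, the tcindex filter on the cbq maps it to a class, and dsmark rewrites the TOS byte on dequeue), using the script's own indices, masks and DSCP values. It then runs the same pipeline over a tunnel-mode ESP packet, whose outer header carries the two gateway addresses rather than A's address, which is why a "match ip src 192.168.15.2" rule has nothing to hit once the tunnel is up and everything falls through default_index 1 into the BE class. The gateway addresses, the destination subnet and the copy_tos switch are constructed for the model; whether an IPsec implementation copies the inner TOS byte to the outer header is left as a parameter, not stated as FreeS/WAN behaviour.

```python
# Model of the dsmark -> tcindex marking pipeline from the posted edge script.
# Pure Python: no tc, no kernel. Constants below are copied from the script;
# addresses and the tunnel behaviour flag are constructed for the model.
from dataclasses import dataclass
from typing import Optional

ESP = 50  # IP protocol number of ESP

# dsmark "class change" lines: index -> (mask, value).
# mask 0x03 keeps the two ECN bits; value is the DSCP shifted left by 2.
DSMARK_TABLE = {
    0x50: (0x03, 0xb8),                                          # EF
    0x11: (0x03, 0x28), 0x12: (0x03, 0x30), 0x13: (0x03, 0x38),  # AF1x
    0x21: (0x03, 0x48), 0x22: (0x03, 0x50), 0x23: (0x03, 0x58),  # AF2x
    0x31: (0x03, 0x68), 0x32: (0x03, 0x70), 0x33: (0x03, 0x78),  # AF3x
    0x41: (0x03, 0x88), 0x42: (0x03, 0x90), 0x43: (0x03, 0x98),  # AF4x
}
# "default_index 1": used when no filter matches. No class is defined for
# index 1, so dsmark's defaults (mask 0xff, value 0) leave the TOS byte alone.
DSMARK_DEFAULT_INDEX = 1

# The one u32 rule on qdisc 1:0: (source address, dsmark class index)
U32_RULES = [("192.168.15.2", 0x50)]

# tcindex filter on qdisc 2:0: handle = (tc_index & 0xf0) >> 4 -> cbq class
TCINDEX_MASK, TCINDEX_SHIFT = 0xf0, 4
TCINDEX_TO_CLASS = {0x5: "2:5 (EF)", 0x1: "2:1 (AF1)", 0x2: "2:2 (AF2)",
                    0x3: "2:3 (AF3)", 0x4: "2:4 (AF4)", 0x0: "2:6 (BE)"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    tos: int = 0
    inner: Optional["Packet"] = None   # set on a tunnel-mode ESP packet


def u32_classify(pkt: Packet) -> int:
    """u32 sees only the header in front of it. For a tunnelled packet that is
    the outer header, whose source is the gateway, not host A. A miss yields
    the qdisc's default_index."""
    for src, index in U32_RULES:
        if pkt.src == src:
            return index
    return DSMARK_DEFAULT_INDEX


def dsmark_remark(tos: int, index: int) -> int:
    """dsmark rewrites the TOS byte on dequeue as (tos & mask) | value."""
    if index not in DSMARK_TABLE:
        return tos
    mask, value = DSMARK_TABLE[index]
    return (tos & mask) | value


def tcindex_class(tc_index: int) -> str:
    """tcindex maps the masked/shifted tc_index to a cbq class; anything
    unmapped goes to BE via the cbq 'split 2:0 defmap 0' class."""
    handle = (tc_index & TCINDEX_MASK) >> TCINDEX_SHIFT
    return TCINDEX_TO_CLASS.get(handle, "2:6 (BE)")


def edge_pipeline(pkt: Packet) -> dict:
    """Run one packet through the eth1 qdisc tree as the script builds it."""
    index = u32_classify(pkt)                      # filter on 1:0 sets tc_index
    return {"tc_index": index,
            "class": tcindex_class(index),         # cbq class chosen on 2:0
            "tos_out": dsmark_remark(pkt.tos, index)}  # TOS byte on the wire


def esp_tunnel(inner: Packet, gw_src: str, gw_dst: str, copy_tos: bool) -> Packet:
    """Tunnel-mode ESP encapsulation as a model: the outer header carries the
    two gateway addresses (RFC 4301 tunnel mode). Whether the outer TOS byte
    inherits the inner one is implementation-specific, hence a parameter."""
    return Packet(src=gw_src, dst=gw_dst, proto=ESP,
                  tos=inner.tos if copy_tos else 0, inner=inner)


# Constructed sample traffic A -> E; gateway addresses are made up for the model.
GW_B, GW_D = "10.0.1.1", "10.0.2.1"
PLAIN = Packet(src="192.168.15.2", dst="192.168.16.2", proto=6)


def before_ipsec() -> dict:
    """What eth1 sees with the tunnel down: A's own header."""
    return edge_pipeline(PLAIN)


def after_ipsec(copy_tos: bool = False) -> dict:
    """What eth1 sees with the tunnel up: the ESP outer header from B to D."""
    return edge_pipeline(esp_tunnel(PLAIN, GW_B, GW_D, copy_tos))


if __name__ == "__main__":
    print("before IPsec:", before_ipsec())   # EF, TOS 0xb8
    print("after IPsec :", after_ipsec())    # BE, TOS untouched
```

The second run shows the failure mode in the post: the source-address classifier misses, tc_index stays at the default 1, and both the class selection and the DSCP rewrite fall through. Moving the classification to a point where the inner header is still visible (before encapsulation) only helps the core router if the DSCP set on the inner packet survives onto the outer header, which is the copy_tos question the model leaves open.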