I have a two folded issue here.

Issue #1:

My internet service provider at work has an mpls network with different service planes. (ex. a service plane for voice, one for data, one for priority data) They provide different SLA's and delivery times for each service plane. In order for me to use these service planes I typically call them and specify what type of data I want in the given service plane. They then use diffserv and tag packets leaving my site based on the port number.

What I want to do is tag my esp/ipsec traffic for their high priority plane. Normally they would take care of this but in talking with their engineers today they apparently cannot do this with ipsec traffic. Which means I must tag the ipsec packets as they leave my network. Does anyone have any experience doing this in pf. I assume I need to do this with altq to actually mark the packet. I've tried doing something like:


pass out on $ext_if proto esp from any to any tos 0x20


with no avail.

Issue #2:

Within that given ipsec tunnel above I'd like to specify priority to traffic using the cbq scheduler within altq. However I'm finding a true lack of documentation on how to do this anywhere. I've found a few posts here or there. Most go unanswered a few others show no real resolution. Is anyone doing this? Is it as simple as altq'ing out on the internal interface? altq'ing on the enc0 interface isn't supported which was the obvious first place to try.

Ex. if I have an ipsec tunnel that have voice and data travelling over it I want to give priority to voice.

Any help is appreciated.

I typically call them and specify what type of data I want in the given service plane. They then use diffserv and tag packets leaving my site based on the port number.

What I want to do is tag my esp/ipsec traffic for their high priority plane. Normally they would take care of this but in talking with their engineers today they apparently cannot do this with ipsec trafficThat makes sense because ipsec is not TCP so doesn't have a "port" as such. It's protocol 50 (plus ISAKMP which uses UDP port 500).

Which means I must tag the ipsec packets as they leave my network. Can they provide you any details, such as an RFC for how they expect this done? Eg: maybe they expect GRE packets labelled as per the draft RFC.

Ex. if I have an ipsec tunnel that have voice and data travelling over it I want to give priority to voice. Just a thought: can you run two parallel ipsec tunnels--one for data, one for voice--and differentiate them somehow for labelling? (Eg: one originates from a different IP address?)

[Disclaimer: I know next to zip about MPLS; but I'm an interested bystander.]

That makes sense because ipsec is not TCP so doesn't have a "port" as such. It's protocol 50 (plus ISAKMP which uses UDP port 500).


Right but is still seems to me that should be able to tag based on protocol. That seems fairly straight forward.

tcpdump -i em0

20:23:23.330422 esp host-xxx-xxx-xxx-131.masergy.com > host-xxx-xxx-xxx-82.masergy.com spi 0xDB37571E seq 20190 len 76 (DF)



Can they provide you any details, such as an RFC for how they expect this done? Eg: maybe they expect GRE packets labelled as per the draft RFC.


What I've gotten from them so far is that they accept tagged packets in dif format, like
"0x20" added to the header.


Just a thought: can you run two parallel ipsec tunnels--one for data, one for voice--and differentiate them somehow for labelling? (Eg: one originates from a different IP address?)


That's actually a pretty good idea. I may have to do something similar to that.

well I've gotten some place this evening though not exactly where I had hoped.

Consider:


#Testing altq stuff here
altq on $ext_if cbq bandwidth 3Mb queue { std_ext, www_ext, ipsec_ext, other_ext }
queue std_ext priority 1 cbq(default)
queue ipsec_ext priority 4 cbq(red borrow)
queue www_ext priority 3 cbq(borrow)
queue other_ext priority 2 cbq(borrow)

With the following rules:

pass out on $ext_if inet proto tcp all flags S/SA keep state queue other_ext
pass out on $ext_if inet proto udp all keep state queue other_ext
pass out on $ext_if inet proto icmp all keep state queue other_ext
pass out on $ext_if inet proto udp from any to any port = 500 queue ipsec_ext
pass out on $ext_if inet proto esp from any to any queue ipsec_ext


Sure enough I can QoS the ipsec tunnel. The next logical thing was to setup cbq on the int_if outgoing:


#Testing altq stuff here
altq on $int_if cbq bandwidth 3Mb queue { std_esp, other_esp }
queue std_esp bandwidth 1% priority 0 cbq(default)
queue other_esp bandwidth 99% priority 7 cbq(borrow)


With the following 2 rules:

#Experimental esp rules
pass out quick on $int_if inet proto icmp from any to any keep state queue other_esp
pass out quick on $int_if inet proto { tcp udp } from $internal_net to any keep state queue std_esp



At first I thought I was having some effect manipulating flow within the ipsec tunnel. Ping were coming back quick, a "pfctl -vvv -s queue" showed traffic hitting the queues, however as I successfully added more and more traffic my lag times increased.

It's pretty late, it was late when I did this, which begs the question, does anyone see anything wrong (a flaw in my logic) with what I've done here to test?

Just got back from a road trip. I'll be working on this fairly heavily over the next week so stay tuned to this thread for updates.