Shaper ipsec: is it enough to specify rules for traffic inside tunnel?

mxx · Jul 8, 2010, 4:43 PM

Hi,

I have a WAN connection with 4 ipsec tunnels (site to site). The local LAN is also utilizing this connection for a tiny bit.
The remote locations have access to a file and sql server in the local lan.

Is it enough to shape traffic into higher priority queues originating from those tunnels, i.e. specify shaping fw rules for interface ipsec, or would I also have to shape ESP traffic as a whole?

Also would I have to shape traffic coming in from lan destined for a host reachable by an ipsec tunnel? I ask because the LAN interface's shaper is limiting the bandwidth for LAN to the sum of all available WAN connections, so in my understanding it would make some sense to do that, or am I wrong?

Thanks very much!

Max

jlepthien · Sep 29, 2010, 8:41 PM

IMHO when shaping IPSec only the complete tunnel (ESP) is done. You cannot say that you want Citrix/RDP in a tunnel to be high prio and then http/s be lower prio in that tunnel…

eri-- · Sep 30, 2010, 12:02 PM

You can shape inside tunnels.

jlepthien · Sep 30, 2010, 12:04 PM

And how? Thanks for the info…