Forums

Subscribe via email Subscribe via email
Subscribe via rss
Guest
or Ask a Question
Add a reply View Replies (2) →
John_Schaller
John_Schaller
Offline

Can QOS prioritize traffic inside IPSEC VPN?

Resolved
0 votes
We use our IPSEC VPN between ClearOS 6.5 machines to transfer calls between our six physical business locations. We often experience noisy and dropped connections. Can QOS prioritize VOIP traffic as the highest priority inside the VPN? If not, can QOS give the VPN tunnels the highest priority over other traffic on our 50/10 connections?

If we cannot solve this we will try adding IP's to each location and separate routers to just handle phone traffic.

We should have plenty of bandwidth with 50/10 service. Has anyone else looked into or resolved an issue like this?

Any thoughts appreciated.
In Bandwidth and QoS
Wednesday, August 20 2014, 05:22 PM
Subscribe via email
Share this post:
Responses (2)

  • Accepted Answer

    Tim Burgess
    Tim Burgess
    Offline
    Wednesday, August 20 2014, 09:54 PM - #Permalink
    Resolved
    0 votes
    You can't directly prioritise traffic in the tunnel as it's encapsulated as ESP traffic before it hits your outgoing IMQ (virtual QOS device).

    Once the tunnel is up nearly all traffic is ESP

    You can however specify a custom QOS entry with iptables to /etc/clearos/qos.conf to place all ESP traffic into the highest priority (0). For example:-

    QOS_PRIOMARK4_CUSTOM="\
    
    ESP_Up|*|1|0|0|-p esp
    
    ESP_Down|*|1|1|0|-p esp
    
"

    Then run 'firewall-start -d' and check debug output

    If you want to get clever you could match particular source/destination subnets to suit your network topology by amending the latter part of the string :)
    The reply is currently minimized Show

  • Accepted Answer

    Nick Howitt
    Nick Howitt
    Offline
    Wednesday, August 20 2014, 06:16 PM - #Permalink
    Resolved
    0 votes
    I doubt if you can do anything inside the tunnel, but you can try prioritising UDP:500 to prioritise IPsec, but it won't prioritise ESP (protocol 50) traffic. I don't know how much goes over ESP rather than UDP. If you need to prioritise ESP, in your IPsec conns you'll probably have to set "forceencaps=yes". This will encapsulate ESP in UDP:4500 packets which you can then prioritise, but remember to open your firewall to UDP:4500 as well
    The reply is currently minimized Show
Your Reply