_saik0
Member Candidate
Topic Author
Posts: 129
Joined: Sun Aug 26, 2007 11:18 pm

IPsec - encapsulated and actual traffic visible at same time

Sun Apr 07, 2013 3:27 am

Hi,

I'm trying to mark the actual traffic encrypted with IPsec (tunneled) so I can perform QoS.
I'm using queue-tree, forwarding chain and global-out.
Interface ether10-gateway is for WAN and includes NATting.
Interface l2tp-site1site2_cli is L2TP towards site2.
Traffic between local subnets on site1 and site2 is IPsec encrypted (tunnel mode) and then tunneled across L2TP.

The problem is that apparently interface l2tp-site1site2_cli sees both the unencrypted traffic (actual traffic between the site local subnets) and the encrypted traffic (between the IPsec peers).
When I mark e.g. upload traffic on that interface, PCQ sees two connections and behaves wrongly (halves the speed to share it among those "two" types of traffic).
I tried adding an accept rule in the forward chain to ignore IPsec traffic on that interface. I also tried to specify src/dst addresses in the related mangle rules, but that didn't help.
When I disable the IPsec policy, the PCQ immediately works properly.

RB2011UAS-2HnD @ 5.24

Please advise.

Thanks!

172.16.0.0 are the L2TP peers
10.0.0.0 are the site local subnets
As you can see, both the original SSH session and the IPsec encapsulation are seen on the l2tp-site1site2_cli interface.

Config:
/ip firewall mangle
(...)
add action=mark-connection chain=forward comment="ALL TRAFFIC (shaping)" \
    new-connection-mark=all-conn
add action=mark-packet chain=forward connection-mark=all-conn in-interface=\
    ether10-gateway new-packet-mark=all-ds passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn new-packet-mark=\
    all-us out-interface=ether10-gateway passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn in-interface=\
    l2tp-site1site2_cli new-packet-mark=all-ds passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn new-packet-mark=\
    all-us out-interface=l2tp-site1site2_cli passthrough=no
/queue tree
(...)
add max-limit=1100k name=Upload parent=global-out priority=1
add name=ALL-us packet-mark=all-us parent=Upload queue=DSL_upload
/queue type
add kind=pcq name=DSL_download pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-limit=100 pcq-src-address6-mask=64
add kind=pcq name=DSL_upload pcq-classifier=src-address pcq-dst-address6-mask=64 \
    pcq-limit=100 pcq-src-address6-mask=64
 
_saik0
Member Candidate
Topic Author
Posts: 129
Joined: Sun Aug 26, 2007 11:18 pm

Re: IPsec - encapsulated and actual traffic visible at same

Sun Apr 07, 2013 7:48 pm

Maybe the best way to describe my problem is this:


As you can see in the mangle rules, 'all-us' is upload traffic marked in the forward chain. It should also catch traffic from the l2tp interface.
The red/blue marked line in mangle is the only place where the 'all-us' marking from the l2tp interface occurs.
Observe the traffic counters/rate.

The mangle all-us rule for l2tp sees only ~500kbps, while the global-out queue with the same mark sees 2x that rate?!

With IPsec policy disabled the counters suddenly match.
 
_saik0
Member Candidate
Topic Author
Posts: 129
Joined: Sun Aug 26, 2007 11:18 pm

Re: IPsec - encapsulated and actual traffic visible at same

Sun Apr 07, 2013 8:53 pm

Ok so I may have found the reason and a workaround...

The forwarding chain isn't supposed to see the IPsec traffic, as encryption happens after the postrouting chain.
Since I marked the traffic in the forwarding chain before it was encrypted, that mark must have been copied to the IPsec packet itself, and global-out was somehow seeing both the IPsec and the original traffic.
I decided to rewrite/remove that mark in the postrouting chain as a workaround.

Immediately after applying the workaround, the traffic counters/rate were matching on the mangle rule and the queue tree rule from the previous screenshot.

Somebody correct me if I did this wrong!
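A concrete form of the workaround described in this post and of the double-counting problem from the first post, added here as an example and not the poster's own configuration: a postrouting mangle rule that overwrites the 'all-us' mark on the ESP packets leaving the L2TP interface, so only the cleartext copy of each flow keeps the mark that the Upload queue matches. The interface, mark and queue names come from the config in the first post; singling the encapsulated copy out with protocol=ipsec-esp and the packet-mark matcher is an assumption (the post does not show the exact rule it used), as is the new mark name ipsec-encap.

```routeros
# Added example (not the poster's config). Assumption: the second copy of each
# flow seen on l2tp-site1site2_cli is the ESP packet between the IPsec peers.
/ip firewall mangle
# The existing forward-chain rule still marks the cleartext 'all-us'. After
# IPsec encapsulation the ESP packet carries that inherited mark through
# postrouting, where this rule replaces it with a mark no queue-tree entry
# matches, so the Upload/ALL-us queue sees each flow once.
add action=mark-packet chain=postrouting comment="IPsec ESP: strip QoS mark" \
    out-interface=l2tp-site1site2_cli protocol=ipsec-esp packet-mark=all-us \
    new-packet-mark=ipsec-encap passthrough=no

# Check: the byte counters of the forward-chain all-us rules and of the ALL-us
# queue should now grow at the same rate, as the post describes.
/ip firewall mangle print stats where new-packet-mark=all-us
/queue tree print stats where name=ALL-us
```

The rule deliberately matches only packets that already carry 'all-us', so ESP traffic that never passed the forward-chain rules is left untouched; with passthrough=no the ESP copy exits mangle with the ipsec-encap mark and is simply not shaped by the tree above, which is the poster's approach of removing the mark rather than queueing the encapsulated copy separately.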
