TRAFFIC SHAPING TO IPSEC TUNNEL
I have a site-to-site VPN. I want to apply traffic shaping to specific traffic (source IP), but in the shaping policy it is not matching the traffic through the IPSEC tunnel.
Are there some configurations that work differently for an interface like wan and not for an IPSEC tunnel?
Created on 05-16-2024 08:16 AM Edited on 05-16-2024 08:18 AM
Shaping-policy should work with IPsec tunnel traffic. Shaping-profile might not.
Share your shapers with us.
Toshi
Hello @jr14 ,
If you want to shape traffic from a remote site's internal IPs, you need to configure the shaping policy with the IPsec interface. Normally, this configuration should work.
If it is possible, can you share your shaping policy?
NSE 4-5-6-7 OT Sec - ENT FW
I did it. I am referencing the IPsec tunnel, but it never matches the traffic that I want to limit.
Hello @jr14 ,
If it is possible, can you share your shaping policy? Also, can you share sample logs for the traffic you want to apply the shaper to?
NSE 4-5-6-7 OT Sec - ENT FW
Something like this:

```
config firewall shaping-policy
    edit 1
        set uuid b90a13cc-138f-51ef-6025
        set name "TEST"
        set service "ALL"
        set srcintf "LAN"
        set dstintf "IPSEC"
        set traffic-shaper "guarantee-100kbps"
        set traffic-shaper-reverse "guarantee-100kbps"
        set srcaddr "10.10.10.10"
        set dstaddr "192.168.10.10"
    next
end
```
Hello @jr14 ,
When I examine the shaping policy, I see that it gives guaranteed bandwidth. I understood that you wanted to restrict it. If you want to restrict it, you must change this first.
Is the direction of traffic configured correctly? In this case, I see that the traffic you want to restrict starts from your local network and goes to the other side. This policy will not work if traffic starts from the opposite side.
NSE 4-5-6-7 OT Sec - ENT FW
It is just an example. I want to restrict the outgoing traffic through the IPSEC tunnel.
Thanks for your support.
If you want to restrict outgoing traffic to a certain bandwidth, you need to create a shaper to set "maximum-bandwidth". Then use it in the shaping-policy. The unit is Kbps.
Toshi
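
The shaper described in the reply above, written out as an added example (not configuration posted by anyone in this thread): a shared shaper that caps bandwidth with `maximum-bandwidth`, referenced from a shaping policy whose outgoing interface is the tunnel. The shaper name "limit-1mbps", the 1000 Kbps value, the policy id 2 and the policy name are assumptions; the interface and address names are reused from the policy posted earlier in the thread.

```fortios
# Added example; names and values below are assumptions, not from the thread.
config firewall shaper traffic-shaper
    edit "limit-1mbps"
        # Upper limit for matching traffic; the unit is Kbps
        set maximum-bandwidth 1000
    next
end

config firewall shaping-policy
    edit 2
        set name "LIMIT-TO-TUNNEL"
        set service "ALL"
        # Traffic starts on the local network and leaves through the tunnel
        set srcintf "LAN"
        set dstintf "IPSEC"
        # The capping shaper replaces the guarantee-only shaper
        set traffic-shaper "limit-1mbps"
        set srcaddr "10.10.10.10"
        set dstaddr "192.168.10.10"
    next
end
```

As noted earlier in the thread, a policy written this way only matches sessions that start on the local side; traffic initiated from the remote site needs a policy with the interfaces reversed.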
Created on 05-16-2024 08:15 AM Edited on 05-16-2024 08:15 AM
Yes, I know that.
I know how to configure traffic shaping, shaping policies and more.
The problem is that I am doing it for the IPSEC tunnel traffic, not for the wan interface, and the traffic is not matching the shaper.
So I am just asking if someone has done this before: applying shaping to the traffic passing through the IPSEC TUNNEL.
I just want to make sure that it is the same config.