In this scenario we will configure 3 Gibraltars that are connected via IPSEC-VPN. As we are using Citrix Terminal Services we also have to guarantee a minimum of 35 % of the bandwidth for the ICA traffic.
We also have to guarantee a minimum of 35 % of the bandwidth for Voice over IP. Because of latency, the remaining traffic ("rest") only gets a maximum of 75 % of the total bandwidth. This is a must-have if your provider does not support QoS based on TOS bits (most providers don't). Furthermore, only 95 % of the total bandwidth may be used, so that the shaper keeps control of the link rather than the provider's queue. The following initial situation is given:
• | Headquarter with 4096/2048 (down,up) internet bandwidth (192.168.0.0/24), IP telephone system: 192.168.0.100 |
• | Site 1 with 4096/1024 internet bandwidth (192.168.1.0/24), IP telephone system: 192.168.1.100 |
• | Site 2 with 1024/1024 internet bandwidth (192.168.2.0/24), IP telephone system: 192.168.2.100 |

System Requirements
A computer with two compatible network interface cards or a Gibraltar Security Gateway.
IPSEC-VPN
Configure the IPSEC connections as described in Scenario 4.
Network - Definitions
1. | Choose Network in the main menu. |
2. | Choose Definitions in the sub menu. |
3. | Choose the index card Host/Net Aliases. |
4. | Define one host/net alias for site 1 and one for site 2 (e.g. net1 - 192.168.1.0/24 and net2 - 192.168.2.0/24). |
5. | Define one host/net alias "voip" for the telephone system 192.168.0.100. |
6. | Save: Confirm your changes with clicking the button Save. |
The following steps are necessary to be able to manage the total bandwidth:
• | Definition of the bandwidth of each interface |
• | Classifying the traffic to assign it to the shaping rules |
• | Creating the shaping rules for the regulation |
Traffic shaping
1. | Choose Traffic shaping in the main menu. |
2. | Choose the tab General Settings. |
3. | Bandwidths: Define the value "2048" for the interface "ext0" for the upload and "4096" for the download. |
4. | Define the value "2048" for the interface "int0" for the download and "4096" for the upload. |
5. | Save: Confirm your changes with clicking the button Save. |
Note: When using IPSEC we have to take care of a special construction when implementing traffic shaping. If we implemented shaping on the track "ext0", Gibraltar could only analyse ESP-encrypted packets and therefore could not distinguish ICA or VoIP from the rest. Gibraltar can only "see" the decrypted packets on the internal interface "int0". As Gibraltar always uses the upload bandwidth for outgoing tracks, we have to swap the upload and download bandwidth for the internal interface "int0".
"outgoing int0" = download of the headquarter -> packets that go from the external interface to the internal interface.
"incoming int0" = upload of the headquarter -> packets that go from the internal interface to the external interface.
6. | Choose the tab Classification. |
7. | Add classification: Click this button for adding a new classification for the ICA source ports. |
8. | Name: Enter a name for the new classification (e.g. "icaSource"). |
9. | Source address, Destination address: Select the value ANY from the select boxes. |
10. | Service: Select the value "ica_source" from the select box. |
11. | TOS: Select the value "Minimize Delay". |
12. | Save: Confirm your changes with clicking the button Save. |
13. | Cancel: Click this button to get back to the overview. |
14. | Add classification: Click this button for adding a new classification for the ICA destination ports. |
15. | Name: Enter a name for the new classification (e.g. "icaDest"). |
16. | Source address, Destination address: Select the value ANY from the select boxes. |
17. | Service: Select the value "ica_destination" from the select box. |
18. | TOS: Select the value "Minimize Delay". |
19. | Save: Confirm your changes with clicking the button Save. |
20. | Cancel: Click this button to get back to the overview. |
21. | Add classification: Click this button for adding a new classification for the source packets of the telephone system. |
22. | Name: Enter a name for the new classification (e.g. "voipSource"). |
23. | Source address: Select the value "voip" from the select boxes. |
24. | Destination address: Select the value "voip" from the select boxes. |
25. | TOS: Select the value "Minimize Delay". |
26. | Save: Confirm your changes with clicking the button Save. |
27. | Cancel: Click this button to get back to the overview. |
28. | Add classification: Click this button for adding a new classification for the destination packets of the telephone system. |
29. | Name: Enter a name for the new classification (e.g. "voipDest"). |
30. | Source address: Select the value "ANY" from the select boxes. |
31. | Destination address: Select the value "voip" from the select boxes. |
32. | TOS: Select the value "Minimize Delay". |
33. | Save: Confirm your changes with clicking the button Save. |
34. | Cancel: Click this button to get back to the overview. |
35. | Add classification: Click this button for adding a new classification for ICMP. ICMP should be managed by default for error diagnosis. |
36. | Name: Enter a name for the new classification (e.g. "icmp"). |
37. | Source address, Destination address: Select the value ANY from the select boxes. |
38. | Service: Select the value "CUSTOM" from the select box. |
39. | Protocol: Select the value "ICMP". |
40. | TOS: Select the value "Minimize Delay". |
41. | Save: Confirm your changes with clicking the button Save. |
42. | Cancel: Click this button to get back to the overview. |
43. | Add classification: Click this button for adding a new classification for the remaining traffic. |
44. | Name: Enter a name for the new classification (e.g. "rest"). |
45. | Source address, Destination address: Select the value ANY from the select boxes. |
46. | Save: Confirm your changes with clicking the button Save. |
ICMP and ICA traffic will be joined into a group "ica". We also join both VoIP classifications into a group "voip", as each group has to be regulated as a whole.
1. | Choose the tab Classification Group. |
2. | Add group: Click this button to add a new classification group containing "icaSource", "icaDest" and "icmp". |
3. | Name: Enter a name for the group (e.g. "ica"). |
4. | Add member: Choose the members "icaSource", "icaDest", and "icmp". |
5. | Save: Confirm your changes with clicking the button Save. |
6. | Cancel: Click this button to get back to the overview. |
7. | Add group: Click this button to add a new classification group containing "voipSource" and "voipDest". |
8. | Name: Enter a name for the group (e.g. "voip"). |
9. | Add member: Choose "voipSource" and "voipDest". |
10. | Save: Confirm your changes with clicking the button Save. |
To finish the configuration you must set the rules for the two external offices. These rules are responsible for the regulation of the bandwidth. First we will regulate the upload of the headquarter - this is the track "incoming int0" from the point of view of the Gibraltar.
1. | Choose the tab Traffic shaping rules. |
2. | Track: Choose "incoming int0". Gibraltar now takes the predefined download bandwidth of the track "int0". This traffic represents the upload of the headquarter. |
3. | Add rule: Click this button to add a new rule. |
4. | Name: Enter a name for the new rule (e.g. "ruleNet1"). |
5. | Add member: Click this button to add classifications or classification groups. |
6. | Choose the classification group "ica" and set the values "360" for Min and "1024" for Max. |
7. | Choose the classification group "voip" and set the values "360" for Min and "1024" for Max. |
8. | Choose the classification "rest" and set the values "250" for Min and "768" for Max. |
9. | Save: Confirm your changes with clicking the button Save. |
10. | Choose the tab Advanced. |
11. | Destination address: Choose the definition "net1", because this rule should only be valid for this destination net. |
12. | Bandwidth (kbit) for nets: Choose the value "1024" as we only want to provide a maximum of 1024kbit for this net. All traffic that goes the way: headquarter->site1 is not allowed to exceed the maximum of 1024kbit. |
13. | Save: Confirm your changes with clicking the button Save. |
14. | Cancel: Click this button to return to the overview. |
15. | Add rule: Click this button to add a new rule. |
16. | Name: Enter a name for the new rule (e.g. "ruleNet2"). |
17. | Add member: Click this button to add classifications or classification groups. |
18. | Choose the classification group "ica" and set the values "360" for Min and "1024" for Max. |
19. | Choose the classification group "voip" and set the values "360" for Min and "1024" for Max. |
20. | Choose the classification "rest" and set the values "250" for Min and "768" for Max. |
21. | Save: Confirm your changes with clicking the button Save. |
22. | Choose the tab Advanced. |
23. | Destination address: Choose the definition "net2", because this rule should only be valid for this destination net. |
24. | Bandwidth (kbit) for nets: Choose the value "1024" as we only want to provide a maximum of 1024kbit for this net. All traffic that goes the way: headquarter->site2 is not allowed to exceed the maximum of 1024kbit. |
25. | Save: Confirm your changes with clicking the button Save. |
Note:
To regulate all traffic in the headquarter it is also essential to limit the download traffic. If we do not regulate this traffic it could be possible that a download into the headquarter blocks the upload packets of the sites.
1. | Choose the tab Traffic shaping rules. |
2. | Track: Choose track "outgoing int0". Gibraltar now takes the predefined upload bandwidth of the track "int0". This traffic represents the download of the headquarter. |
3. | Add rule: Click this button to add a new rule. |
4. | Name: Enter a name for the new rule (e.g. "ruleDownload"). |
5. | Add member: Click this button to add classifications or classification groups. |
6. | Choose the classification group "ica" and set the values "716" for Min and "2048" for Max. |
7. | Choose the classification group "voip" and set the values "716" for Min and "2048" for Max. |
8. | Choose the classification "rest" and set the values "500" for Min and "1536" for Max. |
9. | Save: Confirm your changes with clicking the button Save. |
As we do not want to regulate a net with download shaping it is not necessary to define a target net on the "advanced" tab.
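The Min/Max values in the rules above follow the percentages from the introduction: 35 % guaranteed for ICA and VoIP each, a 75 % ceiling for "rest", and at most 95 % of the link reserved in total. The following Python script is an added example, not Gibraltar's own code: it derives these values for a given link bandwidth, checks a hand-written rule set against the constraints, and renders the same hierarchy as Linux HTB `tc` commands. The `tc` rendering is an assumption about how such a hierarchy could be expressed on a generic Linux box and is not what the appliance generates; the sample rule sets are the ones from this page.

```python
from dataclasses import dataclass

# Rules of thumb from the scenario introduction, as shares of the link bandwidth.
ICA_MIN_SHARE = 0.35
VOIP_MIN_SHARE = 0.35
REST_MAX_SHARE = 0.75
USABLE_SHARE = 0.95


@dataclass(frozen=True)
class ShapeClass:
    """One member of a traffic shaping rule: guaranteed and maximum kbit/s."""
    name: str
    min_kbit: int
    max_kbit: int


def plan_rules(link_kbit: int) -> list[ShapeClass]:
    """Derive ica/voip/rest members for one track from the scenario's percentages.

    The hand-picked values on the page are rounded versions of this result
    (e.g. 360/360/250 on a 1024 kbit link).
    """
    usable = int(link_kbit * USABLE_SHARE)
    ica_min = int(link_kbit * ICA_MIN_SHARE)
    voip_min = int(link_kbit * VOIP_MIN_SHARE)
    # Whatever of the usable 95 % is not reserved for ICA/VoIP is guaranteed to "rest".
    rest_min = usable - ica_min - voip_min
    return [
        ShapeClass("ica", ica_min, link_kbit),
        ShapeClass("voip", voip_min, link_kbit),
        ShapeClass("rest", rest_min, int(link_kbit * REST_MAX_SHARE)),
    ]


def check_rules(link_kbit: int, rules: list[ShapeClass]) -> list[str]:
    """Return the scenario constraints a rule set violates (empty list = ok)."""
    findings = []
    by_name = {r.name: r for r in rules}
    total_min = sum(r.min_kbit for r in rules)
    if total_min > int(link_kbit * USABLE_SHARE):
        findings.append(f"guaranteed minimums {total_min} kbit exceed 95 % of the link")
    for r in rules:
        if r.min_kbit > r.max_kbit:
            findings.append(f"{r.name}: min {r.min_kbit} above max {r.max_kbit}")
        if r.max_kbit > link_kbit:
            findings.append(f"{r.name}: max {r.max_kbit} above link {link_kbit}")
    for name, share in (("ica", ICA_MIN_SHARE), ("voip", VOIP_MIN_SHARE)):
        if name in by_name and by_name[name].min_kbit < int(link_kbit * share):
            findings.append(f"{name}: guaranteed {by_name[name].min_kbit} kbit is below 35 % of the link")
    if "rest" in by_name and by_name["rest"].max_kbit > int(link_kbit * REST_MAX_SHARE):
        findings.append("rest: maximum exceeds the 75 % ceiling that protects VoIP/ICA latency")
    return findings


def to_tc(dev: str, link_kbit: int, rules: list[ShapeClass]) -> list[str]:
    """Render the rule set as Linux HTB commands (assumption: illustration only,
    not the commands the appliance itself issues). The last member is the
    default class, i.e. unclassified traffic lands in "rest"."""
    usable = int(link_kbit * USABLE_SHARE)
    cmds = [
        f"tc qdisc add dev {dev} root handle 1: htb default 1{len(rules)}",
        f"tc class add dev {dev} parent 1: classid 1:1 htb rate {usable}kbit ceil {link_kbit}kbit",
    ]
    for i, r in enumerate(rules, start=1):
        cmds.append(
            f"tc class add dev {dev} parent 1:1 classid 1:1{i} htb "
            f"rate {r.min_kbit}kbit ceil {r.max_kbit}kbit prio {i - 1}"
        )
    return cmds


# Rule sets taken from this page: headquarter upload per site (1024 kbit) and
# headquarter download (2048 kbit).
HQ_UPLOAD_PER_SITE = [ShapeClass("ica", 360, 1024), ShapeClass("voip", 360, 1024),
                      ShapeClass("rest", 250, 768)]
HQ_DOWNLOAD = [ShapeClass("ica", 716, 2048), ShapeClass("voip", 716, 2048),
               ShapeClass("rest", 500, 1536)]

if __name__ == "__main__":
    for link, rules in ((1024, HQ_UPLOAD_PER_SITE), (2048, HQ_DOWNLOAD)):
        print(f"link {link} kbit: derived {plan_rules(link)}")
        print(f"  page values ok: {check_rules(link, rules) == []}")
    for cmd in to_tc("int0", 1024, HQ_UPLOAD_PER_SITE):
        print(cmd)
```

The check is deliberately strict about the 35 % minimums; the site-side download rule later on this page (Min 360 for ICA and VoIP on a 4096 kbit link) is flagged by it, which is exactly the case the note there explains as acceptable because the headquarter can never send more than 1024 kbit.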
Special construction: Gibraltar also as mail relay or HTTP proxy
If you are also using Gibraltar as a mail relay or HTTP proxy in this scenario, you have the following situation: With the rules on the tracks "outgoing int0" and "incoming int0" we are able to regulate the upload and download traffic from and to the internal net. Gibraltar as a proxy or mail relay of course also "produces" upload and download traffic of its own, which is not regulated by those rules. Do the following if this scenario occurs:
1. | Choose the tab Classification. |
2. | Add classification: Click this button to add a new classification for IPSEC, as the aim is to provide a maximum of 100% for the IPSEC traffic because the ICA and VoIP packets are encapsulated in IPSEC. |
3. | Name: Enter a name for the classification (e.g. "ipsec") |
4. | Source address, Destination address: Select the value ANY from the select boxes. |
5. | Service: Choose the value "ipsec" from the select box. |
6. | Save: Confirm your changes with clicking the button Save. |
7. | Cancel: Click this button to return to the overview. |
8. | : Click this button to place the classification "ipsec" before the classification rest! |
9. | Save: Confirm your changes with clicking the button Save |
10. | Choose the tab Traffic shaping rules. |
11. | Track: Choose the track "incoming ext0". Gibraltar now takes the predefined download bandwidth of the track "ext0". This traffic represents the download of the headquarter. |
12. | Add rule: Click this button to add a new rule. |
13. | Name: Enter a name for the new rule (e.g. "limitGibDownload"). |
14. | Add member: Click this button to add classifications and classification groups. |
15. | Choose the classification "ipsec" and set the values "2864" for Min and "4096" for Max. |
16. | Choose the classification "rest" and set the values "1000" for Min and "3072" for Max. |
17. | Save: Confirm your changes with clicking the button Save. |
18. | Choose the tab Traffic shaping rules. |
19. | Track: Choose the track "outgoing ext0". Gibraltar now takes the predefined upload bandwidth of the track "ext0". This traffic represents the upload of the headquarter. |
20. | Add rule: Click this button to add a new rule. |
21. | Name: Enter a name for the new rule (e.g. "limitGibUpload"). |
22. | Add member: Click this button to add classifications and classification groups. |
23. | Choose the classification "ipsec" and set the values "720" for Min and "1024" for Max. |
24. | Choose the classification "rest" and set the values "250" for Min and "768" for Max. |
25. | Save: Confirm your changes with clicking the button Save. |
Now we assured that
Save config
1. | The configuration has to be saved on a USB stick or hard disk. |
The traffic is now regulated on the basis of the different bandwidths at both sites. A print job that travels inside an ICA flow no longer causes a problem. To control the outgoing traffic of the sites, the following configurations are necessary:
Traffic shaping (site 1)
1. | Choose Traffic shaping in the main menu. |
2. | Choose the tab General Settings. |
3. | Bandwidths: Define the values "1024" for the upload and "4096" for the download bandwidth of the interface "ext0" of this site. |
4. | Define the value "1024" for the interface "int0" for the download and "4096" for the upload. |
5. | Save: Confirm your changes with clicking the button Save. |
6. | Now define the same classifications as in the headquarter! |
7. | Choose the tab Traffic shaping rules. |
8. | Track: Choose "outgoing ext0". Gibraltar now takes the predefined upload bandwidth of the track "ext0". This traffic represents the upload of site 1. |
9. | Add rule: Click this button to add a new rule. |
10. | Name: Enter a name for the new rule (e.g. "ruleHeadquarter"). |
11. | Add member: Click this button to add classifications or classification groups. |
12. | Choose the classification group "ica" and set the values "360" for Min and "1024" for Max. |
13. | Choose the classification group "voip" and set the values "360" for Min and "1024" for Max. |
14. | Choose the classification "rest" and set the values "250" for Min and "768" for Max. |
15. | Save: Confirm your changes with clicking the button Save. |
16. | Cancel: Click this button to return to the overview. |
It is also necessary to limit the download traffic in the sites. Do the following to achieve this goal:
1. | Choose the tab Traffic shaping rules. |
2. | Track: Choose "outgoing int0". Gibraltar now takes the predefined upload bandwidth of the track "int0". This traffic represents the download of site 1. |
3. | Add rule: Click this button to add a new rule. |
4. | Name: Enter a name for the new rule (e.g. "ruleDownload"). |
5. | Add member: Click this button to add classifications or classification groups. |
6. | Choose the classification group "ica" and set the values "360" for Min and "1024" for Max. |
7. | Choose the classification group "voip" and set the values "360" for Min and "1024" for Max. |
8. | Choose the classification "rest" and set the values "2000" for Min and "3072" for Max. |
9. | Save: Confirm your changes with clicking the button Save. |
10. | Cancel: Click this button to return to the overview. |
Note:
We do not have to give the VoIP or ICA traffic a maximum of 4096 in this scenario, as the maximum that comes from the headquarter is 1024kbit. The most important thing is the limitation of the rest traffic to 75% to provide a buffer for Voice over IP and ICA.
Complete the configuration for site 2 with the bandwidth value of 1024 for upload and download. With this you control the traffic at both sites and avoid affecting your ICA sessions through large print jobs or video streams. A graphical report of the bandwidth regulation can be found in the module Monitoring.
Save config
1. | Save your configuration on a USB stick or hard disk. |