1395 Views, 0 Helpful, 2 Replies

QOS with IPSEC

pcresswell
Level 1

Hi,

I have the following setup:

PC/IPPHONE---PIX------RTR/T1----INTERNET

|---IPSEC-----------------

I am trying to classify voice packets within the IPSEC tunnel so that I can do LLQ on RTR. Is there a way to copy the DSCP tag from original packet to the IPSEC packet header?

Or is there a better way of doing it?

Thanks,

Peter

1 Accepted Solution

Accepted Solutions

mheusinger
Level 10

Hi Peter,

the IPSec RFC mandates copying the TOS byte (which includes DSCP) from the original IP header to the newly created IPSec IP header. So the best approach would be to mark before the encryption and to match on DSCP in the encrypted packets.

If the router itself does the encryption (not quite clear from your drawing) you could use "qos pre-classify" on the tunnel or crypto map. The router then keeps a copy of the original IP packet header associated with the IPSec packet, allowing you to classify based on the original header. This however can only work within the router doing encryption, because once the IP packet leaves the box the content cannot be detected (this is the idea of IPSec, isn't it? ;-).

So either qos pre-classify or DSCP marking before encryption would allow you to use LLQ/CBWFQ for encrypted VoIP and other applications.

Hope this helps! Please rate all posts.

regards, Martin

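Martin's two recommendations (mark on DSCP before encryption, or use qos pre-classify on the crypto map) worked into an IOS configuration, as an added example that is not from this thread or from Cisco documentation. Interface names, the crypto map and transform-set names, the percentages, and the peer address 203.0.113.1 (a documentation-range placeholder) are all assumptions; the ISAKMP policy, pre-shared key and the VPN-ACL crypto ACL are assumed to exist already, since the tunnel in the question is up.

```text
! --- Added example, assumed names and values, not the thread's own config ---
!
! Classify on DSCP. Because the outer IPsec header inherits the TOS byte,
! these classes match the encrypted packets on the WAN link as well.
class-map match-all VOICE-RTP
 match dscp ef
class-map match-all VOICE-SIGNALING
 match dscp cs3
!
! LLQ for voice bearer, guaranteed bandwidth for signaling, fair-queue for the rest.
policy-map WAN-LLQ
 class VOICE-RTP
  priority percent 20
 class VOICE-SIGNALING
  bandwidth percent 5
 class class-default
  fair-queue
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! qos pre-classify keeps a copy of the pre-encryption header so that class-maps
! which match on inner fields (e.g. an access-group) still work on this router.
! With pure DSCP matching it is not strictly needed, but it does no harm.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES-SHA
 match address VPN-ACL
 qos pre-classify
!
! T1 toward the Internet: the bandwidth statement is what "priority percent"
! and "bandwidth percent" are computed against.
interface Serial0/0
 description T1 to Internet
 bandwidth 1544
 crypto map VPN-MAP
 service-policy output WAN-LLQ
```

To confirm the policy is actually seeing the encrypted voice traffic, check the per-class counters on the WAN interface with "show policy-map interface Serial0/0" while a call is up; the VOICE-RTP class should show packets matched and the priority queue should show no drops at normal call volume. If the counters stay at zero, the DSCP marking is not reaching the encrypting router, which is the case qos pre-classify (or marking on the router itself) addresses.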

2 Replies

I am already marking before encryption so that makes it easy. I wasn't sure if the encrypted packets inherited the DSCP bits.

Thank you very much for your help!!!