We have an IPSec tunnel established between 2 FTDs (tunnel mode). The tunnel was created via an FMC.
If, before being encrypted/encapsulated, packets were marked with DSCP values, does the FTD copy the DSCP value to the outer header of the tunnel (so the DSCP value can be viewed by the routers in the middle)?
We did a test: we marked traffic before the tunnel (with EF); after the tunnel, the traffic had a DSCP value of 0.
Can someone help us confirm whether it can be copied to the outer header and what config is needed?
I saw an article about ToS preservation, but the article is only for IPSec over GRE (which I guess doesn't work on FTD).
1. I think, or rather I believe, that "copy of DSCP from Inner IP-Header to Outer IP-Header" is NOT supported (yet...) for IPSec tunneled traffic on FTD routers.
- The Inner IP header would be that of the "outbound" IPv4 and/or IPv6 plain packet that is being routed through the IPsec tunnel under consideration.
- The Outer IP header would be that of the IPv4 and/or IPv6 "outbound" ESP packet that is generated by the FTD router for that specified IPsec tunnel to the remote peer.
2. I don't really know how at this time, but since you are a Cisco customer you should kindly submit a new-feature request for supporting the "Copy of DSCP values from Inner IP Header to Outer ESP packet Header for IPsec tunnels".
- Because, unlike the policies for handling the DF-bit flag for IPsec tunneled packets, which are mentioned as a MUST in RFC 4301 (section 8, I guess) and are supported/implemented as such on FTD routers too (details in the next point below), the implementation/support for copying the DSCP value to the outer header is a custom, vendor-specific implementation and NOT all vendors implement/support it.
- This will be very, very useful for setting QoS policies for IPsec tunnels too. Maybe this will also mean that there will be a related new-feature request to enhance QoS support for IPsec tunneled traffic too... lots of possibilities.
3. In FTD, if you check the ESPv3 settings for the site-to-site tunnel configured, you have the below options for DF-bit flag handling in IPsec tunnels... so you can run a check for the DF bit to confirm in your deployments:
Enable dummy TFC packets that mask the traffic profile which traverses the tunnel. Use the Burst, Payload Size, and Timeout parameters to generate random length packets at random intervals across the specified SA.
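As an added verification aid (not from this thread or any Cisco tool), a Python script that decodes IPv4 headers from an inside and an outside capture and reports whether the DSCP marking survived into the outer ESP header, and whether DF is set on the ESP packets. The sample headers are constructed to mirror the poster's result (EF inside, DSCP 0 outside), not taken from a real capture; with a real test, feed it the raw IPv4 packets from both captures.

```python
import socket
import struct

ESP_PROTO = 50          # IP protocol number of ESP
DSCP_EF = 46            # Expedited Forwarding, the marking used in the test

def parse_ipv4(raw):
    """Decode the IPv4 header fields needed for the DSCP and DF-bit checks."""
    (ver_ihl, tos, _length, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "dscp": tos >> 2,                  # top 6 bits of the ToS byte
        "ecn": tos & 0x3,
        "df": bool(flags_frag & 0x4000),   # Don't Fragment flag
        "proto": proto,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }

def check_dscp_copy(inside_pkts, outside_pkts):
    """Compare DSCP on the cleartext (inside) side with DSCP on the ESP side.
    Assumes a lab test in which all tunnelled traffic carried one marking."""
    inner = {parse_ipv4(p)["dscp"] for p in inside_pkts}
    esp = [h for h in map(parse_ipv4, outside_pkts) if h["proto"] == ESP_PROTO]
    outer = {h["dscp"] for h in esp}
    return {
        "inner_dscp": inner,
        "outer_dscp": outer,
        "esp_packets": len(esp),
        "df_set_on_all_esp": bool(esp) and all(h["df"] for h in esp),
        "copied": bool(esp) and outer == inner,
    }

def build_ipv4_header(dscp, df, proto, src, dst, payload_len=0):
    """Construct a minimal IPv4 header (checksum left zero) for sample input."""
    flags_frag = 0x4000 if df else 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0,
                       flags_frag, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample "captures" (not real traffic): EF-marked UDP on the inside,
# ESP with DSCP 0 on the outside, i.e. what the original poster observed.
INSIDE_CAPTURE = [build_ipv4_header(DSCP_EF, True, 17, "10.1.1.10", "10.2.2.20", 100)
                  for _ in range(2)]
OUTSIDE_CAPTURE = [build_ipv4_header(0, True, ESP_PROTO, "192.0.2.1", "198.51.100.1", 160)
                   for _ in range(2)]
OUTSIDE_CAPTURE.append(build_ipv4_header(0, False, 17, "192.0.2.1", "198.51.100.1", 48))  # non-ESP noise
```

`check_dscp_copy(INSIDE_CAPTURE, OUTSIDE_CAPTURE)["copied"]` is False for the sample, which is the "DSCP 0 after the tunnel" outcome; it only turns True when every ESP packet carries the same DSCP set as the inside traffic.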