We have an IPSec tunnel established between 2 FTDs (tunnel mode); the tunnel was created via an FMC.
If, before being encrypted/encapsulated, packets were marked with DSCP values, does the FTD copy the DSCP value to the outer header of the tunnel? (So the DSCP value can be viewed by the routers in the middle.)
We did a test: we marked traffic before the tunnel (with EF); after the tunnel, the traffic had a DSCP value of 0.
Can someone help us confirm whether it can be copied to the outer header and what config is needed?
I saw an article about ToS preservation, but the article is only for IPSec over GRE (which I guess doesn't work on FTD).
1. I think, or rather I believe, that "copy of DSCP from Inner IP-Header to Outer IP-Header" is NOT supported (yet...) for IPsec tunneled traffic on FTD routers.
- The Inner IP header would be that of the "outbound" plain IPv4 and/or IPv6 packet that is being routed through the IPsec tunnel under consideration.
- The Outer IP header would be that of the "outbound" IPv4 and/or IPv6 ESP packet that is generated by the FTD router for that specified IPsec tunnel to the remote peer.
2. I don't really know how at this time, but since you are a Cisco customer, you should kindly submit a new-feature request for supporting "Copy of DSCP values from Inner IP Header to Outer ESP Packet Header for IPsec tunnels".
- because, unlike the policies for handling the DF-bit flag for IPsec tunneled packets, which are mentioned as a MUST in RFC 4301 (section 8, I guess) and are supported/implemented as such on FTD routers too (details in the next point below), the implementation/support for copying the DSCP value to the outer header is a custom, vendor-specific implementation and NOT all vendors implement/support it.
- This will be very, very useful for setting QoS policies for IPsec tunnels too. Maybe this will also mean that there will be a related new-feature request to enhance QoS support for IPsec tunneled traffic too... lots of possibilities.
3. In FTD, if you check the ESPv3 settings for the site-to-site tunnel configured, you have the options below for DF-bit flag handling in IPsec tunnels... so you can run a check for the DF-bit to confirm in your deployments:
Enable dummy TFC packets that mask the traffic profile which traverses the tunnel. Use the Burst, Payload Size, and Timeout parameters to generate random length packets at random intervals across the specified SA.
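To make the test the poster describes repeatable (compare the cleartext packet captured before encryption with the ESP packet captured on the outside interface), here is an added example, not code from the thread or from Cisco: it parses the IPv4 header fields that matter (DSCP, ECN, DF bit, protocol) and reports whether the DSCP was copied to the outer header and how the DF bit came out. The sample packets are constructed inline, with the inner marked EF (DSCP 46) and the outer leaving with DSCP 0 as observed above; the addresses and IDs are placeholders.

```python
import struct

ESP_PROTO = 50  # IP protocol number for ESP

def ipv4_header(tos, df, proto):
    """Build a minimal 20-byte IPv4 header for a constructed sample packet
    (checksum left zero; only header-field parsing is demonstrated here)."""
    flags_frag = 0x4000 if df else 0  # DF is bit 14 of the flags/fragment word
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 1, flags_frag, 64,
                       proto, 0, bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))

# Constructed samples (assumptions, not captures from the post): the cleartext
# packet marked EF (DSCP 46, ToS byte 0xB8) with DF set, and the ESP packet
# the FTD emitted for it, which left the tunnel with DSCP 0.
INNER_PKT = ipv4_header(tos=0xB8, df=True, proto=17)
OUTER_PKT = ipv4_header(tos=0x00, df=True, proto=ESP_PROTO)

def parse_ipv4(pkt):
    """Extract DSCP, ECN, the DF flag and the protocol from a raw IPv4 packet."""
    ver_ihl, tos, _len, _id, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"dscp": tos >> 2,            # upper 6 bits of the ToS byte
            "ecn": tos & 0x3,            # lower 2 bits
            "df": bool(flags_frag & 0x4000),
            "proto": proto}

def check_tunnel_markings(inner_pkt, outer_pkt):
    """Compare the pre-encryption packet with the ESP packet that carried it:
    was the DSCP copied to the outer header, and does the outer DF bit match
    the inner one (RFC 4301 allows the outer DF to be copied, set or cleared)?"""
    inner, outer = parse_ipv4(inner_pkt), parse_ipv4(outer_pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("outer packet is not ESP")
    return {"inner_dscp": inner["dscp"], "outer_dscp": outer["dscp"],
            "dscp_copied": inner["dscp"] == outer["dscp"],
            "inner_df": inner["df"], "outer_df": outer["df"],
            "df_matches": inner["df"] == outer["df"]}

if __name__ == "__main__":
    print(check_tunnel_markings(INNER_PKT, OUTER_PKT))
```

Feed it the raw bytes of one packet from each capture point; a `dscp_copied` of False with a matching DF bit is exactly the symptom described in the question.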