
QoS after IPSec VPN encryption

wmmak
Level 1

Dear All,

Suppose a PIX is connected to a router, and then to the WAN.

If the packet is encrypted by the PIX, can I still apply QoS based on IP address to this encrypted packet on the router? If so, can I do it based on IP precedence? Would it be encrypted?

Thanks

mak

5 Replies

aacole
Level 5

You may be able to apply some QoS. If you're using IPSec transport mode with the ESP protocol, then the original IP header is not authenticated. Therefore you should be able to modify the precedence field.

The ESP header is inserted after the IP header.

However, the upper layers (TCP etc.) are encrypted, so all you have available for QoS decision making is the source and destination IP address.

Andy
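
An added example, not part of the original thread: the Python sketch below builds a constructed packet before and after ESP transport mode and lists the fields a downstream router could classify on without the IPsec keys. The addresses, ports, SPI and the `build_ipv4`/`classifier_view` helpers are made up for illustration, and it assumes the precedence bits set before encryption stay in the cleartext IP header.

```python
import ipaddress
import struct

ESP, TCP, UDP = 50, 6, 17  # IP protocol numbers
IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_ipv4(src, dst, proto, tos, payload):
    """Build a minimal IPv4 header (checksum left at 0) followed by payload."""
    header = struct.pack(
        IPV4_FMT, 0x45, tos, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload

def classifier_view(packet):
    """Return the fields a router can match on without any IPsec keys."""
    ver_ihl, tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, packet[:20])
    body = packet[(ver_ihl & 0x0F) * 4:]
    view = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "precedence": tos >> 5,  # top three bits of the ToS byte
        "protocol": proto,
        "ports": None,
        "spi": None,
    }
    if proto in (TCP, UDP):
        view["ports"] = struct.unpack("!HH", body[:4])
    elif proto == ESP:
        # Only the SPI and sequence number are cleartext; the original
        # TCP/UDP header sits inside the ciphertext that follows them.
        view["spi"] = struct.unpack("!I", body[:4])[0]
    return view

# Constructed samples: the same flow before and after ESP transport mode.
tcp_segment = struct.pack("!HH", 40000, 443) + bytes(16)
clear = build_ipv4("192.0.2.10", "198.51.100.20", TCP, 5 << 5, tcp_segment)
esp_body = struct.pack("!II", 0x1000, 1) + bytes(range(32))  # stand-in ciphertext
protected = build_ipv4("192.0.2.10", "198.51.100.20", ESP, 5 << 5, esp_body)

if __name__ == "__main__":
    print("before ESP:", classifier_view(clear))
    print("after ESP: ", classifier_view(protected))
```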

Hi Andy,

So do you mean I cannot apply QoS based on IP precedence?

Thanks

mak

Patrick Iseli
Level 7

No, this will not work because on the outside router, after the PIX, you just see the encrypted packets and no protocol at all. If you want to use QoS, you should apply these rules before the packet is encrypted.

The good news is that FOS Version 7.0, which will be released in January 2005, will have QoS features.

Another possibility would be to establish the VPN tunnel from the outside router, so you could use the QoS features of the router.

sincerely

Patrick

Dear Patrick,

If the PIX uses transport mode, can I still apply QoS on the router by IP address of the packet only?

BTW, FOS = PIX OS?

Thanks

mak

You are absolutely right!

I know that FOS and PIX OS are the same. 50% of the forum users use FOS as the term for PIX OS.

I think I am free to choose which one I want to use, right!!