03-20-2022 08:41 AM
Hello, I'm facing a problem with QoS DSCP marking in a simple IPsec topology. One VPN gateway is a Cisco router, the second gateway is a Huawei AR router. From the theory I know, I assume that DSCP marks are copied from the IP header to the new IP header created by ESP. Anyway, I do all the marking on the routers that create the IPsec tunnel. I'm using the qos pre-classify command to match specific subnets. The problem is that I can see those marks, which are set by the gateway routers, on the host computers. It looks like marking is done before encryption and then the DSCP is copied from the old header to the new one. But as far as I know, it shouldn't work in this order.
Running configs below:
hostname RZ3
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key heslo address 10.0.0.2
crypto isakmp key heslo address 10.0.1.2
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
crypto ipsec transform-set myset1 esp-aes 256 esp-sha-hmac
mode transport
!
crypto map ipsec_map 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set myset
match address 100
qos pre-classify
!
class-map match-all match_VOIP
match access-group 110
class-map match-all test_esp
match access-group 121
class-map match-all match_SSH_response
match protocol ssh
class-map match-all test_gre
match access-group 122
class-map match-all match_DATA
match access-group 111
match not dscp af42
class-map match-all test_icmp
match access-group 123
class-map match-all match_SSH_response_DSCP
match dscp af42
!
policy-map rz3_toLocal_input
class match_SSH_response
set dscp af42
policy-map CBWFQ_LLQ
class match_DATA
bandwidth 300
set dscp af13
class match_VOIP
priority 300
set dscp ef
class class-default
fair-queue
policy-map test_output
class test_esp
class test_gre
class test_icmp
policy-map rz3_toNet_output
class match_VOIP
set dscp ef
class match_DATA
set dscp af13
class match_SSH_response_DSCP
policy-map shaping
class class-default
shape average 700000
service-policy rz3_toNet_output
!
interface FastEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nbar protocol-discovery
duplex auto
speed auto
service-policy input rz3_toLocal_input
!
interface Serial0/1/0
bandwidth 1500000
ip address 10.0.2.2 255.255.255.0
crypto map ipsec_map
service-policy output CBWFQ_LLQ
!
router ospf 1
log-adjacency-changes
network 10.0.2.0 0.0.0.255 area 0
network 192.168.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 192.168.0.0 255.255.255.0 1.1.1.1
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit gre host 10.0.2.2 host 10.0.1.2
access-list 110 permit ip host 192.168.2.20 any
access-list 111 permit ip host 192.168.2.10 any
access-list 112 permit tcp any host 192.168.0.10 eq 22
access-list 120 permit ip host 192.168.2.10 any
access-list 121 permit esp any any
access-list 122 permit gre any any
access-list 123 permit icmp any any
!
line con 0
logging synchronous
line aux 0
line vty 0 4
login
!
<Huawei>display current-configuration
[V200R003C00SPC200]
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.25
acl number 3010
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.25
acl number 3021
rule 5 permit ip source 192.168.1.10 0
acl number 3022
rule 5 permit ip source 192.168.1.20 0
#
ipsec proposal tran1
esp authentication-algorithm sha1
esp encryption-algorithm aes-256
#
ike proposal 1
encryption-algorithm aes-cbc-256
dh group5
#
ike-proposal 1
remote-address 10.0.2.2
ike peer cisco2 v1
pre-shared-key simple heslo
ike-proposal 1
remote-address 10.0.1.2
#
ipsec policy map1 1 isakmp
security acl 3010
ike-peer cisco
proposal tran1
qos pre-classify
#
traffic classifier match_any operator or
if-match any
traffic classifier match_DATA operator or
if-match acl 3021
traffic classifier match_VOIP operator or
if-match acl 3022
#
traffic behavior beh_VOIP
remark dscp ef
traffic behavior DATA_CBWFQ
queue af bandwidth 300
statistic enable
remark dscp af13
traffic behavior VOIP_LLQ
queue llq bandwidth 300 cbs 7500
statistic enable
remark dscp ef
traffic behavior input_police
statistic enable
car cir 800 cbs 150400 pbs 250400 green pass yellow discard red discard
traffic behavior beh_DATA
remark dscp af13
statistic enable
#
traffic policy input_police
classifier match_any behavior input_police
traffic policy rz2_toNet_output
classifier match_DATA behavior DATA_CBWFQ
classifier match_VOIP behavior VOIP_LLQ
#
#
interface GigabitEthernet0/0/0
ip address 10.0.0.2 255.255.255.0
qos gts cir 800 cbs 20000
traffic-policy rz2_toNet_output outbound
ipsec policy map1
#
interface GigabitEthernet0/0/1
ip address 192.168.1.1 255.255.255.0
traffic-policy input_police inbound
#
ospf 1
area 0.0.0.0
network 10.0.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
04-04-2022 02:37 AM
I figured out that IOS version 12 isn't working properly in this case. Qos pre-classify is needed to classify encrypted packets. On the basis of this classification, marking is done afterwards. This marking should be done only on the egress IP header (tunnel mode). It shouldn't be visible in the ingress IP header (on the host computer) as it is in my case. I found a solution to this. It is possible to solve this by establishing the IPsec tunnel with a VTI. There is another problem with VTI: the qos pre-classify command isn't working at all. But it is possible to use a service policy (marking) on the VTI or on the physical interface, so the qos pre-classify command isn't needed at all. All these things work just fine on IOS version 15.
This could help someone who is facing the same problem.
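Added illustration, not code from the thread or from either vendor: a byte-level model of the behaviour the question and the solution describe for tunnel-mode ESP with qos pre-classify, i.e. the outer header inherits the inner DSCP at encapsulation and a later set dscp on the encrypted packet changes only the outer header, so the far-end host still sees the DSCP it was sent with. Addresses and the host-to-class map are taken from the Cisco config above (ACL 110 host .20 to ef, ACL 111 host .10 to af13); the SPI, sequence number and omitted encryption are constructed placeholders.

```python
import socket
import struct
# Constructed model (not the router's implementation): DSCP handling around
# IPsec tunnel-mode encapsulation with classification done on the inner packet.
ESP_PROTO = 50
EF, AF13 = 46, 14
HOST_CLASS = {"192.168.2.20": EF, "192.168.2.10": AF13}   # mirrors ACL 110 / 111

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, dscp: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; DSCP is the upper six bits of the TOS byte."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, (dscp & 0x3F) << 2, 20 + payload_len,
                                0, 0, 64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr)

def get_dscp(pkt: bytes) -> int:
    return pkt[1] >> 2

def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """What 'set dscp' does: rewrite the outermost header's DSCP and fix its checksum."""
    hdr = bytearray(pkt[:20])
    hdr[1] = ((dscp & 0x3F) << 2) | (hdr[1] & 0x03)       # keep the two ECN bits
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

def esp_tunnel_encap(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: new outer header + ESP header; inner DSCP copied outward (RFC 4301)."""
    esp = struct.pack("!II", 0x1000, 1) + inner          # SPI + seq (constructed), no crypto
    return ipv4_header(gw_src, gw_dst, ESP_PROTO, len(esp), get_dscp(inner)) + esp

def esp_tunnel_decap(pkt: bytes) -> bytes:
    assert pkt[9] == ESP_PROTO
    return pkt[28:]                                       # outer IPv4 (20) + ESP header (8)

def egress_with_preclassify(inner: bytes) -> bytes:
    """Classify on inner fields (qos pre-classify), encapsulate, then mark the outer header."""
    dscp = HOST_CLASS.get(socket.inet_ntoa(inner[12:16]), 0)
    return set_dscp(esp_tunnel_encap(inner, "10.0.2.2", "10.0.0.2"), dscp)

def demo(host: str) -> tuple:
    """(DSCP on the WAN link, DSCP the remote host sees after decapsulation)."""
    from_host = ipv4_header(host, "192.168.1.10", 6, 0, dscp=0)   # host sends unmarked
    wire = egress_with_preclassify(from_host)
    return get_dscp(wire), get_dscp(esp_tunnel_decap(wire))
```

If the far-end host sees the mark from the second value, as the poster did, the platform marked the packet before encapsulation rather than after it.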
04-04-2022 05:19 AM
Nice one luka.bik