
QoS marking in IPsec topology

luka.bik
Level 1

Hello, I'm facing a problem with QoS DSCP marking in a simple IPsec topology. One VPN gateway is a Cisco router, the second gateway is a Huawei AR router. With the theory that I know, I assume that DSCP marks are copied from the IP header to the new IP header created by ESP. Anyway, I do all the marking on the routers that create the IPsec tunnel. I'm using the QoS pre-classify command to match specific subnets. The problem is that I can see those marks, which are given by the gateway routers, on the host computers. It looks like marking is done before encryption and then the DSCP is copied from the old header to the new one. But as far as I know, it shouldn't work in this order.

Running configs below:

hostname RZ3
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key heslo address 10.0.0.2
crypto isakmp key heslo address 10.0.1.2
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
crypto ipsec transform-set myset1 esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map ipsec_map 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set myset
 match address 100
 qos pre-classify
!
class-map match-all match_VOIP
 match access-group 110
class-map match-all test_esp
 match access-group 121
class-map match-all match_SSH_response
 match protocol ssh
class-map match-all test_gre
 match access-group 122
class-map match-all match_DATA
 match access-group 111
 match not dscp af42
class-map match-all test_icmp
 match access-group 123
class-map match-all match_SSH_response_DSCP
 match dscp af42
!
policy-map rz3_toLocal_input
 class match_SSH_response
  set dscp af42
policy-map CBWFQ_LLQ
 class match_DATA
  bandwidth 300
  set dscp af13
 class match_VOIP
  priority 300
  set dscp ef
 class class-default
  fair-queue
policy-map test_output
 class test_esp
 class test_gre
 class test_icmp
policy-map rz3_toNet_output
 class match_VOIP
  set dscp ef
 class match_DATA
  set dscp af13
 class match_SSH_response_DSCP
policy-map shaping
 class class-default
  shape average 700000
  service-policy rz3_toNet_output
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nbar protocol-discovery
 duplex auto
 speed auto
 service-policy input rz3_toLocal_input
!
interface Serial0/1/0
 bandwidth 1500000
 ip address 10.0.2.2 255.255.255.0
 crypto map ipsec_map
 service-policy output CBWFQ_LLQ
!
router ospf 1
 log-adjacency-changes
 network 10.0.2.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.2.1
ip route 192.168.0.0 255.255.255.0 1.1.1.1
!
access-list 100 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit gre host 10.0.2.2 host 10.0.1.2
access-list 110 permit ip host 192.168.2.20 any
access-list 111 permit ip host 192.168.2.10 any
access-list 112 permit tcp any host 192.168.0.10 eq 22
access-list 120 permit ip host 192.168.2.10 any
access-list 121 permit esp any any
access-list 122 permit gre any any
access-list 123 permit icmp any any
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login
!

<Huawei>display current-configuration
[V200R003C00SPC200]
#
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.0 0.0.0.25
acl number 3010
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.25
acl number 3021
 rule 5 permit ip source 192.168.1.10 0
acl number 3022
 rule 5 permit ip source 192.168.1.20 0
#
ipsec proposal tran1
 esp authentication-algorithm sha1
 esp encryption-algorithm aes-256
#
ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group5
#
 ike-proposal 1
 remote-address 10.0.2.2
ike peer cisco2 v1
 pre-shared-key simple heslo
 ike-proposal 1
 remote-address 10.0.1.2
#
ipsec policy map1 1 isakmp
 security acl 3010
 ike-peer cisco
 proposal tran1
 qos pre-classify
#
traffic classifier match_any operator or
 if-match any
traffic classifier match_DATA operator or
 if-match acl 3021
traffic classifier match_VOIP operator or
 if-match acl 3022
#
traffic behavior beh_VOIP
 remark dscp ef
traffic behavior DATA_CBWFQ
 queue af bandwidth 300
 statistic enable
 remark dscp af13
traffic behavior VOIP_LLQ
 queue llq bandwidth 300 cbs 7500
 statistic enable
 remark dscp ef
traffic behavior input_police
 statistic enable
 car cir 800 cbs 150400 pbs 250400 green pass yellow discard red discard
traffic behavior beh_DATA
 remark dscp af13
 statistic enable
#
traffic policy input_police
 classifier match_any behavior input_police
traffic policy rz2_toNet_output
 classifier match_DATA behavior DATA_CBWFQ
 classifier match_VOIP behavior VOIP_LLQ
#
#
interface GigabitEthernet0/0/0
 ip address 10.0.0.2 255.255.255.0
 qos gts cir 800 cbs 20000
 traffic-policy rz2_toNet_output outbound
 ipsec policy map1
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
 traffic-policy input_police inbound
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#

Accepted Solution

luka.bik
Level 1

I figured out that IOS version 12 isn't working properly in this case. QoS pre-classify is needed to classify encrypted packets. On the basis of this classification, marking is done afterwards. This marking should be done only on the egress IP header (tunnel mode). It shouldn't be visible in the ingress IP header (on the host computer) as it is in my case. I found a solution to this. It is possible to solve this by establishing the IPsec tunnel with a VTI. There is another problem with VTI: the qos pre-classify command isn't working at all. But it is possible to use a service policy (marking) on the VTI or on the physical interface, so the qos pre-classify command isn't needed at all. All these things are working just fine on IOS version 15.


This could help someone who is facing the same problem. 

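As an added illustration (not code from the post or from either vendor), this Python model contrasts the expected tunnel-mode order, classify on the cleartext and mark only the new outer header, with the order described above for IOS 12, where the inner header is marked before ESP encapsulation and the mark is then copied outward, so it shows up on the remote host. Host roles mirror the posted ACLs (.20 is VOIP, .10 is DATA); copying the inner DSCP to the outer header on encapsulation follows the RFC 4301 default and is an assumption about both platforms.

```python
# Constructed model of DSCP handling in ESP tunnel mode; not Cisco or Huawei code.
from dataclasses import dataclass, replace

# DSCP code points used in the posted configs (six-bit values).
DSCP = {"be": 0, "af13": 14, "af42": 36, "ef": 46}

@dataclass(frozen=True)
class IPv4:
    src: str
    dst: str
    proto: int
    dscp: int = 0  # six-bit DSCP field of the TOS byte

@dataclass(frozen=True)
class Tunnel:
    outer: IPv4  # new header built by ESP tunnel mode (proto 50)
    inner: IPv4  # original header, now inside the ESP payload

def tos_to_dscp(tos: int) -> int:
    """Extract DSCP from a raw TOS byte (upper six bits); 0xB8 -> 46 (EF)."""
    return (tos >> 2) & 0x3F

def classify(pkt: IPv4) -> str:
    """Classification mirroring the posted ACLs: host .20 is VOIP, host .10 is DATA."""
    if pkt.src.endswith(".20"):
        return "ef"
    if pkt.src.endswith(".10"):
        return "af13"
    return "be"

def esp_encapsulate(pkt: IPv4, gw_src: str, gw_dst: str) -> Tunnel:
    """Tunnel mode: build a new outer header; DSCP copied from inner (assumed RFC 4301 default)."""
    return Tunnel(outer=IPv4(gw_src, gw_dst, 50, pkt.dscp), inner=pkt)

def mark_correct(pkt: IPv4, gw_src: str, gw_dst: str) -> Tunnel:
    """Expected order: pre-classify on cleartext, encapsulate, then mark the outer header only."""
    cls = classify(pkt)
    t = esp_encapsulate(pkt, gw_src, gw_dst)
    return replace(t, outer=replace(t.outer, dscp=DSCP[cls]))

def mark_before_encap(pkt: IPv4, gw_src: str, gw_dst: str) -> Tunnel:
    """Observed order: the inner header is rewritten first and the mark is copied outward,
    so the decapsulating peer delivers the gateway's mark to the host."""
    pkt = replace(pkt, dscp=DSCP[classify(pkt)])
    return esp_encapsulate(pkt, gw_src, gw_dst)
```

Comparing `inner.dscp` from both pipelines is the check to run against a capture on the remote LAN: a non-zero inner mark that the host never set is the symptom described in this thread.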

2 Replies


Nice one, luka.bik.

Please do not forget to rate.