- QoS on encrypted connection over DSL
- Posted by stefan.gasteiger@gendorf.de on February 20th, 2007
Hi!
I configured a 1841 with a dialer interface (ADSL with PPPoE) to the
internet.
Then I set up a second router at another site with the same config.
After that I configured an IPsec tunnel between the two sites by using a
crypto map.
Everything works great so far, but then I try to set up QoS by defining
a policy map and attaching it to the outgoing interface. But that does
not work, because the access lists don't seem to match outgoing either
on the dialer or on the ethernet interface (they only match when I
use the ACLs as an ip access-group directly on the incoming ethernet
interface).
I urgently need QoS on the tunnel and am desperately looking for a
solution!
I attached the config of one router. Thanks for your help!
----------------- snip -------------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpn-w01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 XXXXX
!
no aaa new-model
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
!
ip inspect tcp idle-time 28800
ip inspect name INSPECTION cuseeme
ip inspect name INSPECTION ftp
ip inspect name INSPECTION h323
ip inspect name INSPECTION icmp
ip inspect name INSPECTION netshow
ip inspect name INSPECTION rcmd
ip inspect name INSPECTION realaudio
ip inspect name INSPECTION rtsp
ip inspect name INSPECTION esmtp
ip inspect name INSPECTION sqlnet
ip inspect name INSPECTION streamworks
ip inspect name INSPECTION tftp
ip inspect name INSPECTION tcp
ip inspect name INSPECTION udp
ip inspect name INSPECTION vdolive
ip inspect name INSPECTION ssh
ip tcp synwait-time 10
ip tcp path-mtu-discovery
!
!
ip ips notify SDEE
no ip bootp server
ip domain name autohaus-holzer.de
ip name-server 194.25.2.129
ip ssh source-interface Vlan1
!
!
!
username admin privilege 15 password 7 01121409521F070824
!
!
class-map match-all terminalserver
match access-group 100
class-map match-all vaudis
match access-group 101
class-map match-all ipsec
match protocol ipsec
!
!
policy-map vw-policy
class terminalserver
bandwidth percent 30
class vaudis
bandwidth percent 30
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 1234567890 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 20
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map ENCRYPT 1 ipsec-isakmp
set peer 87.139.35.100
set transform-set ESP-3DES-SHA
match address TOVPN
qos pre-classify
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description OUTSIDE
bandwidth 128
no ip address
no ip unreachables
no ip proxy-arp
ip mtu 1472
ip tcp adjust-mss 1416
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
service-policy output vw-policy
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
description INSIDE
ip address 10.59.166.129 255.255.255.128
no ip proxy-arp
ip nat inside
no ip virtual-reassembly
!
interface Dialer0
description OUTSIDE
bandwidth 128
ip address negotiated
no ip unreachables
no ip proxy-arp
ip mtu 1472
ip inspect INSPECTION out
ip nat outside
ip virtual-reassembly max-reassemblies 1024
encapsulation ppp
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1416
dialer pool 1
dialer string 01133
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname 000385648292520071291161#0001@t-online.de
ppp chap password XXXXX
crypto map ENCRYPT
service-policy output vw-policy
!
interface Dialer1
no ip address
no cdp enable
service-policy output vw-policy
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.0.0.0 Dialer0
ip route 10.59.172.128 255.255.255.128 Dialer0
ip route 87.139.35.100 255.255.255.255 Dialer0
[... some routes omitted ...]
!
ip nat inside source route-map TONAT interface Dialer0 overload
!
ip access-list extended INSIDE_IN
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip 10.59.166.128 0.0.0.127 any
ip access-list extended OUTSIDE_IN
permit ip any 10.59.166.128 0.0.0.127
[... some more ACLs omitted ...]
ip access-list extended TONAT
deny ip 10.59.166.128 0.0.0.127 any
ip access-list extended TOVPN
permit ip 10.59.166.128 0.0.0.127 any
!
access-list 100 permit tcp 10.59.166.128 0.0.0.127 any eq 3389
access-list 101 permit tcp any any eq telnet
dialer-list 1 protocol ip permit
no cdp run
route-map TONAT permit 1
match ip address TONAT
!
- Posted by headsetadapter.com on February 20th, 2007
Attach policy to INBOUND interface (VLAN 1 in your case). That's where your
traffic is not NATed and not encrypted, and you can specify TCP port. After
you encrypt traffic, you cannot distinguish between various types of
traffic.
Good luck,
Mike
------
Cisco IP Phone PC Headset Adapters
www.ciscoheadsetadapter.com
<stefan.gasteiger@gendorf.de> wrote in message
news:1171968447.219310.56790@k78g2000cwa.googlegroups.com...
- Posted by Bod43@hotmail.co.uk on February 20th, 2007
On 20 Feb, 12:00, "headsetadapter.com" <for-s...@mail.com> wrote:
My understanding is that the qos pre-classify does take care of this.
The packets are classified before crypto, tracked through the various
processes and then are still "classified" even after encryption
so the router can in principle do fancy queuing.
In practice with DSL it seems rather difficult.
With an ethernet internet side, no problem.
- Posted by Gabriele Beltrame on February 20th, 2007
<Bod43@hotmail.co.uk> wrote in message
news:1171979374.297530.205910@p10g2000cwp.googlegroups.com...
Hi,
qos pre-classify lets you classify traffic at the outbound interface by
creating a temporary copy of the L3 and L4 headers of the original
unencrypted packet.
IPSec in tunnel mode copies the IP ToS field from the inner to the outer IP
header.
As I see it you can either classify at the ingress interface or at the
egress interface using qos pre-classify in your crypto map; if using GRE
"qos pre-classify" has to be applied to the tunnel interface also.
Regards,
Gabriele
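Added illustration, not posted by anyone in this thread: a small Python model of the classification problem Mike, Bod43 and Gabriele describe. It uses access-list 100 and the peer 87.139.35.100 from Stefan's config; the local public address 203.0.113.10 is a constructed placeholder, and the DSCP value is an assumed marking applied on the inside interface.

```python
"""Why a port-based ACL stops matching once IPsec ESP tunnel mode has wrapped
the packet, and the two ways around it the thread discusses: 'qos pre-classify'
(classify on a retained copy of the inner headers) or matching on the ToS/DSCP
byte, which tunnel mode copies into the outer header. Constructed model, not
Cisco IOS code."""
from dataclasses import dataclass
from typing import Optional

ESP = 50   # IP protocol number of ESP: all the egress ACL sees after encryption
TCP = 6

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    tos: int = 0
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # clear-text headers kept by qos pre-classify

def in_subnet(ip: str, net: str, wildcard: str) -> bool:
    """Cisco-style wildcard match: bits set in the wildcard are ignored."""
    i = int.from_bytes(bytes(map(int, ip.split("."))), "big")
    n = int.from_bytes(bytes(map(int, net.split("."))), "big")
    w = int.from_bytes(bytes(map(int, wildcard.split("."))), "big")
    return (i & ~w) == (n & ~w)

def acl_100(p: Packet) -> bool:
    """access-list 100 permit tcp 10.59.166.128 0.0.0.127 any eq 3389"""
    return (p.proto == TCP and p.dport == 3389
            and in_subnet(p.src, "10.59.166.128", "0.0.0.127"))

def esp_tunnel_encap(p: Packet, local: str, peer: str, pre_classify: bool) -> Packet:
    """Tunnel mode: new outer IP header, ESP payload. Only the ToS byte survives in
    the clear; with pre_classify the router also keeps the inner L3/L4 headers."""
    return Packet(src=local, dst=peer, proto=ESP, tos=p.tos,
                  inner=p if pre_classify else None)

def classify(p: Packet) -> str:
    """'class-map terminalserver / match access-group 100' on the egress interface:
    match on the retained inner headers when present, else on the outer packet."""
    view = p.inner if p.inner is not None else p
    return "terminalserver" if acl_100(view) else "class-default"

def classify_by_dscp(p: Packet, dscp: int) -> str:
    """Alternative: 'match ip dscp <value>' works on the outer header because
    tunnel mode copied ToS; assumes traffic was marked on the inside interface."""
    return "terminalserver" if (p.tos >> 2) == dscp else "class-default"
```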