Guest

Cisco IOS IPsec

Configuring Per Site QoS with IPsec VPN

Hierarchical Navigation

Downloads

Configuration Guide

Configuring Per Site QoS for IPSec VPN using GRE Tunnel



Figure 1
Network Diagram

Introduction

This document describes how to configure Quality of Service (QoS) for traffic encrypted and carried over a GRE tunnel between a Hub router (Cisco 7200 Series Router) and a spoke router (Cisco 3745 Router). QoS provides the tools for managing congestions and guarantees bandwidth to a specific site.

Prerequisites

The sample QoS configuration is based on the following assumptions:

  • The IPsec peer destination address is static.
  • QoS service policy is required only on the outbound.
  • GRE Tunnel is used to encapsulate the IPsec traffic.

Components Used

The sample configuration uses the following releases of the software and hardware:

  • Cisco 7200 with Cisco IOS® Software Release 12.2(13)T (C7200-IK9O3S-M)
  • Cisco 3745 with Cisco IOS® Software Release 12.2(8)T5 (C3745-JK9S-M)

Figure 1 illustrates the network for the sample configuration.

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.

QoS Configuration Options

The sample configuration minimizes bandwidth guarantees and maximizes bandwidth policing. Additional QoS features that can be used in the policy map include low latency queuing, policing, and random early detection.

In the sample configuration, the class-map matches the peer destination address only. The TOS bits for the original packet are copied to the outer IPsec encapsulation. Additional matching criteria can be created, based on the TOS bits. This enables the application of different service policies to different classes for the same destination site, as well as support applications such as voice and video.

The service policy can be applied on internal or external interfaces to the hub or the spoke routers, and for the input or output traffic. The sample configuration shows the service policy applied to output traffic on the hub router.

For additional information about configuring QoS, refer to Cisco IOS Quality of Service Solutions Configuration Guide.

Cisco 7200 VPN Router Configuration

!
version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname "c7200-12"
!
!
ip subnet-zero
ip cef
!
class-map match-any site1
match access-group 120
! Additional Class-map for other sites can be added here
!
policy-map output
class site1
bandwidth 200
police cir 5000000
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key bigsecret address 10.0.30.245
!
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
!
crypto map static-crypt 6 ipsec-isakmp
set peer 10.0.30.245
set transform-set vpn-test
match address 101
!
!
controller ISA 6/1
!
!
interface Tunnel1
ip unnumbered FastEthernet0/0
ip mtu 1440
tunnel source FastEthernet0/0
tunnel destination 10.0.30.245
crypto map static-crypt
!
interface FastEthernet0/0
ip address 10.0.30.212 255.255.255.0
duplex full
service-policy output output
crypto map static-crypt
!
interface FastEthernet1/0
ip address 10.0.50.212 255.255.255.0
duplex full
!
ip classless
ip route 10.0.149.0 255.255.255.0 Tunnel1
!
!
access-list 101 permit ip 10.0.50.0 0.0.0.255 10.0.149.0 0.0.0.255
access-list 120 permit ip host 10.0.30.212 host 10.0.30.245
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
login
!
!
end

Configuring the Cisco 3745 VPN Router

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
!
hostname c3745-20
!
!
ip subnet-zero
!
!
!
class-map match-any hub
match access-group 120
!
!
policy-map mqcp
class hub
bandwidth 200
police cir 5000000
!
!
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key bigsecret address 10.0.30.212
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map test 1 ipsec-isakmp
set peer 10.0.30.212
set transform-set vpn-test
match address 101
!
!
!
interface Tunnel1
ip unnumbered FastEthernet0/1
ip mtu 1440
tunnel source FastEthernet0/1
tunnel destination 10.0.30.212
crypto map test
!
interface FastEthernet0/0
ip address 10.0.149.220 255.255.255.0
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 10.0.30.245 255.255.255.0
speed 100
full-duplex
service-policy output mqcp
crypto map test
!
ip classless
ip route 10.0.50.0 255.255.255.0 Tunnel1
!
!
access-list 101 permit ip 10.0.149.0 0.0.0.255 10.0.50.0 0.0.0.255
access-list 120 permit ip host 10.0.30.245 host 10.0.30.212
!
!
line con 0
line aux 0
line vty 0 4
login
!
end

Verifying the Results

This section provides information you can use to confirm that your configuration is working properly.

c3745-20#show policy-map

Policy Map mqcp

Class hub

Weighted Fair Queueing

Bandwidth 200 (kbps) Max Threshold 64 (packets)

police cir 5000000 bc 156250

conform-action transmit

exceed-action drop

c3745-20#show policy-map interface fastEthernet 0/1

FastEthernet0/1

Service-policy output: mqcp

Class-map: hub (match-any)

14184215 packets, 8154177518 bytes

30 second offered rate 11005000 bps, drop rate 0 bps

Match: access-group 120

14184214 packets, 8154176952 bytes

30 second rate 11005000 bps

Weighted Fair Queueing

Output Queue: Conversation 265

Bandwidth 200 (kbps) Max Threshold 64 (packets)

(pkts matched/bytes matched) 2384005/1406554530

(depth/total drops/no-buffer drops) 0/0/0

police:

cir 5000000 bps, bc 156250 bytes

conformed 6617799 packets, 3802881934 bytes; actions:

transmit

exceeded 7566416 packets, 4351295584 bytes; actions:

drop

conformed 5000000 bps, exceed 6004000 bps,

Class-map: class-default (match-any)

6496404 packets, 3325859178 bytes

30 second offered rate 0 bps, drop rate 0 bps

Match: any

c3745-20#show access-list

Extended IP access list 101

permit ip 10.0.149.0 0.0.0.255 10.0.50.0 0.0.0.255 (1103479860 matches)

Extended IP access list 120

permit ip host 10.0.30.245 host 10.0.30.212 (561133541 matches)

Troubleshooting the Configuration

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which analyzes show command output.

Note: Before issuing debug commands, see Important Information about Debug Commands .

  • debug crypto isakmp—Displays errors during Phase 1.
  • debug crypto ipsec—Displays errors during Phase 2.
  • debug crypto engine—Displays information from the crypto engine.
  • debug ip your routing protocol—Displays information about routing transactions of your routing protocol.
  • clear crypto connection connection-id [slot | rsm | vip]—Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to see the connection-id value.
  • clear crypto isakmp—Clears the Phase 1 security associations.
  • clear crypto sa—Clears the Phase 2 security associations.

Related Information

IPsec Support Page

An Introduction to IP Security (IPsec) Encryption

Configuring IPsec Network Security

Configuring Internet Key Exchange Security Protocol

Command Lookup Tool (registered customers only)

Technical Support - Cisco Systems