Cisco IOS IPsec

Configuring QoS for Encrypted Traffic with IPsec

Configuration Guide


Figure 1. Network Diagram (image not reproduced in this text version)

Introduction

This document describes how to configure Quality of Service (QoS) for encrypted traffic. All encrypted traffic sent from the hub router (Cisco 7200 Series Router) and the spoke router (Cisco 3745 Series Router) receives an output QoS service policy. The QoS policy is enabled on the public interface, and it examines the traffic before the traffic is encrypted. The policy is configured using the Modular Quality of Service Command-Line Interface (MQC).

Prerequisites

The sample QoS configuration is based on the following assumptions:

  • QoS is applied to all IPsec traffic that leaves the public interface.
  • A QoS policy is required only in the outbound direction.

Components Used

The sample configuration uses the following releases of the software and hardware:

  • Cisco 7200 with Cisco IOS® Software Release 12.2(13)T (C7200-IK9O3S-M)
  • Cisco 3745 with Cisco IOS® Software Release 12.2(8)T5 (C3745-JK9S-M)

Figure 1 illustrates the network for the sample configuration.

The information presented in this document was created from devices in a specific lab environment. All of the devices started with a cleared (default) configuration. If you are working in a live network, it is imperative to understand the potential impact of any command before implementing it.

QoS Configuration Options

The sample configuration guarantees a minimum amount of bandwidth (256 kbps in the policy map) for all IPsec traffic that leaves the routers while allowing that traffic to use as much of the interface bandwidth as is available. Other traffic on the interface can use the bandwidth that IPsec traffic does not use, and IPsec traffic can share the rest of the non-reserved bandwidth. Additional QoS features can be used in the policy map: low latency queuing, traffic shaping, and weighted random early detection.

In the sample configuration, the class map matches all IPsec traffic leaving the routers; the match is made with ACL 122 (permit esp any any). Additional matching criteria can be based on the ToS bits, the IPsec peer source address, and the destination address. The ToS bits of the original packet are copied to the outer IPsec encapsulation header, which allows different service policies to be applied to different classes of traffic bound for the same destination site and supports applications such as voice and video.

The service policy could be applied to input or to output traffic on the public interface of either router. The sample configuration applies the service policy to output traffic on both the hub and the spoke router.

For additional information about configuring QoS, refer to the Cisco IOS Quality of Service Solutions Configuration Guide.
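The following Python model is an added example and is not part of the Cisco document; it shows why the class map in this configuration matches ESP rather than the inner addresses. Crypto ACL 101 decides which packets are encrypted, ESP tunnel-mode encapsulation replaces the IP header with the peer addresses while copying the inner ToS byte, and QoS ACL 122 is evaluated against the outer (encrypted) packet. The addresses and ACLs are the hub router's from the document; the class "encr-voice" and its DSCP EF match are hypothetical additions that illustrate the ToS-based matching described above.

```python
# Added example; not part of the Cisco document. Models how the hub's sample
# configuration treats a packet: crypto ACL 101 decides what gets encrypted,
# ESP tunnel-mode encapsulation copies the inner ToS byte to the outer header,
# and QoS ACL 122 / class-map encr-traffic classify the *outer* packet.
# The class "encr-voice" and its DSCP EF criterion are hypothetical additions.
import ipaddress
from dataclasses import dataclass

ESP = 50          # IP protocol number for ESP
DSCP_EF = 46      # Expedited Forwarding; ToS byte 0xB8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # IP protocol number (6 = TCP, 17 = UDP, 50 = ESP)
    tos: int     # ToS byte; the DSCP is its top six bits


@dataclass(frozen=True)
class AclEntry:
    proto: str      # "ip" matches any protocol, "esp" matches protocol 50
    src: str
    src_wild: str   # IOS wildcard mask: set bits are "don't care"
    dst: str
    dst_wild: str

    def matches(self, pkt):
        if self.proto == "esp" and pkt.proto != ESP:
            return False
        return (_wild_match(pkt.src, self.src, self.src_wild)
                and _wild_match(pkt.dst, self.dst, self.dst_wild))


def _wild_match(addr, acl_addr, wildcard):
    """IOS wildcard comparison: only bits clear in the wildcard must agree."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(acl_addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


# From the document: access-list 101 permit ip 10.0.50.0 0.0.0.255 10.0.149.0 0.0.0.255
ACL_101 = [AclEntry("ip", "10.0.50.0", "0.0.0.255", "10.0.149.0", "0.0.0.255")]
# From the document: access-list 122 permit esp any any
ACL_122 = [AclEntry("esp", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")]

HUB_PUBLIC, SPOKE_PUBLIC = "10.0.30.212", "10.0.30.245"   # crypto map peers


def acl_permits(acl, pkt):
    """First-match semantics; an implicit deny follows the last entry."""
    return any(entry.matches(pkt) for entry in acl)


def encapsulate(pkt, local, peer):
    """ESP tunnel mode: new outer IP header, ToS copied from the inner header."""
    return Packet(src=local, dst=peer, proto=ESP, tos=pkt.tos)


def dscp(pkt):
    return pkt.tos >> 2


def classify(outer):
    """Class selection on the packet as it appears on the wire (after encryption)."""
    if acl_permits(ACL_122, outer) and dscp(outer) == DSCP_EF:
        return "encr-voice"        # hypothetical class: match-all esp + dscp ef
    if acl_permits(ACL_122, outer):
        return "encr-traffic"      # the document's class: match access-group 122
    return "class-default"


def egress(pkt):
    """Return (packet as transmitted, QoS class) for a packet leaving the hub."""
    if acl_permits(ACL_101, pkt):
        pkt = encapsulate(pkt, HUB_PUBLIC, SPOKE_PUBLIC)
    return pkt, classify(pkt)


if __name__ == "__main__":
    for p in (Packet("10.0.50.7", "10.0.149.9", 6, 0),
              Packet("10.0.50.7", "10.0.149.9", 17, 0xB8),
              Packet("10.0.50.7", "192.0.2.1", 6, 0xB8)):
        print(p, "->", egress(p))
```

A packet from 10.0.50.0/24 to 10.0.149.0/24 leaves the hub as ESP between 10.0.30.212 and 10.0.30.245 and therefore lands in encr-traffic; a packet to any other destination is sent in the clear and falls into class-default even when it carries an EF marking, because ACL 122 only permits ESP.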

Cisco 7200 VPN Router Configuration

version 12.2
service timestamps debug datetime
service timestamps log datetime
no service password-encryption
!
hostname "c7200-12"
!
ip subnet-zero
ip cef
!
class-map match-any encr-traffic
  match access-group 122
!
!
policy-map output
  class encr-traffic
   bandwidth 256
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 10.0.30.245
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map static-crypt 6 ipsec-isakmp
 set peer 10.0.30.245
 set transform-set vpn-test
 match address 101
!
controller ISA 6/1
!
interface FastEthernet0/0
 ip address 10.0.30.212 255.255.255.0
 duplex full
 service-policy output output
 crypto map static-crypt
!
interface FastEthernet1/0
 ip address 10.0.50.212 255.255.255.0
 duplex full
!
ip classless
!
ip route 10.0.149.0 255.255.255.0 10.0.30.245
!
access-list 101 permit ip 10.0.50.0 0.0.0.255 10.0.149.0 0.0.0.255
access-list 122 permit esp any any
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 login
!
!
end

Cisco 3745 VPN Router Configuration

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname c3745-20
!
!
ip subnet-zero
!
!
class-map match-any encr-traffic
  match access-group 122
!
!
policy-map output
  class encr-traffic
   bandwidth 256
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key bigsecret address 10.0.30.212
!
crypto ipsec transform-set vpn-test esp-3des esp-sha-hmac
!
crypto map test 1 ipsec-isakmp
 set peer 10.0.30.212
 set transform-set vpn-test
 match address 101
!
!
interface FastEthernet0/0
 ip address 10.0.149.220 255.255.255.0
 speed 100
 full-duplex
!
interface FastEthernet0/1
 ip address 10.0.30.245 255.255.255.0
 speed 100
 full-duplex
 service-policy output output
 crypto map test
!
!
ip classless
!
ip route 10.0.50.0 255.255.255.0 10.0.30.212
!
access-list 101 permit ip 10.0.149.0 0.0.0.255 10.0.50.0 0.0.0.255
access-list 122 permit esp any any
!
line con 0
 exec-timeout 600 0
line aux 0
line vty 0 4
 login
!
end

Verifying the Results

This section provides information you can use to confirm that your configuration is working properly.

c3745-20#sh policy-map output
  Policy Map output
    Class encr-traffic
      Weighted Fair Queueing
            Bandwidth 256 (kbps) Max Threshold 64 (packets)

c3745-20#show policy-map interface fastEthernet 0/1
 FastEthernet0/1

  Service-policy output: output

    Class-map: encr-traffic (match-any)
      4583480 packets, 2594249680 bytes
      30 second offered rate 10558000 bps, drop rate 0 bps
      Match: access-group 122
        4583480 packets, 2594249680 bytes
        30 second rate 108000 bps
      Weighted Fair Queueing
        Output Queue: Conversation 265
        Bandwidth 256 (kbps) Max Threshold 64 (packets)
        (pkts matched/bytes matched) 36941/21794950
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: class-default (match-any)
      6770567 packets, 3498848396 bytes
      30 second offered rate 9550000 bps, drop rate 0 bps
      Match: an

c3745-20#sh access-list
Extended IP access list 101
    permit ip 10.0.149.0 0.0.0.255 10.0.50.0 0.0.0.255 (931215910 matches)
Extended IP access list 122
    permit esp any any (4826174 matches)

Access list 101 shows matches for the traffic that is to be encrypted, while access list 122 shows the encrypted (ESP) traffic that has matched the class map encr-traffic.
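The parser below is an added example, not part of the Cisco document, that turns the show policy-map interface output above into per-class counters and applies the checks an operator would run after deploying this policy: the encr-traffic class is present, it keeps its 256 kbps guarantee, it is not dropping, and it has actually matched ESP packets. The sample text is constructed from the c3745-20 output shown above; the "Match: any" line under class-default is assumed, since it is cut off in the document.

```python
# Added example; not part of the Cisco document. Parses "show policy-map
# interface" output and checks the health of the ESP class.
import re

# Constructed sample: the document's c3745-20 output, re-indented as IOS
# prints it; the "Match: any" line under class-default is assumed.
SAMPLE = """\
FastEthernet0/1
  Service-policy output: output
    Class-map: encr-traffic (match-any)
      4583480 packets, 2594249680 bytes
      30 second offered rate 10558000 bps, drop rate 0 bps
      Match: access-group 122
        4583480 packets, 2594249680 bytes
        30 second rate 108000 bps
      Weighted Fair Queueing
        Output Queue: Conversation 265
        Bandwidth 256 (kbps) Max Threshold 64 (packets)
        (pkts matched/bytes matched) 36941/21794950
        (depth/total drops/no-buffer drops) 0/0/0
    Class-map: class-default (match-any)
      6770567 packets, 3498848396 bytes
      30 second offered rate 9550000 bps, drop rate 0 bps
      Match: any
"""

CLASS_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\((match-\w+)\)")
PKT_RE = re.compile(r"^\s*(\d+) packets, (\d+) bytes")
RATE_RE = re.compile(r"offered rate (\d+) bps, drop rate (\d+) bps")
BW_RE = re.compile(r"Bandwidth (\d+) \(kbps\)")
DROP_RE = re.compile(r"\(depth/total drops/no-buffer drops\) (\d+)/(\d+)/(\d+)")


def parse_policy_map(text):
    """Map each class-map name to its counters.

    The first "packets, bytes" line after a Class-map header is the class
    total; the indented one under "Match:" is a per-criterion count and is
    ignored so that the totals are not overwritten.
    """
    classes, cur = {}, None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            cur = classes.setdefault(m.group(1), {"match": m.group(2)})
            continue
        if cur is None:
            continue
        if (m := PKT_RE.match(line)) and "packets" not in cur:
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        elif m := RATE_RE.search(line):
            cur["offered_bps"], cur["drop_bps"] = int(m.group(1)), int(m.group(2))
        elif m := BW_RE.search(line):
            cur["bandwidth_kbps"] = int(m.group(1))
        elif m := DROP_RE.search(line):
            cur["queue_depth"], cur["total_drops"], cur["no_buffer_drops"] = map(int, m.groups())
    return classes


def check_encrypted_class(classes, name="encr-traffic", min_kbps=256):
    """Return a list of problems; an empty list means the ESP class looks healthy."""
    c = classes.get(name)
    if c is None:
        return [f"class {name} is not attached to this interface"]
    problems = []
    if c.get("bandwidth_kbps", 0) < min_kbps:
        problems.append(f"{name}: bandwidth {c.get('bandwidth_kbps', 0)} kbps is below {min_kbps} kbps")
    if c.get("drop_bps", 0) or c.get("total_drops", 0):
        problems.append(f"{name}: dropping ({c.get('drop_bps', 0)} bps, {c.get('total_drops', 0)} total drops)")
    if c.get("packets", 0) == 0:
        problems.append(f"{name}: no ESP packets matched (tunnel idle or crypto map not applied)")
    return problems


if __name__ == "__main__":
    parsed = parse_policy_map(SAMPLE)
    for cname, counters in parsed.items():
        print(cname, counters)
    print("problems:", check_encrypted_class(parsed) or "none")
```

Feeding the output of the same command collected after a change (or periodically) through check_encrypted_class gives a simple drift check: a drop rate above zero in encr-traffic means the guarantee is being exceeded, and zero matched packets while the tunnel should be busy usually means the crypto map or the service policy is no longer on the interface.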

Troubleshooting the Configuration

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which analyzes show command output.

Note: Before issuing debug commands, see Important Information about Debug Commands.

  • debug crypto isakmp—Displays errors during Phase 1.
  • debug crypto ipsec—Displays errors during Phase 2.
  • debug crypto engine—Displays information from the crypto engine.
  • debug ip <routing-protocol>—Displays information about routing transactions of the routing protocol in use.
  • clear crypto connection connection-id [slot | rsm | vip]—Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. Use the show crypto cisco connections command to see the connection-id value.
  • clear crypto isakmp—Clears the Phase 1 security associations.
  • clear crypto sa—Clears the Phase 2 security associations.

Related Information

IPsec Support Page

An Introduction to IP Security (IPsec) Encryption

Configuring IPsec Network Security

Configuring Internet Key Exchange Security Protocol

Command Lookup Tool (registered customers only)

Technical Support - Cisco Systems