QOS and GRE over IPsec

Unanswered Question
Jan 8th, 2009


I've got my main campus and a remote site connected with a GRE over IPsec tunnel in tunnel mode. The GRE/IPsec works just fine. My problem is with my outbound policy-map. This one is used to police the traffic to the bandwidth of the remote site. It has a child policy to do LLQ for the voice traffic, matching on precedence 5 since I'm doing qos pre-classify.

Problem :

In the parent policy-map, I'm trying to match only some traffic because this is a router-on-a-stick configuration. It's trying to match on ESP from host A to host B, where those hosts are the two VPN gateways. I've got no match in my ACL counter. That's bizarre!

Now, I add to my ACL the permit ip any ... This is my remote site IP range. I've got hits!!! That IP should be buried in GRE. GRE should be encapsulated in ESP. How can an outbound QoS policy (it should be applied last on the traffic, after encryption) be able to match on an encrypted IP field inside the packet? That's really really bizarre!!!

Can anyone tell me what I'm missing here?

dominic.caron Fri, 01/09/2009 - 12:31

QoS pre-classify only copies the inside ToS to the outside header. That would explain why the inner policy-map is doing its job. I can match on IP precedence there but not on UDP port.

My question is more about the outbound parent policy. Since the packets are IPsec, I should match on ESP packets. Problem is, I'm matching on the encrypted IPs.

Still, my link is working fine. The way I see this, it could be a cosmetic bug issue or something related to the configuration of my GRE tunnel. The traffic is entering the router and leaving by the same physical interface. That interface is the source interface of the GRE tunnel and encryption is put on that interface. It's a bit messy.

The next step might be to move the source of the GRE tunnel to a loopback interface. What do you think? I can't add a new physical interface because all the other slots are populated by links from my other remote sites.
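To make the intended design concrete, here is an added IOS configuration sketch (not the poster's configuration, and not Cisco's reference example) of the structure described in this thread: a parent policy on the physical interface that matches only the ESP stream between the two VPN gateways and limits it to the remote site's bandwidth, a child policy doing LLQ on precedence 5, and qos pre-classify on both the tunnel and the crypto map. All addresses, interface and object names, and the 2 Mbit/s figure are placeholders; the parent class uses shape rather than police because a child priority queue needs a shaping parent on most IOS platforms, which is an assumption about the poster's platform.

```cisco
! Constructed example, not the poster's configuration. Placeholders:
!   192.0.2.1   = local VPN gateway, also the GRE tunnel source
!   192.0.2.2   = remote VPN gateway
!   10.20.0.0/16 = remote site LAN, carried inside the GRE tunnel
!
! Parent class: only the ESP stream between the two gateways.
ip access-list extended ACL-ESP-TO-REMOTE
 permit esp host 192.0.2.1 host 192.0.2.2
!
class-map match-all CM-ESP-TO-REMOTE
 match access-group name ACL-ESP-TO-REMOTE
!
! Voice is identified by precedence 5, which survives encryption in the
! outer header (ToS copy / qos pre-classify); inner UDP ports do not.
class-map match-all CM-VOICE
 match ip precedence 5
!
! Child policy: strict priority for voice, fair queueing for the rest.
policy-map PM-CHILD-LLQ
 class CM-VOICE
  priority percent 30
 class class-default
  fair-queue
!
! Parent policy: shape the encrypted stream to the remote site's link
! rate (2 Mbit/s placeholder) and hand queueing to the child policy.
policy-map PM-PARENT-REMOTE
 class CM-ESP-TO-REMOTE
  shape average 2000000
  service-policy PM-CHILD-LLQ
!
! Crypto policy: protect GRE between the two gateways.
ip access-list extended ACL-GRE-TO-REMOTE
 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
crypto map CMAP-VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES
 match address ACL-GRE-TO-REMOTE
 qos pre-classify
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
!
! Router on a stick: same interface sources the tunnel, carries the
! crypto map and the outbound parent policy.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map CMAP-VPN
 service-policy output PM-PARENT-REMOTE
!
ip route 10.20.0.0 255.255.0.0 Tunnel0
```

With this in place, `show policy-map interface GigabitEthernet0/0` should show packets in CM-ESP-TO-REMOTE and, within it, CM-VOICE; `show access-lists ACL-ESP-TO-REMOTE` shows whether the ESP permit entry is actually counting. Zero hits there while a class keyed on the inner addresses does count is exactly the symptom reported above, and it means the parent policy is seeing packets before encryption on that interface rather than after it.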

Giuseppe Larosa Sat, 01/10/2009 - 09:47

Hello Dominic,

>> The traffic is entering the router and leaving by the same physical interface.

Probably you are in a very specific case.

However, I think that QoS pre-classify does more than copying ToS to the outside header, for the simple reason that even without qos pre-classify this happens in most scenarios; for example, we used it on a Cisco 877 with an IPsec/GRE tunnel.

About making changes: if you don't have the additional interface, I don't see any reason to do it.

(golden rule: works? don't touch it)

Hope to help
