We have an environment with about 120 STS VPN sites. Each site terminates IPSec on an ipsecdist router that is in a DMZ. Each site also terminates a GRE tunnel on a vpndist router that is on our trusted network. Currently, QoS is applied outbound on the tunnel interfaces on the vpndist routers.
The issue we are having with the current configuration is that the policy map and shaping policies are not accounting for the 52 bytes that are added after the packet leaves the vpndist router and gets encapsulated in IPSec by the ipsecdist router.
Is there a QoS mechanism that we can use to instruct the vpndist router to add 52 bytes to each packet before calculating the bandwidth percentages in the policy map and the overall rate in the shaping policy?