I have a few site-to-site VPNs enabled, all in tunnel mode. They are all 1700 series, so I cannot use the qos pre-classify command. If I change the tunnels to transport mode, I will be able to use QoS features. Will I have to change my configuration at all to accommodate transport mode?
Yes, and in a fairly big way. Using transport mode presupposes that the traffic between the sites has already been tunneled by some other means such as GRE. This is a perfectly valid way of doing things, but you will need to read up on using crypto with GRE so that you know what is involved.
So, I actually have a config that uses GRE and IPSec vs. just IPSec in tunnel mode. So, I can actually use transport mode and QoS, since GRE tunnels the packet first and then IPSec is applied, correct? I just need to apply the crypto map to the tunnel interface and the physical interface?
I run the exact same setup that you are wanting to do. I have a hub VPN router (2621 series with AIM encryption module) and 14 sites running VPN into that hub router (remote sites have 2621s also).
What you are going to do is create a GRE tunnel between the external interfaces on your routers. It's best to create and verify that the tunnel operates prior to applying a crypto map. Then you are going to modify your IPSEC transform set to use "transport" mode rather than tunnel mode. Once the GRE tunnel is up, and you have created an access-list defining what traffic to encrypt, you can apply the crypto map (to both routers) and encrypt the packets that pass through the tunnel.
After that, set up your QoS and apply it to your tunnel interfaces.
A couple of important things to remember. First, never apply or change an access-list while the crypto map is applied to the tunnel interface. Something freaks out when you do that, and it takes the physical interface down so badly that you need to perform a physical reboot. Second, running your system in this manner allows you to do some things that aren't possible with IPSEC tunnels. QoS is one of them, but routing is another. You can broadcast your routes out your Tunnel interface and your remote router will pick them up. It's also a good troubleshooting tool. Let's say you apply a crypto map and it doesn't work for some reason. If you can see your remote router getting routing updates, you know your GRE tunnel is up and running, so your problem is narrowed down to a misconfiguration on your IPSEC encryption setup (access-lists, usually!).
One last thing: if you plan to route Internet traffic through your GRE tunnel (we do, because we monitor traffic outbound at our firewall), look up the whitepaper on Cisco's web site about not being able to browse through a GRE tunnel. You might have to add the command "ip tcp mss adjust 1400" to your tunnel interface to enable browsing. Not a big deal really, but it took me some time to figure out my firewall wasn't at fault.
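The steps in the post above (GRE tunnel first, transform set switched to transport mode, an access-list that matches only the GRE traffic, then the crypto map, then QoS on the tunnel interface), collected into one hub-side IOS configuration. This is an added example, not a config from the original thread; the addresses come from the RFC 5737 documentation ranges, the pre-shared key, interface names, policy names and shaper rate are placeholders, and the AES/SHA/group 14 algorithm choices assume an IOS image that supports them (older 1700/2600 images may only offer weaker options, so match the transform set to what the platform actually provides). The MSS clamp uses the IOS keyword form `ip tcp adjust-mss`.

```cisco
! Added example (not from the thread): hub side of GRE over IPsec in
! transport mode, with QoS classified on the cleartext tunnel side.
! All addresses, names and the key are placeholders.
!
! 1. GRE tunnel between the two routers' public interfaces. Bring this
!    up and verify it (ping 10.255.0.2, watch routing updates) before
!    any crypto map is applied.
interface Tunnel0
 description GRE to remote site (placeholder)
 ip address 10.255.0.1 255.255.255.252
 ip tcp adjust-mss 1400
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 service-policy output TUNNEL-QOS
!
! 2. IKE phase 1 and the IPsec transform set. "mode transport" is the
!    one-line change the thread is about: GRE already provides the
!    outer header, so ESP only needs to protect the GRE payload.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! 3. Encrypt exactly the GRE traffic between the tunnel endpoints and
!    nothing else. Finalise this list before the crypto map goes on.
ip access-list extended GRE-TRAFFIC
 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address GRE-TRAFFIC
!
! 4. QoS on the tunnel interface: the policy sees the inner packet
!    before it is GRE-wrapped and encrypted, which is why no
!    "qos pre-classify" is needed. A parent shaper (placeholder rate,
!    set it to the real WAN rate) gives the child LLQ something to
!    queue against, since a tunnel itself has no bandwidth limit.
class-map match-any VOICE
 match ip dscp ef
policy-map TUNNEL-QOS-CHILD
 class VOICE
  priority 256
 class class-default
  fair-queue
policy-map TUNNEL-QOS
 class class-default
  shape average 1536000
  service-policy TUNNEL-QOS-CHILD
!
! 5. Crypto map on the physical (tunnel source) interface, applied
!    last and on both routers.
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-MAP
```

The remote router mirrors this with the addresses swapped. Where the crypto map goes depends on the IOS release: images from 12.2(13)T onward only need it on the physical interface that sources the tunnel, while older images required it on both the Tunnel and the physical interface, which is the behaviour the question in the thread alludes to. After applying it, `show crypto ipsec sa` should show the GRE-TRAFFIC flow with encaps/decaps counters climbing, and routing updates arriving over Tunnel0 confirm the GRE side independently of the crypto side.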