topic IPSec Tunnel QoS in General Topics

IPSec Tunnel QoS

david_scott — Tue, 21 Feb 2012 14:30:45 GMT

I have a PA-2050 running 4.0.7. I have an IPSec tunnel that runs between 2 sites (one is a Palo, the other is ??)

I would like to guarantee some level of bandwidth available for this tunnel, to ensure that it gets a level of priority at least over basic web and streaming traffic.

I'm confused about how to assign this priority.

Here's what I've done, based on the doc "How to Configure Quality of Service (QOS)" for PanOS 3.0.0 and above.

I've created a QoS policy Called "Bandwidth Guarantee", with the source zone being "Untrust" and the source IP being the Internet IP of the remote site. The "Destination" zone is also "untrust", with my internet facing IP as the "Destination address". I've added IPSec and IKE as the applications this guarantee applies to. I assigned it to "Class 1".

Next, I created a QoS network profile called "Rate Guarantee" and assigned Class 1 a "Guaranteed Egress" of 50 mbps, a "Maximum Egress" of 100 mbps, and a priority of "Real Time"

Finally, for network QoS I added my Internet facing ethernet interface (ethernet1/1), enabled QoS, assigned "Clear Text" traffic the default QoS policy, and assigned the "Tunnel Interface Default Profile" to "Rate Guarantee".

Now, I would expect that once I committed this config, that I would be able to look at the QoS statistics and see the traffic from my tunnel being applied to Ethernet1/1...Tunnel Traffic...tunnel1.1...Class 1. However, I see nothing being applied, even though the tunnel is up and functioning.

I'm sure I'm missing something. What am I missing?

Re: IPSec Tunnel QoS

bpappas — Mon, 27 Feb 2012 21:17:27 GMT

QoS is applied to the egress interface.

So if you are trying to guarantee bandwidth to your internal users then you would want to apply this policy to your internal trusted interface with the source zone being the zone applied to the tunnel.

-Benjamin

Re: IPSec Tunnel QoS

jay.martin — Wed, 07 Mar 2012 20:40:43 GMT

bpappas - Please excuse me if I'm wrong, and David certainly correct me if I am, but I think David is asking how to guarantee bandwidth for his IPSec tunnel, not necessarily the traffic that flows over that tunnel. Reason I say I think that's what he's after, is that is exactly what I'm after as well. I want to be able to set QoS such that the IPSec tunnel will always have enough bandwidth to stay up, as we've seen circuits get so saturated that the entire tunnel will drop. At least that's how I read David's question. If I am wrong, please respond to my question as well. Thanks - Jay

Re: IPSec Tunnel QoS

mikand — Wed, 07 Mar 2012 22:43:38 GMT

Since you can setup QoS in PAN using appid's I think it should work to add QoS rule that will prioritize ipsec (or subtypes ipsec-ah, ipsec-esp, ipsec-esp-udp, ike depending on your needs) for the physical interface.

The tricky part here is that QoS only works for egress traffic. To bring QoS for incoming ipsec traffic you would need to do equal stuff in your switch/router which your PAN is connected to.

Re: IPSec Tunnel QoS

david_scott — Thu, 08 Mar 2012 04:07:50 GMT

That's exactly what I'm going for, Jay, thanks.