Cisco IPSEC and QOS


  • Cisco IPSEC and QOS

    Hi all,
    My routers are connected to a central router (Cisco 3800) by two connections (leased line and satellite), and I set QOS between my connections.
    Now I want to configure them to use IPSEC. Below you can see my config. I have two problems:
    First, is it possible to set QOS and IPSEC together without problems? Does it need some changes in my config, because when I set it, timeouts and packet loss between them increased?

    Second, can I configure IPSEC on the physical interface and QOS on the tunnel?
    Can I configure the tunnel so that it first encrypts the packet with IPSEC and then tags it with QOS?



    ip domain name lib.org
    ip host PKI.lib.org 172.20.118.5
    crypto pki trustpoint ipsec_lib
    enrollment mode ra
    enrollment url http://pki.lib.org:80//cgi-bin/scep/scep
    serial-number none
    ip-address 10.199.1.1
    password 123456
    subject-name cn=Backup-3845, ou=Security, o=lib, c=org
    crl query ldap://pki.lib.org
    revocation-check none
    rsakeypair 1024-Router1
    !
    crypto pki certificate map certmap 1
    issuer-name co lib.org
    !

    crypto isakmp policy 10
    hash md5
    !
    crypto isakmp profile 121vpn
    ca trust-point ipsec_lib
    match certificate certmap
    !
    crypto ipsec transform-set strong ah-md5-hmac esp-des

    !
    crypto map mymap 10 ipsec-isakmp
    set peer 10.199.1.3
    set transform-set strong
    set isakmp-profile 121vpn
    match address 150
    !

    access-list 150 permit ip 10.112.0.128 0.0.0.127 any




    interface Tunnel10011
    description Tunnel to 3845-1 via Leased Line
    bandwidth 64
    ip address 10.199.1.1 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1400
    ip ospf network point-to-point
    ip ospf cost 11
    keepalive 10 3
    tunnel source FastEthernet0/1.100
    tunnel destination 10.229.10.2
    crypto map mymap
    !
    interface Tunnel10012
    description Tunnel to 3845-1 via Sat
    bandwidth 128
    ip address 10.199.1.5 255.255.255.252
    ip mtu 1400
    ip tcp adjust-mss 1400
    ip ospf network point-to-point
    ip ospf cost 23
    keepalive 10 3
    tunnel source FastEthernet0/1.300
    tunnel destination 192.168.254.253


    interface FastEthernet0/0
    description The Gate to the Internal Branch Network
    ip address 10.112.0.126 255.255.255.128
    duplex auto
    speed auto
    service-policy input TOTAL-IN
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.100
    description Link to MPLS Network
    encapsulation dot1Q 100
    ip address 10.142.15.2 255.255.255.0
    service-policy output FOR-MPLS
    !
    interface FastEthernet0/1.200
    description Link to SAT Network
    encapsulation dot1Q 200
    !
    interface FastEthernet0/1.300
    description Link to SAT Network
    encapsulation dot1Q 300
    ip address 192.168.254.1 255.255.255.0
    service-policy output FOR-SAT
    !
    router ospf 1
    router-id 1.0.0.1
    no log-adjacency-changes
    passive-interface FastEthernet0/0
    passive-interface FastEthernet0/1.100
    passive-interface FastEthernet0/1.300
    network 10.112.0.0 0.0.0.127 area 2
    network 10.199.1.0 0.0.0.3 area 2
    network 10.199.1.4 0.0.0.3 area 2
    network 10.199.1.8 0.0.0.3 area 2
    network 10.199.1.12 0.0.0.3 area 2
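
The following is an added example, not part of the original post: a small Python audit for the QoS/IPsec interplay the question raises. It flags tunnel interfaces whose source interface carries an egress `service-policy` but which lack `qos pre-classify` (so class-maps matching inner addresses or ports only see the outer header), and transform sets that use DES or HMAC-MD5. The function names, finding labels and the trimmed, indented sample are assumptions made for the example.

```python
WEAK_TRANSFORMS = {"esp-des", "ah-md5-hmac", "esp-md5-hmac"}  # DES and HMAC-MD5

# Constructed sample: trimmed copy of stanzas from the post, indented the way
# "show running-config" prints sub-commands.
SAMPLE = """\
crypto ipsec transform-set strong ah-md5-hmac esp-des
!
interface Tunnel10011
 tunnel source FastEthernet0/1.100
 crypto map mymap
!
interface Tunnel10012
 tunnel source FastEthernet0/1.300
!
interface FastEthernet0/1.100
 service-policy output FOR-MPLS
!
interface FastEthernet0/1.300
 service-policy output FOR-SAT
"""

def stanzas(text):
    """Group an IOS config into {top-level line: [indented sub-commands]}."""
    out, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            out[current].append(line)
        else:
            current = line
            out[current] = []
    return out

def audit(text):
    """Return (object name, finding) tuples in config order."""
    cfg, findings = stanzas(text), []
    for head, body in cfg.items():
        words = head.split()
        if head.startswith("interface Tunnel"):
            # Follow "tunnel source <interface>" to the egress interface.
            src = next((l.split()[-1] for l in body if l.startswith("tunnel source ")), None)
            egress = cfg.get(f"interface {src}", [])
            has_policy = any(l.startswith("service-policy output ") for l in egress)
            if has_policy and "qos pre-classify" not in body:
                findings.append((words[1], "no-pre-classify"))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            weak = WEAK_TRANSFORMS.intersection(words[4:])
            if weak:
                findings.append((words[3], "weak-transform:" + ",".join(sorted(weak))))
    return findings
```

A tunnel whose source is given as an IP address rather than an interface name is not followed and produces no finding.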