Cisco IPSEC and QOS

[kamal1352]

#155262

Hi all
My routers are connected to a central router (cisco 3800) by two connections(Leased line and Satellite), and I set QOS between my connections.
Now I want to config them to use IPSEC. In following you can see my config,I have two problems:
First, Is it possible to set QOS and IPSEC together without problem. does it need some changes in my config, because when I set it timeout and loss packet between them are increased.

Second, Can I config IPSEC in physical interface and QOS on tunnel?
Can I config tunnel that first encrypt packet with ipsec then tag with QOS?

ip domain name lib.org
ip host PKI.lib.org 172.20.118.5
crypto pki trustpoint ipsec_lib
enrollment mode ra
enrollment url http://pki.lib.org:80//cgi-bin/scep/scep
serial-number none
ip-address 10.199.1.1
password 123456
subject-name cn=Backup-3845, ou=Security, o=lib, c=org
crl query ldap://pki.lib.org
revocation-check none
rsakeypair 1024-Router1
|
crypto pki certificate map certmap 1
issuer-name co lib.org
|

crypto isakmp policy 10
hash md5
|
crypto isakmp profile 121vpn
ca trust-point ipsec_lib
match certificate certmap
|
crypto ipsec transform-set strong ah-md5-hmac esp-des

|
crypto map mymap 10 ipsec-isakmp
set peer 10.199.1.3
set transform-set strong
set isakmp-profile 121vpn
match address 150
|

access list 150 permit ip 10.112.0.128 0.0.0.127 any

interface Tunnel10011
description Tunnel to 3845-1 via Leased Line
bandwidth 64
ip address 10.199.1.1 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1400
ip ospf network point-to-point
ip ospf cost 11
keepalive 10 3
tunnel source FastEthernet0/1.100
tunnel destination 10.229.10.2
crypto map mymap
!
interface Tunnel10012
description Tunnel to 3845-1 via Sat
bandwidth 128
ip address 10.199.1.5 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1400
ip ospf network point-to-point
ip ospf cost 23
keepalive 10 3
tunnel source FastEthernet0/1.300
tunnel destination 192.168.254.253

interface FastEthernet0/0
description The Gate to the Internal Branch Network
ip address 10.112.0.126 255.255.255.128
duplex auto
speed auto
service-policy input TOTAL-IN
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.100
description Link to MPLS Network
encapsulation dot1Q 100
ip address 10.142.15.2 255.255.255.0
service-policy output FOR-MPLS
!
interface FastEthernet0/1.200
description Link to SAT Network
encapsulation dot1Q 200
!
interface FastEthernet0/1.300
description Link to SAT Network
encapsulation dot1Q 300
ip address 192.168.254.1 255.255.255.0
service-policy output FOR-SAT
!
router ospf 1
router-id 1.0.0.1
no log-adjacency-changes
passive-interface FastEthernet0/0
passive-interface FastEthernet0/1.100
passive-interface FastEthernet0/1.300
network 10.112.0.0 0.0.0.127 area 2
network 10.199.1.0 0.0.0.3 area 2
network 10.199.1.4 0.0.0.3 area 2
network 10.199.1.8 0.0.0.3 area 2
network 10.199.1.12 0.0.0.3 area 2

[Author]

Posts