FEC Onlineservices
 
Prioritising of certain IP packets within an IPSec tunnel
The following example shows how to prioritise certain IP packets within an IPSec tunnel with IPSec version 7.1.12p1.

Scenario:

Each location has internet access and is connected via an IPSec tunnel.

1. IPSec configuration at the router in the branch office (VPN Access 25):
A virtual IPSec interface is necessary for this configuration. The benefit is that the interface is then available for the configuration of Quality of Service (QoS).

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT]: Configure Peer                                      vpn25
_______________________________________________________________________________

     Description:       Zentrale
     Admin Status:      up        Oper Status:   up

     Peer Address:      62.63.64.65
     Peer IDs:          62.63.64.65
     Pre Shared Key:    *

     IPSec Callback >
     Peer specific Settings >

     Virtual Interface: yes
     Interface IP Settings >

                          SAVE                          CANCEL
_______________________________________________________________________________
In the menu "Interface IP Settings" the routing for the IPSec connection is defined.

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[IPSEC][PEERS][EDIT][IP][BASIC]: IP-Settings (Zentrale)                   vpn25
_______________________________________________________________________________

  IP Transit Network                   no

  Local IP Address                     192.168.150.1

  Default Route                        no

  Remote IP Address                    192.168.44.0
  Remote Netmask                       255.255.255.0

                    SAVE                               CANCEL
_______________________________________________________________________________
2. VoIP configuration at the router in the branch office:
The services Proxy and Gatekeeper have to be started (running).

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[VOIP][GK][GLOBAL]: VoIP Gatekeeper Global Configuration                  vpn25
_______________________________________________________________________________

     Gatekeeper ID                         vpn25
     Interface with limited Bandwidth      none
     Max. Bandwidth (KBits/s)              5
     Bandwidth per Call (KBits/s)          5
     Type of Call Routing                  dynamic
     Type of Registration                  unrestricted
     Location Policy                       relaxed
     Time to Live (sec)                    120
     IRRfrequency (sec)                    60
     Max. # of Entries in Call History     25
     H.323 Gateway
     Alternate Gatekeeper (Priority 0) 62.63.64.65
     Alternate Gatekeeper (Priority 1)
     Alternate Gatekeeper (Priority 2)

                    SAVE                               CANCEL
_______________________________________________________________________________
As "Alternate Gatekeeper" the IP address of the router at the central site has to be entered because it also has to be configured as VoIP Gateway.

In the menu "Gatekeeper User Table" the H.323 users are configured.

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[VOIP][GK][USER TABLE]: Configure Gatekeeper User Table                   vpn25
_______________________________________________________________________________

  Username                  Alias             E.164 #     IP Address

  Herbert                   Herbert           4711        192.168.44.100
  ip200                     ip200             4712        192.168.150.100

     ADD                 DELETE              EXIT
_______________________________________________________________________________
3. QoS configuration at the router in the central office:

1) IP Filter

The filter has to be defined precisely so that classification and prioritisation work within the IPSec tunnel.
In this example the TOS field set by the IP telephone (IP200) is adopted. The value is set to 1C (hexadecimal) by default. This value has to be entered in binary notation at the router (00011100).

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][FILTER][USER TABLE][EDIT]                                           vpn25
_______________________________________________________________________________

  Description                 VoIP
  Index                       1

  Protocol  any

  Source Address
  Source Mask

  Destination Address
  Destination Mask

  Type of Service (TOS)       00011100                   TOS Mask  11111111

                    SAVE                               CANCEL
_______________________________________________________________________________

2) IP Classification and Signalling

These packets are classified in the incoming direction.

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][CLASS][EDIT]                                                        vpn25
_______________________________________________________________________________

     Index                    1

     Filter                   VoIP (1)
     Direction                incoming

     Action                   classify (keep TOS) M

     Classification >
     Signalling (TOS) >

     Next Rule                none

                    SAVE                               CANCEL
_______________________________________________________________________________
These packets should be classified as "high priority".

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][CLASS][EDIT][CLASS]: Configure IP QoS Classification                vpn25
_______________________________________________________________________________

     Class Type          high priority

                         OK                            CANCEL
_______________________________________________________________________________

3) Interfaces and Policies

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][INTERFACES]: Enable IP QoS Classification and Policies              vpn25
_______________________________________________________________________________

  Interface       First Rule     First Filter         Scheduler   TxRate Limit

  T-DSL             no IP QoS classification
  Zentrale          no IP QoS classification          PQ
  en0-1             1              1   (VoIP)
  en0-1-snap        no IP QoS classification
  en0-2             no IP QoS classification
  en0-2-snap        no IP QoS classification
  en0-3             no IP QoS classification
  en0-3-snap        no IP QoS classification

  EXIT
_______________________________________________________________________________
The classification of the packets takes place at the Ethernet interface en0-1.

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT]                                                   vpn25
_______________________________________________________________________________

     Interface                           en0-1

     IP QoS Classification via           RI 1   FI 1   (VoIP)

     QoS Scheduling and Shaping >
     Class-Based QoS Policies >

                    SAVE                               CANCEL
_______________________________________________________________________________
The prioritisation of the classified packets takes place at the virtual IPSec interface "Central".

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT]                                                   vpn25
_______________________________________________________________________________

     Interface                          Central

     IP QoS Classification via          none

     QoS Scheduling and Shaping >
     Class-Based QoS Policies >

                    SAVE                               CANCEL
_______________________________________________________________________________
The packets are prioritised using the "priority queueing" algorithm.

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT][SCHEDULER]: Configure QoS Scheduling and Shaping  vpn25
_______________________________________________________________________________

     Queueing and Scheduling Algorithm  priority queueing (PQ)

     Specify Traffic Shaping            no

                         OK                            CANCEL
_______________________________________________________________________________
The queue "high priority" has to be added to the policy list so that it is taken into account.

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[QOS][INTERFACES][EDIT][POLICY]: Configure QoS Policies                   vpn25
_______________________________________________________________________________

    Configure QoS Policies

    Type            ID      Tx Rate    Limitation

    high priority           0          bounded
    default                 0          not bounded

     ADD                 DELETE              EXIT
_______________________________________________________________________________
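
The filter, classification and priority queueing steps above, modelled as an added example (not BinTec code). It assumes the filter compares only the bits selected by the TOS mask; the packet names and the burst are constructed.

```python
from collections import deque

# Filter values from the [QOS][FILTER] screen: TOS 1C (hex) entered in binary.
TOS_VALUE = int("00011100", 2)
TOS_MASK = int("11111111", 2)

def matches(tos, value=TOS_VALUE, mask=TOS_MASK):
    """Assumed filter semantics: only bits set in the mask are compared."""
    return (tos & mask) == (value & mask)

def classify(packets):
    """Sort (name, tos) pairs into the two queues of the policy list."""
    queues = {"high priority": deque(), "default": deque()}
    for name, tos in packets:
        cls = "high priority" if matches(tos) else "default"
        queues[cls].append(name)
    return queues

def schedule(queues):
    """Strict priority queueing: 'default' is served only once
    'high priority' is empty."""
    sent = []
    while queues["high priority"] or queues["default"]:
        cls = "high priority" if queues["high priority"] else "default"
        sent.append(queues[cls].popleft())
    return sent

# Constructed burst arriving on en0-1 (names and order are made up).
BURST = [("http-1", 0x00), ("voip-1", 0x1C), ("smtp-1", 0x00),
         ("voip-2", 0x1C), ("voip-odd", 0x1D)]  # 0x1D differs in the last bit

if __name__ == "__main__":
    print(schedule(classify(BURST)))
    # With the full mask 11111111 the filter is an exact match on the TOS byte,
    # so voip-odd stays in 'default'; a shorter mask would ignore the low bits.
    print(matches(0x1D), matches(0x1D, mask=int("11111100", 2)))
```
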
4. Test:
VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[VOIP][MONITORING][REGISTERED USERS]: Show Gatekeeper Registered Users    vpn25
_______________________________________________________________________________

  Username             Alias             E.164 #         IP Address

                       ip200             4712            192.168.150.100  
                       vpn100@Bintec-Sup                 62.63.64.65
                       Herbert           4711            192.168.44.100


  EXIT
_______________________________________________________________________________
The H.323 user in the branch office (ip200) calls an H.323 user in the central site (Herbert).

VPN Access 25 Setup Tool                            BinTec Access Networks GmbH
[VOIP]..[ACTIVE CALLS]: Show Gatekeeper/Proxy routed active calls         vpn25
_______________________________________________________________________________

  Calling Party    E.164 #       Called Party     E.164 #       Time

                                 Herbert          4711           3:23:20


  EXIT
_______________________________________________________________________________
5. Checkup:
Currently the QoS statistics can only be checked via MIB tables. Starting with Image 7.2.1 the SETUP tool contains a control option.

vpn25:> qospolicystattable
inx IfIndex(*ro)             Type(ro)                 ClassId(ro)
    OutPkts(ro)              OutOctets(ro)            PktsQueued(ro)
    OctetsQueued(ro)         PktsDropped(ro)          OctetsDropped(ro)
    State(rw)

 00 100001                   high_priority            0
    8199                     739478                   0
    0                        0                        0
    running

 01 100001                   default                  0
    13732                    848300                   0
    0                        0                        0
    running

vpn25:>
The table "qospolicystattable" shows the statistics for both queues, "high priority" and "default".
The values in the "high priority" queue increase continuously as soon as an H.323 conversation takes place. The value 100001 (IfIndex) refers to the virtual IPSec interface.
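
One way to automate this check, as an added example that is not part of the original page: it parses two captures of the "qospolicystattable" output and reports how far each queue's counters grew. The first capture is the output shown above; the second is constructed, and the pass criterion (packets sent, none dropped) is an assumption.

```python
import re

# First snapshot: the 'qospolicystattable' output shown on this page.
BEFORE = """vpn25:> qospolicystattable
inx IfIndex(*ro)      Type(ro)         ClassId(ro)
    OutPkts(ro)       OutOctets(ro)    PktsQueued(ro)
    OctetsQueued(ro)  PktsDropped(ro)  OctetsDropped(ro)
    State(rw)

 00 100001            high_priority    0
    8199              739478           0
    0                 0                0
    running

 01 100001            default          0
    13732             848300           0
    0                 0                0
    running

vpn25:>"""
# Second snapshot: constructed for this example (counters after more call traffic).
AFTER = BEFORE.replace("8199", "9455").replace("739478", "852518").replace("13732", "13760")

def parse_stat_table(text):
    """Turn the multi-line records into dicts keyed by column name."""
    lines = [l for l in text.splitlines() if ":>" not in l]       # drop prompt lines
    blocks = [b.split() for b in re.split(r"\n\s*\n", "\n".join(lines).strip())]
    header = [re.sub(r"\(.*?\)", "", h) for h in blocks[0]]       # strip (ro)/(rw)
    return [dict(zip(header, tokens)) for tokens in blocks[1:]]

def queue_deltas(before, after, if_index="100001"):
    """Per-queue growth of OutPkts and PktsDropped on one interface."""
    def by_type(text):
        return {r["Type"]: r for r in parse_stat_table(text) if r["IfIndex"] == if_index}
    b, a = by_type(before), by_type(after)
    return {q: {c: int(a[q][c]) - int(b[q][c]) for c in ("OutPkts", "PktsDropped")}
            for q in a if q in b}

def voip_is_prioritised(deltas):
    """True when the high priority queue carried packets and dropped none."""
    hp = deltas.get("high_priority", {})
    return hp.get("OutPkts", 0) > 0 and hp.get("PktsDropped", 0) == 0

if __name__ == "__main__":
    d = queue_deltas(BEFORE, AFTER)
    print(d, voip_is_prioritised(d))
```
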

vpn25:> ifstat
Index  Descr        Type Mtu  Speed St Ipkts   Ies Opkts   Oes PhyAddr/ChgTime

000100 en0-1        eth  1500  100M up 27104   0   23084   0   00:a0:f9:06:5b:6b

010001 T-DSL        ppp  1492  128K up 26821   0   26892   0     0 00:00:11
100001 Zentrale     tunn 1418   10M up 16049   0   22345   5     0 00:00:14
  total: 18
vpn25:>
2013 bintec elmeg GmbH