QoS over VPN

[pointcheck]

What happens to marked packets on the internal network that connect through a Site-to-Site FW-1 VPN? I need to get my external router to make QoS decisions based upon packets that the clients have already marked. Does the firewall just pass them through without modification?

We do not have FloodGate/QoS installed on the firewall(s).

Thanks.

[mcnallym]

I am a little confused by your question.

You are talking about asking the External Router, presumably this is a router outside of the Firewall, making QoS decisions on packets arriving over a VPN?

If this is the case then all that the External Router will see is encrypted packets from the site to site VPN, once these are decrypted then there would be no QoS on the packets.

[pointcheck]

Quote:

Originally Posted by mcnallym

I am a little confused by your question.

You are talking about asking the External Router, presumably this is a router outside of the Firewall, making QoS decisions on packets arriving over a VPN?

If this is the case then all that the External Router will see is encrypted packets from the site to site VPN, once these are decrypted then there would be no QoS on the packets.

Yes, that scenario is correct. For both inbound and outbound packets over the WAN which are VPN site to site, can the router make a QoS decision after the packets traverse FW-1?

[craxnet]

Hi ...
i bet it will not make such sence to let an outgoing router make qos as long you are using a vpn link over the internet for example. the router even cannot read encrypted packets ... so you can only priorisize traffic within your vpn link but the internet providers will garantue nothing for traffic over the internet you rely on.


if u use mpls or atm for example you better ask your provider to mark specific traffic with dscp values ...

[fdamstra]

Quote:

Originally Posted by pointcheck

Yes, that scenario is correct. For both inbound and outbound packets over the WAN which are VPN site to site, can the router make a QoS decision after the packets traverse FW-1?

I can't answer your original question, as I don't know what checkpoint does with the TOS field of a packet that it's going to encrypt. However, I can disagree with the previous posters who said that it doesn't make sense.

In a Cisco world, the DSCP or IPP markings would be propagated upward to that same field of the encrypted packet, which would allow your router to continue to prioritize packets based on its marking, even though the source/destination/payload of those packets would at that point be encrypted. This is a sensible solution, and I would expect that CheckPoint would do the same (but they've been known to surprise me).

Of course, if the VPN is going over the Internet, the ISP's are going to ignore the markings and FIFO the packets, but you can get the benefits of prioritization at your edge routers (where congestion is most likely). If you're going over a private network that understands traffic markings, they should be processed appropriately based on their original tags.