SRX Services Gateway

CoS/QoS dual IPSec tunnels

‎01-29-2019 02:56 PM

Hi,

 

Wonder if someone can point me in the right direction with this. Despite much googling and experimenting with iPerf, I am not really getting anywhere with it.

What we have is dual WAN links with two IPSec tunnels per WAN link, so 4 tunnels in total. 

In normal operation, video traffic uses the secondary WAN link IPSec tunnel and the branch traffic uses the primary WAN link. In the event of a WAN link failure, video and branch traffic will be using the same WAN link.

I really need a QoS/CoS policy which will restrict the video traffic IPSec tunnel to 10Mbps and the branch IPSec tunnel to 5Mbps. However, if the WAN links are operating normally, I would like the video traffic to use the full bandwidth of the secondary WAN link and similarly for the branch traffic to use the full available bandwidth of the primary link.

Is this possible using SRX320s?

 

Many Thanks in advance for advice.


Re: CoS/QoS dual IPSec tunnels

‎01-29-2019 09:59 PM

Hello, martinr

 

Short answer: currently there is not a CoS implementation/configuration that would change dynamically upon the failure of a link/VPN.

 

However, I believe it can be accomplished with a "kind of complex" configuration, see below.

 

Regarding CoS and VPN tunnels in SRX320, starting with Junos OS Release 15.1X49-D100 and Junos OS Release 17.3R1, you can configure CoS on logical tunnels and use it along with st0 interfaces:


      https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-queuing-tunnel-security-overvie...

Also, these other documents show how to map CoS forwarding-classes to different SAs on a single VPN tunnel, so you could apply different treatment to different types of traffic.

 

     https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-based-ipsec-vpns-with-multiple-...

     https://www.juniper.net/documentation/en_US/junos/topics/example/cos-based-ipsec-vpns-configuring.ht...

 

As mentioned, the problem is that in Junos the CoS configuration is fixed and cannot change dynamically in case one of your WAN links fails.

 

What comes to my mind is to create some event-policies to monitor the status of your VPNs and, depending on their status, change the CoS configurations accordingly. This will happen automatically.

 

I created a quick example of how you could change specific configuration depending on the status of a specific VPN:

 

Topology:

 

 

SRX2-(80.10.10.1)------------Internet-------------(80.10.199.1)-Remote_IPsec_Peer

 

 

Event-policies configuration:

 

  • The action of this policy (set a description on fe-0/0/0) will be triggered when vpn named TEST_VPN goes down.

 

[edit]
root@SRX2# show event-options
policy VPN-DOWN-APPLYNG-COS-CONFIG {
    events kmd_vpn_down_alarm_user;
    attributes-match {
        kmd_vpn_down_alarm_user.vpn-name matches TEST_VPN;
    }
    then {
        change-configuration {
            commands {
                "set interfaces fe-0/0/0 description VPN-IS-DOWN";
            }
        }
    }
}

 

  • The action of this policy (modify the configuration of fe-0/0/0) will be triggered when vpn named TEST_VPN comes up.
policy VPN-UP-DELETING-COS-CONFIG {
    events kmd_vpn_UP_alarm_user;
    attributes-match {
        kmd_vpn_UP_alarm_user.vpn-name matches TEST_VPN;
    }
    then {
        change-configuration {
            commands {
                "set interfaces fe-0/0/0 description VPN-IS-UP";
            }
        }
    }
}

 

  • The following syslog file was created to track the VPN events:
root@SRX2# show system syslog
file VPN {
    any any;
    match kmd;
}

 

Verification:


+No description on interface fe-0/0/0:

 

[edit]
root@SRX2# show interfaces fe-0/0/0

 

+No VPN events (the VPN was up at this moment)

 

[edit]
root@SRX2# run show log VPN
Jan 30 04:41:26 SRX2 clear-log[71769]: logfile cleared

[edit]
root@SRX2# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <2    ESP:3des/sha1   baeebb3b 3407/ unlim   U   root 500   80.10.199.1
  >2    ESP:3des/sha1   f226199  3407/ unlim   U   root 500   80.10.199.1

 

+The VPN went down and a "tunnel down" event was generated for VPN named TEST_VPN

 

[edit]
root@SRX2# run show security ipsec security-associations
  Total active tunnels: 0

[edit]
root@SRX2# run show log VPN
Jan 30 04:41:26 SRX2 clear-log[71769]: logfile cleared
Jan 30 04:42:33  SRX2 kmd[71316]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-TEST_VPN_0002_0007_0000 from 80.10.199.1 is down. Local-ip: 80.10.10.1, gateway name: TEST, vpn name: TEST_VPN, tunnel-id: 2, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: 80.10.10.1, Remote IKE-ID: 80.10.199.1, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=192.168.200.0/24)

 

+Because of this event, the first policy was triggered:

 

[edit]
root@SRX2# show interfaces fe-0/0/0
description VPN-IS-DOWN;

[edit]
root@SRX2# run show security ipsec security-associations
  Total active tunnels: 0

 

+Later the VPN came up:

 

[edit]
root@SRX2# run show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <2    ESP:3des/sha1   6d5caba6 3213/ unlim   U   root 500   80.10.199.1
  >2    ESP:3des/sha1   2a0739bc 3213/ unlim   U   root 500   80.10.199.1

[edit]
root@SRX2# run show log VPN
Jan 30 04:41:26 SRX2 clear-log[71769]: logfile cleared
Jan 30 04:42:33  SRX2 kmd[71316]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-TEST_VPN_0002_0007_0000 from 80.10.199.1 is down. Local-ip: 80.10.10.1, gateway name: TEST, vpn name: TEST_VPN, tunnel-id: 2, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: 80.10.10.1, Remote IKE-ID: 80.10.199.1, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=192.168.200.0/24)

Jan 30 04:45:37  SRX2 kmd[71316]: KMD_PM_SA_ESTABLISHED: Local gateway: 80.10.10.1, Remote gateway: 80.10.199.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.200.0/24), Direction: inbound, SPI: 0x6d5caba6, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:
Jan 30 04:45:37  SRX2 kmd[71316]: KMD_PM_SA_ESTABLISHED: Local gateway: 80.10.10.1, Remote gateway: 80.10.199.1, Local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Remote ID: ipv4_subnet(any:0,[0..7]=192.168.200.0/24), Direction: outbound, SPI: 0x2a0739bc, AUX-SPI: 0, Mode: Tunnel, Type: dynamic, Traffic-selector:

Jan 30 04:45:37  SRX2 kmd[71316]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-TEST_VPN_0002_0007_0000 from 80.10.199.1 is up. Local-ip: 80.10.10.1, gateway name: TEST, vpn name: TEST_VPN, tunnel-id: 2, local tunnel-if: , remote tunnel-ip: Not-Available, Local IKE-ID: 80.10.10.1, Remote IKE-ID: 80.10.199.1, XAUTH username: Not-Applicable, VR id: 0, Traffic-selector: , Traffic-selector local ID: ipv4_subnet(any:0,[0..7]=0.0.0.0/0), Traffic-selector remote ID: ipv4_subnet(any:0,[0..7]=192.168.200.0/24)

 

+And the last event triggered the second policy:

 

[edit]
root@SRX2# show interfaces fe-0/0/0
description VPN-IS-UP;

 

By monitoring the VPNs you can play with the CoS configuration you want to have applied at a given time. At least now you have an option, hope it helps.

 

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
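Added example, not part of the thread: a small Python replay of the KMD_VPN_UP/DOWN_ALARM_USER lines quoted above against the two event-policies in the reply, plus a flap check. It assumes the 2019 year (syslog lines carry none) and uses constructed log lines modelled on the ones shown; the flap pair at 04:45:41/04:45:49 is invented to show why a tunnel that bounces would trigger a config change and commit on every transition.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the kmd alarm lines quoted in the reply (trailing fields trimmed).
SAMPLE_LOG = """\
Jan 30 04:42:33  SRX2 kmd[71316]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-TEST_VPN_0002_0007_0000 from 80.10.199.1 is down. Local-ip: 80.10.10.1, gateway name: TEST, vpn name: TEST_VPN, tunnel-id: 2
Jan 30 04:45:37  SRX2 kmd[71316]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-TEST_VPN_0002_0007_0000 from 80.10.199.1 is up. Local-ip: 80.10.10.1, gateway name: TEST, vpn name: TEST_VPN, tunnel-id: 2
Jan 30 04:45:41  SRX2 kmd[71316]: KMD_VPN_DOWN_ALARM_USER: VPN INSTANCE-TEST_VPN_0002_0007_0000 from 80.10.199.1 is down. Local-ip: 80.10.10.1, gateway name: TEST, vpn name: TEST_VPN, tunnel-id: 2
Jan 30 04:45:49  SRX2 kmd[71316]: KMD_VPN_UP_ALARM_USER: VPN INSTANCE-TEST_VPN_0002_0007_0000 from 80.10.199.1 is up. Local-ip: 80.10.10.1, gateway name: TEST, vpn name: TEST_VPN, tunnel-id: 2
Jan 30 04:45:49  SRX2 clear-log[71769]: logfile cleared
"""

EVENT_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+\S+ kmd\[\d+\]: "
                      r"KMD_VPN_(?P<state>UP|DOWN)_ALARM_USER: .*?vpn name: (?P<vpn>[^,]+),")

# The two event-policies from the reply: (event name, vpn-name regex) -> policy name.
POLICIES = {
    ("kmd_vpn_down_alarm_user", "TEST_VPN"): "VPN-DOWN-APPLYNG-COS-CONFIG",
    ("kmd_vpn_up_alarm_user", "TEST_VPN"): "VPN-UP-DELETING-COS-CONFIG",
}

def parse_vpn_events(text, year=2019):
    """Return [(datetime, vpn_name, 'up'|'down')]; syslog lines carry no year, so one is supplied."""
    events = []
    for m in filter(None, map(EVENT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["vpn"].strip(), m["state"].lower()))
    return events

def triggered_policies(events, policies=POLICIES):
    """Replay events against the policies the way event-options attributes-match would."""
    fired = []
    for ts, vpn, state in events:
        for (ev, pattern), name in policies.items():
            if ev == f"kmd_vpn_{state}_alarm_user" and re.match(pattern, vpn):
                fired.append((ts, name))
    return fired

def flapping_vpns(events, window_s=60, max_changes=2):
    """VPNs with more than max_changes state changes inside window_s seconds (each change = one commit)."""
    by_vpn = {}
    for ts, vpn, _ in events:
        by_vpn.setdefault(vpn, []).append(ts)
    flapping = []
    for vpn, stamps in by_vpn.items():
        for i, start in enumerate(stamps):
            if sum((t - start).total_seconds() <= window_s for t in stamps[i:]) > max_changes:
                flapping.append(vpn)
                break
    return flapping
```

A tunnel reported by flapping_vpns is one where a dampening delay before the change-configuration action would be worth considering, since each up/down pair rewrites and commits the CoS config twice.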

Re: CoS/QoS dual IPSec tunnels

‎01-30-2019 04:06 PM

Hi epaniagua,

 

Thank you so so much for your detailed reply. I had a feeling that it might not be possible to do this on an SRX and is probably more suited to a switch.

I think I may have found a compromise using virtual channels where either channel can use the full bandwidth, but if they are both using the bandwidth it is shared equally.