jfgagnon
New Member
May 18, 2018
Question

VPN ipsec DSCP trust

  • May 18, 2018
  • 3 replies
  • 6597 views

Hi!

I'm wondering if it's possible to pass the DSCP value through the VPN tunnel.

Like, if a VoIP subnet marks its packets with a defined DSCP value, and routes those packets through the VPN, I would want them to keep their DSCP value and be classified and shaped when they arrive on the other firewall.

I found this setting in the policies, "set dscp-match enable", but can't find any documentation on it. I was hoping it was the equivalent of a trust DSCP.

Thanks!


    3 replies

    emnoc
    New Member
    May 18, 2018

    Yes, you can do that in the firewall policy. Remember the internet will not see your DSCP setting, much less even care.

    Check out my blog post from a few years back about marking L3 DSCP values:

    http://socpuppet.blogspot.com/2015/02/howto-fortigate-tosdscp-markup.html


    Toshi_Esumi
    SuperUser
    May 18, 2018

    This is what you're looking for if it's 5.4. This part of the QoS/Traffic Shaping feature should be the same as in 5.2, although 5.4 has introduced a separate "shaping-policy", so if you want to do shaping, refer to the traffic shaping handbook for the proper version.

    http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-traffic-shaping-54/TS_Configuration/TS_Diff_Services.htm


    Atul_S
    Staff & Editor
    May 11, 2022

    FortiGate Differentiated Services feature can be used to change the DSCP (Differentiated Services Code Point) value for all packets accepted by a policy. The network can use these DSCP values to classify, mark, shape, and police traffic, and perform intelligent queuing.

    DSCP features are applied to traffic by configuring the FortiGate to apply different service levels to packets depending on the DSCP value of the packet.

    Having said that, if diffserv is disabled in the IPsec phase2 configuration, then the ESP packets' DSCP value is copied from the inner IP packet's DSCP, and if diffserv is enabled in the IPsec phase2 configuration, then the ESP packets' DSCP value is set to the configured value.

    Please note that offloading traffic to the NPU must be disabled for the tunnel in phase1 if you want to customize the DSCP values.


    Example:

    1. Configure the phase1-interface:

      config vpn ipsec phase1-interface
          edit "s2s"
              set interface "wan1"
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set npu-offload disable
              set dhgrp 14 5
              set wizard-type static-fortigate
              set remote-gw 173.1.1.1
              set psksecret ***********
          next
      end

    2. Configure the phase2-interface:

      config vpn ipsec phase2-interface
          edit "s2s"
              set phase1name "s2s"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set dhgrp 14 5
              set diffserv enable
              set diffservcode 000111
              set src-addr-type name
              set dst-addr-type name
              set src-name "s2s_local"
              set dst-name "s2s_remote"
          next
      end


    Thanks
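As an added illustration of the phase2 behaviour described in the reply above (this is not code from the thread or from Fortinet), the Python model below builds a constructed EF-marked inner packet, derives the outer ESP header's DSCP under both diffserv settings, and audits a list of captured packets for markings that do not match what the tunnel should produce. The function names, the 6-bit `diffservcode` string format taken from the CLI, and all addresses are assumptions.

```python
import ipaddress
import struct
from typing import List

ESP_PROTO = 50  # IP protocol number carried in the outer header of ESP tunnel packets


def ipv4_header(src: str, dst: str, proto: int, dscp: int, ecn: int = 0,
                payload_len: int = 0) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at 0).
    This models the DS byte only; it is not a packet sender."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)  # DSCP is the top 6 bits, ECN the low 2
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def dscp_of(packet: bytes) -> int:
    """DSCP = upper 6 bits of the second octet of the IPv4 header."""
    return packet[1] >> 2


def outer_dscp(inner: bytes, diffserv: bool, diffservcode: str = "000000") -> int:
    """Phase2 rule from the thread: diffserv disabled -> copy the inner DSCP;
    diffserv enabled -> use the configured code (6-bit binary string, as in the CLI)."""
    if diffserv:
        if len(diffservcode) != 6 or set(diffservcode) - {"0", "1"}:
            raise ValueError("diffservcode must be a 6-character binary string")
        return int(diffservcode, 2)
    return dscp_of(inner)


def esp_encapsulate(inner: bytes, tun_src: str, tun_dst: str, diffserv: bool,
                    diffservcode: str = "000000") -> bytes:
    """Wrap an inner packet in an outer IPv4 header with protocol 50 (ESP).
    ESP header/trailer and encryption are omitted; only the outer DSCP matters here."""
    return ipv4_header(tun_src, tun_dst, ESP_PROTO,
                       outer_dscp(inner, diffserv, diffservcode),
                       payload_len=len(inner)) + inner


def audit_esp_dscp(packets: List[bytes], expected_dscp: int) -> List[int]:
    """Indexes of ESP packets whose outer DSCP differs from the expected value,
    e.g. when checking a WAN-side capture to confirm the tunnel preserves marking."""
    return [i for i, p in enumerate(packets)
            if p[9] == ESP_PROTO and dscp_of(p) != expected_dscp]


if __name__ == "__main__":
    voip = ipv4_header("10.1.1.10", "10.2.2.20", 17, dscp=46)  # constructed EF-marked RTP packet
    print(dscp_of(esp_encapsulate(voip, "198.51.100.1", "203.0.113.1", False)))  # 46
    print(dscp_of(esp_encapsulate(voip, "198.51.100.1", "203.0.113.1", True, "000111")))  # 7
```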