msolanki, Staff
Article Id 349171
Description

This article describes how to configure Differentiated Services Code Point (DSCP) marking for IPsec ESP traffic.

Scope

FortiGate.
Solution

IPsec Encapsulating Security Payload (ESP) traffic can be prioritized through Differentiated Services Code Point (DSCP) marking.

By default, the FortiGate copies the DSCP marking of the inner (encapsulated) packet to the outer encrypted ESP packet.


To change this, first disable NPU offloading in the Phase 1 configuration of the tunnel.

This is done with the following commands:

config vpn ipsec phase1-interface
    edit <tunnel>
        set npu-offload disable
    next
end

 

Once this is done, a specific DSCP marking can be set for this traffic in the Phase 2 configuration. A value of all zeroes disables marking.

 

config vpn ipsec phase2-interface
    edit <tunnel>
        set phase1name <tunnel>
        set proposal aes128-sha256
        set diffserv enable     <- Make sure the DSCP option is enabled.
        set diffservcode 101110 <- Configure the DSCP value (6-bit binary).
        set src-addr-type name
        set dst-addr-type name
        set src-name "Test_ESP_local"
        set dst-name "Test_ESP_remote"
    next
end

Refer to this article for more information on DSCP codes: Technical Tip: Differentiated Services Code Point (DSCP) marking.
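The 'diffservcode' value is the 6-bit DSCP field written in binary, so 101110 is DSCP 46, the Expedited Forwarding (EF) per-hop behaviour. The following Python helper is an added example, not Fortinet code and not part of the original article: it converts between PHB names, decimal DSCP values and the binary string the CLI expects, renders the Phase 2 snippet above for a chosen marking, and reads the DSCP back out of the DS byte of a captured outer IPv4/ESP header so the marking can be verified on the wire. The function names, the 'phase2_cli' renderer and the embedded IPv4 header bytes are assumptions constructed for this example.

```python
# Added example (not Fortinet's code): DSCP helpers for the FortiGate
# phase2-interface 'diffservcode' setting and for checking the outer ESP packet.

# Standard PHB names and their DSCP values (RFC 2474 class selectors,
# RFC 2597 assured forwarding, RFC 3246 expedited forwarding).
PHB_TO_DSCP = {
    "CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24, "CS4": 32, "CS5": 40, "CS6": 48, "CS7": 56,
    "AF11": 10, "AF12": 12, "AF13": 14,
    "AF21": 18, "AF22": 20, "AF23": 22,
    "AF31": 26, "AF32": 28, "AF33": 30,
    "AF41": 34, "AF42": 36, "AF43": 38,
    "EF": 46,
}
DSCP_TO_PHB = {v: k for k, v in PHB_TO_DSCP.items()}
IPPROTO_ESP = 50


def dscp_to_diffservcode(dscp: int) -> str:
    """Return the 6-bit binary string FortiGate expects for 'set diffservcode'."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP must be in 0..63, got {dscp}")
    return format(dscp, "06b")


def diffservcode_to_dscp(code: str) -> int:
    """Parse a 'diffservcode' value (exactly six 0/1 characters) back to an integer."""
    if len(code) != 6 or any(c not in "01" for c in code):
        raise ValueError(f"diffservcode must be six binary digits, got {code!r}")
    return int(code, 2)


def describe_dscp(dscp: int) -> str:
    """Name the PHB for a DSCP value, or say that it has no standard name."""
    return DSCP_TO_PHB.get(dscp, f"DSCP {dscp} (no standard PHB name)")


def ds_byte(dscp: int, ecn: int = 0) -> int:
    """Build the IPv4 DS/ToS byte: DSCP occupies the upper 6 bits, ECN the lower 2."""
    return ((dscp & 0x3F) << 2) | (ecn & 0b11)


def outer_packet_dscp(header: bytes) -> tuple[int, bool]:
    """Read the DSCP of an IPv4 header and whether its payload is ESP (protocol 50).

    This is what one would check on a capture of the *outer* packet to confirm the
    configured marking was applied after NPU offload was disabled.
    """
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    dscp = (header[1] >> 2) & 0x3F   # byte 1 is the DS field
    is_esp = header[9] == IPPROTO_ESP  # byte 9 is the protocol
    return dscp, is_esp


def phase2_cli(tunnel: str, phb: str, src_name: str, dst_name: str,
               proposal: str = "aes128-sha256") -> str:
    """Render the phase2-interface snippet from the article for a PHB name.

    Passing 'CS0' yields diffservcode 000000, which the article notes disables marking.
    """
    code = dscp_to_diffservcode(PHB_TO_DSCP[phb.upper()])
    return "\n".join([
        "config vpn ipsec phase2-interface",
        f"    edit {tunnel}",
        f"        set phase1name {tunnel}",
        f"        set proposal {proposal}",
        "        set diffserv enable",
        f"        set diffservcode {code}",
        "        set src-addr-type name",
        "        set dst-addr-type name",
        f'        set src-name "{src_name}"',
        f'        set dst-name "{dst_name}"',
        "    next",
        "end",
    ])


# Constructed sample: a 20-byte IPv4 header for an outer ESP packet marked EF
# (DS byte 0xB8 = 46 << 2). Checksum left at zero; this is not a real capture.
SAMPLE_OUTER_HEADER = bytes([
    0x45, 0xB8, 0x00, 0x54,   # version/IHL, DS byte, total length
    0x00, 0x00, 0x40, 0x00,   # identification, flags/fragment offset
    0x40, IPPROTO_ESP, 0x00, 0x00,  # TTL, protocol=ESP, checksum (constructed)
    10, 0, 0, 1,              # source 10.0.0.1 (constructed)
    10, 0, 0, 2,              # destination 10.0.0.2 (constructed)
])

if __name__ == "__main__":
    print(phase2_cli("Test_ESP", "EF", "Test_ESP_local", "Test_ESP_remote"))
    dscp, esp = outer_packet_dscp(SAMPLE_OUTER_HEADER)
    print(f"outer packet: DSCP {dscp} ({describe_dscp(dscp)}), ESP={esp}")
```

Run it as a script to print the rendered CLI block and the decoded marking of the sample header; swap 'EF' for another PHB name such as 'AF41' or 'CS5' to get the matching 'diffservcode' string.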