[SRX] IPSec VPN behavior on IP ToS/DSCP field

  [KB29565]


This article describes the action taken by the SRX gateway on receipt of packets with pre-marked IP ToS/DSCP values that need IPSec encapsulation, as well as on IPSec encapsulated packets that need decapsulation.


How does the SRX handle ToS/DSCP marking for ESP traffic?



IPSec encapsulation:

  •  Pre-marked packets:
    • The SRX will copy the received value of the ToS/DSCP field from the clear-text packet into the IPSec header of the encapsulated packet.

    • No change is made to the inner clear-text packet's markings.

  •  SRX classification of traffic with CoS rewriting enabled on the physical VPN egress interface:
    • The SRX will mark the outer header of the encapsulated packet based on the packet classification.

    • The inner clear-text packet will retain any previous ToS/DSCP marking.

IPSec decapsulation:

  •  The SRX does not apply any treatment to the IP ToS/DSCP of the clear-text frame after decapsulating an IPSec packet.
  •  The inner clear-text packet will retain its original IP ToS/DSCP value regardless of the IP ToS/DSCP value contained in the IPSec header.
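
The encapsulation and decapsulation rules above as a byte-level model. This is an added example, not code from the article or from Junos. The function names, addresses, SPI and sequence number are constructed, ESP encryption is omitted, and ECN bits are not modelled.

```python
import struct

ESP = 50  # IP protocol number for ESP

def checksum(hdr: bytes) -> int:
    """RFC 791 header checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(tos: int, proto: int, src: bytes, dst: bytes, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len,
                      0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def dscp(packet: bytes) -> int:
    return packet[1] >> 2  # DSCP is the upper six bits of the ToS byte

def encapsulate(inner, tun_src, tun_dst, rewrite_dscp=None):
    """Tunnel-mode model; encryption is omitted, the inner packet is carried as-is."""
    # Pre-marked case: copy the inner ToS byte. CoS rewrite case: mark the outer
    # header from the classification result instead.
    tos = inner[1] if rewrite_dscp is None else rewrite_dscp << 2
    esp = struct.pack("!II", 0x1000, 1) + inner  # constructed SPI and sequence number
    return ipv4_header(tos, ESP, tun_src, tun_dst, len(esp)) + esp

def remark_outer(outer: bytes, new_dscp: int) -> bytes:
    """Model of the outer header arriving with a different DSCP than it left with."""
    hdr = bytearray(outer[:20])
    hdr[1] = new_dscp << 2
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + outer[20:]

def decapsulate(outer: bytes) -> bytes:
    """Strip outer IPv4 + ESP header; the outer ToS is discarded, not copied back."""
    if outer[9] != ESP:
        raise ValueError("not an ESP packet")
    return outer[28:]

# Constructed sample: inner packet marked EF (DSCP 46), documentation-range tunnel endpoints.
INNER = ipv4_header(46 << 2, 17, bytes([10, 0, 0, 1]), bytes([10, 0, 1, 1]), 8) + b"\x00" * 8
GW_A, GW_B = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])

if __name__ == "__main__":
    copied = encapsulate(INNER, GW_A, GW_B)
    rewritten = encapsulate(INNER, GW_A, GW_B, rewrite_dscp=10)
    print(dscp(copied), dscp(rewritten), dscp(decapsulate(remark_outer(copied, 0))))
```

Comparing `dscp()` on the outer and inner headers of a capture taken on each side of the tunnel is a quick way to confirm which of the two encapsulation cases a given interface is applying.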
