[SRX] IPSec VPN behavior on IP ToS/DSCP field



Article ID: KB29565 KB Last Updated: 29 Dec 2014 Version: 1.0

This article describes the action taken by the SRX gateway on receipt of packets with pre-marked IP ToS/DSCP values that need IPSec encapsulation, as well as on IPSec encapsulated packets that need decapsulation.


How does the SRX handle ToS/DSCP marking for ESP traffic?



IPSec encapsulation:

  •  Pre-marked packets:
    • The SRX will copy the received value of the ToS/DSCP field from the clear-text packet into the IPSec header of the encapsulated packet.

    • No change is made to the inner clear-text packet markings.

  •  SRX classification of traffic with CoS rewriting enabled on the physical VPN egress interface:
    • The SRX will mark the outer header of the encapsulated packet based on the packet classification.

    • The inner clear-text packet will retain any previous ToS/DSCP marking.

IPSec decapsulation:

  •  The SRX does not apply any treatment to the IP ToS/DSCP of the clear-text frame after decapsulating an IPSec packet.
  •  The inner clear-text packet will retain its original IP ToS/DSCP value regardless of the IP ToS/DSCP value contained in the IPSec header.
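The behavior above can be checked from packet captures taken on the clear-text side and on the VPN egress interface. The following is an added example, not part of the Juniper article: it parses raw IPv4 headers and compares DSCP values against the rules listed above. The function names, addresses and sample headers are constructed for illustration, and only the six DSCP bits are compared because the article does not describe ECN handling.

```python
import struct

ESP_PROTO = 50  # IP protocol number assigned to ESP

def build_ipv4(tos, proto, src, dst):
    """Build a constructed 20-byte IPv4 header (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                       bytes(src), bytes(dst))

def parse_ipv4(header):
    """Extract DSCP, ECN and protocol from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos = header[0], header[1]
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    return {"dscp": tos >> 2, "ecn": tos & 0x03, "proto": header[9]}

def check_encap(clear, outer, rewrite_dscp=None):
    """True if the outer ESP header carries the expected DSCP.

    Without CoS rewriting the expected value is the DSCP copied from the
    clear-text packet; with rewriting it is the value chosen by classification
    (passed in as rewrite_dscp, an assumption of this example).
    """
    inner, out = parse_ipv4(clear), parse_ipv4(outer)
    if out["proto"] != ESP_PROTO:
        raise ValueError("outer packet is not ESP")
    expected = inner["dscp"] if rewrite_dscp is None else rewrite_dscp
    return out["dscp"] == expected

def check_decap(sent_clear, received_clear):
    """True if the inner packet kept its DSCP across the tunnel."""
    return parse_ipv4(sent_clear)["dscp"] == parse_ipv4(received_clear)["dscp"]

# Constructed sample headers (not captured from a real device).
LAN_A, LAN_B = (10, 0, 1, 5), (10, 0, 2, 9)
GW_A, GW_B = (192, 0, 2, 1), (198, 51, 100, 1)
CLEAR_EF = build_ipv4(0xB8, 6, LAN_A, LAN_B)                # TCP, DSCP 46 (EF)
OUTER_COPIED = build_ipv4(0xB8, ESP_PROTO, GW_A, GW_B)      # DSCP copied
OUTER_REWRITTEN = build_ipv4(0x28, ESP_PROTO, GW_A, GW_B)   # DSCP 10 (AF11)

if __name__ == "__main__":
    print("copied:", check_encap(CLEAR_EF, OUTER_COPIED))
    print("rewritten:", check_encap(CLEAR_EF, OUTER_REWRITTEN, rewrite_dscp=10))
    print("inner preserved:", check_decap(CLEAR_EF, CLEAR_EF))
```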
