
[ScreenOS] Behavior for preserving DSCP bit from the inner packet on to the VPN/ESP packets in 6.2 release or later

Article ID: KB21529
Last Updated: 28 Mar 2019
Version: 2.0
Summary:
This article describes the behavior, in ScreenOS release 6.2 or later, for preserving the DSCP value of the inner packet on the outer VPN/ESP packet, and the configuration each platform type needs.
Symptoms:
Behavior for preserving the DSCP value from the inner packet on the VPN/ESP packets in ScreenOS release 6.2 or later.
Solution:
Starting with ScreenOS 6.2, the way the DSCP value is copied from the inner packet header to the outer ESP header changed, and it differs between ASIC-based platforms and appliance devices.

ASIC based platforms:
  1. On ASIC-based platforms, you need to configure the envar command 'set envar ipsec-dscp-mark=yes' so that the inner packet DSCP value is copied to the outer ESP header.
  2. This envar command is mandatory on ASIC-based platforms; it is required for both policy-based and route-based VPNs.
  3. This feature is not supported on ISG platforms with IDP enabled.
  4. If IPv6 is enabled on an ASIC-based platform, 'set envar ipsec-dscp-mark=yes' does not take effect: the DSCP value from the inner packet header is not copied to the outer ESP header, and the outer DSCP is set to 0.
  5. This is a limitation of the ASIC-based platforms when IPv6 is enabled. To make DSCP copying work, disable IPv6 with the envar command 'set envar ipv6=no'.
  6. If you need to overwrite the DSCP value in the outer ESP header with a value different from the original clear-text traffic, the behavior differs between policy-based and route-based VPNs.

For a policy-based VPN, set the DSCP value in the VPN policy; the firewall then overwrites the DSCP value with the one configured in the policy. The end result is that the inner packet DSCP value and the ESP DSCP value are the same, because the inner packet DSCP value is also overwritten with the value configured in the VPN policy.

For a route-based VPN, set the DSCP value in the VPN configuration with the command 'set vpn <vpn-name> dscp-mark <dscp-value>'; the firewall uses that value in the ESP header. With this command in place, the firewall changes only the ESP DSCP value to the one configured on the VPN and leaves the original inner DSCP value unchanged. The end result is that the inner packet retains its original DSCP value and the outer ESP header carries the value set in the 'set vpn' command.

The third option: if you only need to retain the original DSCP value in both the inner packet and the ESP packet, set the envar command and do not perform any additional configuration.


For appliance level devices:
  1. On appliance-level devices, the envar command 'set envar ipsec-dscp-mark=yes' has no effect, and there is no need to set it.
  2. On appliance-level devices, the DSCP value from the inner packet is copied to the outer ESP header with just the basic VPN configuration; no additional configuration is needed.
  3. On appliance-level devices, this works even when IPv6 is enabled; IPv6 makes no difference.
  4. If you need to overwrite the DSCP value in the outer ESP header with a value different from the original clear-text traffic, the behavior is the same as explained above for ASIC-based platforms, for both policy-based and route-based VPNs.
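The DSCP outcomes described above for both platform types (copy the inner value to the outer header; overwrite both inner and outer under a policy-based VPN; overwrite only the outer under a route-based VPN; and the zeroed outer DSCP on an ASIC platform without the envar or with IPv6 enabled), modelled at the IPv4/ESP header level as an added Python example. This is not ScreenOS code or Juniper's: the packets, addresses, SPI, mode names and helper functions are all constructed here, and ESP encryption, padding and the ICV are omitted because they do not touch the outer header. The example also shows the header checksum update that any DSCP rewrite of an IPv4 header requires, and a check that compares the outer and inner DSCP once the inner packet is available in the clear.

```python
"""Constructed model of DSCP handling between an inner IPv4 packet and the
outer IPv4 header of an ESP tunnel packet (added example; not ScreenOS code)."""
import struct
from typing import Optional

IPPROTO_ESP = 50


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; the caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, dscp: int, ecn: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload.
    The DS byte carries DSCP in the high six bits and ECN in the low two bits."""
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, tos, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def dscp_of(pkt: bytes) -> int:
    """DSCP is the upper six bits of the second header byte."""
    return pkt[1] >> 2


def header_checksum_ok(pkt: bytes) -> bool:
    """A correct IPv4 header sums to zero when the checksum field is included."""
    ihl = (pkt[0] & 0x0F) * 4
    return ipv4_checksum(pkt[:ihl]) == 0


def set_dscp(pkt: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, keep the ECN bits, and recompute the header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = ((dscp & 0x3F) << 2) | (hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def esp_encapsulate(inner: bytes, tunnel_src: bytes, tunnel_dst: bytes, spi: int, seq: int,
                    mode: str, configured_dscp: Optional[int] = None) -> bytes:
    """Wrap 'inner' in an outer IPv4 + ESP header. 'mode' (names constructed here) selects:
      preserve        - outer DSCP copied from inner (envar set on ASIC; default on appliances)
      policy-override - inner DSCP rewritten to the configured value, outer gets the same value
      route-override  - outer DSCP set to the configured value, inner left untouched
      clear           - outer DSCP 0 (ASIC platform without the envar, or with IPv6 enabled)"""
    if mode in ("policy-override", "route-override") and configured_dscp is None:
        raise ValueError("%s needs a configured DSCP value" % mode)
    if mode == "preserve":
        outer_dscp = dscp_of(inner)
    elif mode == "policy-override":
        inner = set_dscp(inner, configured_dscp)
        outer_dscp = configured_dscp
    elif mode == "route-override":
        outer_dscp = configured_dscp
    elif mode == "clear":
        outer_dscp = 0
    else:
        raise ValueError("unknown mode %r" % mode)
    esp_header = struct.pack("!II", spi, seq)  # SPI and sequence number only
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_ESP, esp_header + inner, outer_dscp)


def esp_decapsulate(outer: bytes) -> bytes:
    """Strip the outer IPv4 header and the 8-byte ESP header (no trailer in this model)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_ESP:
        raise ValueError("not an ESP packet")
    return outer[ihl + 8:]


def dscp_preserved(outer: bytes) -> bool:
    """Check whether the tunnel packet carries the same DSCP as the packet inside it."""
    return dscp_of(outer) == dscp_of(esp_decapsulate(outer))


# Constructed sample: host 10.0.0.1 sends a UDP packet marked EF (DSCP 46) into the tunnel
# between constructed gateway addresses 192.0.2.1 and 192.0.2.2.
INNER = build_ipv4(b"\x0a\x00\x00\x01", b"\x0a\x00\x01\x01", 17, b"voice payload", dscp=46)
TUNNEL = dict(tunnel_src=b"\xc0\x00\x02\x01", tunnel_dst=b"\xc0\x00\x02\x02", spi=0x1000, seq=1)

if __name__ == "__main__":
    for mode, cfg in [("preserve", None), ("policy-override", 26), ("route-override", 26), ("clear", None)]:
        outer = esp_encapsulate(INNER, mode=mode, configured_dscp=cfg, **TUNNEL)
        print("%-16s outer DSCP=%2d inner DSCP=%2d preserved=%s"
              % (mode, dscp_of(outer), dscp_of(esp_decapsulate(outer)), dscp_preserved(outer)))
```

Running the block prints one line per mode; the route-override row is the one where the outer and inner values legitimately differ, which is the case to keep in mind when a capture on the tunnel side shows a DSCP that does not match what the host sent.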

The following table from the Concepts & Examples - ScreenOS Reference Guide - Fundamentals, Release 6.3.0, Rev. 01 explains the different conditions:
Modification History:
2019-03-14: Minor edits. Content re-reviewed for accuracy.