Qos on Fortigate and IPSEC VPN

Cglobal71 · ‎05-05-2017

Hello, I allow to contact you because I shall need help.

I have at present a VPN IPSEC between two Fortigates. On every sites, there is a PABX with a connection between both.

They use the connection vpn to make "internal" calls between both sites.

The person receiving benefits of the PABX asks us to apply of the QOS to limit flows.

Here is only what he gave to me:

Click the image to enlarge it Have you an idea for the configuration to be applied to limit the bandwidth to use only by every PABX? Thank you in advance

emnoc · ‎05-05-2017

DSCP tagging in a encapsulated tunnel does no good imho, but you have a few items to contend with

1: are you wanting QoS as in layer3 header marking mixups

or

2: are you wanting traffic-prioritizing for VoIP vrs other traffic that resides in the tunnel ?

For #1, if you want to mangle and mixup the DCSP/TOS values in the ip_header just do it at the fwpolicy.

check out my blog post on how you could do that;

http://socpuppet.blogspot...te-tosdscp-markup.html

If you want to prioritize traffic which is probably better overall, deploy a traffic-shaper with the high queue

config firewall policy

edit < your traffic policy for the VOIP >

set traffic-shaper <SHAPE1>

or

set per-ip-shaper <SHAPE1>

e.g

config firewall shaper traffic-shaper

edit "SHAPE1"

set priority high

And now when that's applied at the fwpolicy level the PQ high would apply before medium and low.

Alternative, You could use a combination of TOS/DSCP and values and set PQ for those values or assign queues.

e.g

config system dscp-based-priority

edit 1

set ds 46

set priority high

That would define EF as high priority queue.

YMMV but you have many options.

Ken

PCNSE

NSE

StrongSwan