By default, IPsec packets are encrypted and then fragmented. The peer end decrypts a packet only after receiving all of its fragments. You can run the ipsec df-bit clear and ipsec fragmentation before-encryption commands to configure fragmentation before encryption. The peer end then decrypts every fragment as soon as it receives it, which speeds up processing of encrypted packets. However, when this function is used, the actual payload of a packet may increase.
During transmission of an IPsec packet, the DSCP value in the original IP header cannot be changed.
After the packet is encrypted, the DSCP value in the original IP header is mapped to the DSCP field in the IPsec header. The DSCP value can also be independently set in an outer IP header.
When an encrypted IPsec packet is decrypted after being transmitted over the MPLS network, the DSCP value in its original IP header remains unchanged. During transmission over the MPLS network, the DSCP value in the outer IP header can also be mapped to the MPLS EXP value.
If the IPsec SA is negotiated based on the DSCP value, the out-of-order packet issue caused by QoS can be addressed.
The DSCP value in the original IP header is mapped to the DSCP value in the IPsec header. When an encrypted IPsec packet is decrypted after being transmitted over the MPLS network, the DSCP value in its original IP header remains unchanged. During transmission over the MPLS network, the DSCP value in the outer IP header can also be mapped to the MPLS EXP value. After the IPsec packet is decrypted, you can specify the DSCP value in the original IP header.
Devices on the core network implement QoS based on DSCP values. On the bearer network, devices that support mapping from DSCP to 802.1p can implement QoS based on 802.1p on the Layer 2 bearer network.
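The out-of-order issue mentioned above, as an added example that is not part of the original documentation or the vendor's code: it assumes the issue is the ESP anti-replay sliding window (RFC 4303) discarding low-priority packets that DSCP-based queuing delivers late. The 64-packet window, the strict-priority reordering model, the SA names and the traffic burst are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 64  # assumed anti-replay window size, in packets


class ReplayWindow:
    """Receiver-side anti-replay state for one SA (simplified RFC 4303 bitmap)."""

    def __init__(self, size=WINDOW):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq > self.top:  # newest packet so far: slide the window forward
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:  # older than the window: discarded
            return False
        if (self.bitmap >> offset) & 1:  # already received: replay
            return False
        self.bitmap |= 1 << offset
        return True


def deliver(packets, sa_key):
    """Number packets per SA at the sender, reorder them as a strict-priority
    queue would (higher DSCP first), and count receiver drops per DSCP."""
    next_seq, sent = defaultdict(int), []
    for dscp in packets:
        sa = sa_key(dscp)
        next_seq[sa] += 1
        sent.append((dscp, sa, next_seq[sa]))
    on_wire = sorted(sent, key=lambda p: -p[0])  # stable: order kept per class
    windows, drops = defaultdict(ReplayWindow), defaultdict(int)
    for dscp, sa, seq in on_wire:
        if not windows[sa].accept(seq):
            drops[dscp] += 1
    return dict(drops)


# Constructed burst: 200 packets alternating best effort (DSCP 0) and EF
# (DSCP 46), all queued behind one congested link.
BURST = [46 if i % 2 else 0 for i in range(200)]

def single_sa_drops():  # one SA carries every traffic class
    return deliver(BURST, sa_key=lambda dscp: "sa-all")

def per_dscp_sa_drops():  # one SA (own sequence space) per DSCP value
    return deliver(BURST, sa_key=lambda dscp: f"sa-dscp-{dscp}")
```

With one shared SA the receiver discards 68 of the 100 best-effort packets as too old for the window; with one SA per DSCP value each class keeps its own sequence numbers and nothing is discarded.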