Hello
I have an IPSEC tunnel between 2 offices. Our provider honors DSCP bits and I want to mark packets based on their priority. But then the packets go into the tunnel and their headers are not visible to the provider’s routers. How can I copy DSCP flags to the outer tunnel packet headers?
Same thing here. Too bad that 11 years have passed and not one reply… Good thing is that I have the same doubt. I am marking my packets with DSCP before IPSEC, but the IP header of IPSEC does not show any DSCP at all…
That’s strange, because I use the inheritance of the DSCP value from the payload to IPsec transport packets routinely, and I’ve just tried the same on 6.46.7 (the current long-term as of writing this), and it works too. In my test case, I am setting the DSCP field of the ICMP packets sent by the router itself (in mangle chain output) e.g. to 46, and sniffing shows the ESP packets transporting them have that value:
[me@myTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=output action=change-dscp new-dscp=46 protocol=icmp
0 time=5.908 num=1 direction=tx src-mac=00:15:5D:FC:E9:01 dst-mac=00:15:5D:FC:E9:06 interface=ether1 src-address=192.168.227.11 dst-address=192.168.227.13 protocol=ip ip-protocol=ipsec-esp size=134 cpu=0 fp=no ip-packet-size=120 ip-header-size=20 dscp=46 identification=27223 fragment-offset=0 ttl=64
Changing the new-dscp value to 34 in the mangle rule leads to change in the ESP packet, so the 46 wasn’t just a lucky shot.
So what are your particular settings where it does not work?
Slight detail: I use not only IPSEC, but L2TP+IPSEC. I took for granted that the “inherit” property of IPSEC regarding the DSCP being copied to the IP header was going to work also with L2TP+IPSEC.
When I receive the ICMP packet I mark it with DSCP X with a prerouting mangle rule, then it is encapsulated and sent inside the tunnel, but when I capture packets of the L2TP tunnel the DSCP X is nowhere to be found.
chain=prerouting action=change-dscp new-dscp=1 passthrough=yes protocol=icmp log=no log-prefix=""
Well, that’s a huge “detail”
I assume it’s due to the complexity of PPP (multiple control protocol streams along with the transport one(s)) that the DSCP is not inherited from the payload to the PPP transport packets, so it cannot be inherited further to the ESP packets transporting the PPP ones. So if you want to avoid the policy-based routing of bare IPsec, use an IPsec-encrypted IPIP or GRE tunnel, where the DSCP inheritance works all the way (if dscp=inherit is set in the /interface ipip or /interface gre configuration, respectively). If you need to traverse NAT, you may have to configure the IPsec layer manually.
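As an added configuration example (not from any post in this thread), this is the GRE-over-IPsec setup the reply above recommends, with dscp=inherit on the GRE interface and prerouting mangle rules that set the DSCP before the packet is encapsulated. All addresses, interface names, ports, the remote LAN prefix and the pre-shared key are placeholders chosen for the example, not values from the thread.

```routeros
# Added example, not configuration posted in the thread.
# Assumed: local WAN 198.51.100.1 on ether1, remote WAN 203.0.113.1,
# tunnel addresses 10.255.0.1/30 (local) and 10.255.0.2 (remote),
# remote LAN 192.168.20.0/24. Replace the PSK with a long random secret.

# GRE interface with the IPsec layer set up by RouterOS from ipsec-secret.
# dscp=inherit copies the payload packet's DSCP into the GRE (outer) IP
# header; the ESP packet that then carries the GRE packet inherits it too.
/interface gre
add name=gre-siteB local-address=198.51.100.1 remote-address=203.0.113.1 \
    dscp=inherit ipsec-secret=ReplaceWithLongRandomPSK

/ip address
add address=10.255.0.1/30 interface=gre-siteB

# Send the remote LAN through the tunnel.
/ip route
add dst-address=192.168.20.0/24 gateway=10.255.0.2

# Mark priority traffic before it enters the tunnel. Forwarded traffic is
# matched in prerouting; traffic the router itself originates (e.g. its own
# pings, as in the earlier test) would be matched in chain=output instead.
/ip firewall mangle
add chain=prerouting action=change-dscp new-dscp=46 passthrough=yes \
    protocol=udp dst-port=5060,10000-20000 comment="voice -> EF (46)"
add chain=prerouting action=change-dscp new-dscp=26 passthrough=yes \
    protocol=tcp dst-port=443 comment="interactive -> AF31 (26)"

# Verify on the WAN side: the ESP packets should show the same dscp value
# as the inner packets, e.g. dscp=46 for the marked UDP traffic.
/tool sniffer quick interface=ether1 ip-protocol=ipsec-esp
```

The ipsec-secret shortcut assumes both endpoints have public addresses; as the reply above notes, a NAT-traversal case may need the /ip ipsec peer, proposal and policy configured by hand. Keep in mind that inheriting the DSCP deliberately exposes the traffic class of each encrypted packet to the provider; that is the point here, but it is metadata that a plain ESP tunnel would otherwise hide.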
Yeah, sorry, I should’ve mentioned it earlier… L2TP is a request in this project, so I will have to think about some other way… Thanks!!
It does not work with L2TP/IPsec, but it does work with GRE/IPsec (when you set the DSCP option to “inherit”).