Hi Alex,
Are both VPN peers SRX devices? I'm confirming the possibility of using this feature:
https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-based-ipsec-vpns-with-multiple-ipsec-sa.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/traffic-selectors-and-cos-based-ipsec-vpns.html
https://www.juniper.net/documentation/en_US/junos/topics/example/cos-based-ipsec-vpns-configuring.html#jd0e20 (in this example the configuration is applied on the Sunnyvale SRX and the picture of the topology doesn't match the configuration, so don't get confused; I have already submitted the feedback)
Basically, with the above feature the SRX will create one SA per Forwarding-Class (FC). It's like mapping an FC to a queue, but in this case to an SA. This way you can prioritize traffic being sent via a specific FC-to-SA.
Also note that if your inner packets are coming to the SRX already tagged (let's say DSCP tagging), the SRX will copy those tags to the outer packet (the already encrypted packet) being sent.