[j-nsp] Single SRX DSCP writing before traffic is encrypted into IPSec
Andrew Jones
andrew at commitconfirmed.com
Wed Aug 10 23:43:29 EDT 2011
Hi,
I've got an SRX240 running 10.4R4.5 running at a branch site serving as
the site gateway, and I'm trying to figure out a way to write DSCP values before traffic
is encrypted into an IPSec VPN, due to the SRX being the only device at the
site. The only place I can apply outbound DSCP marking is on the interface
that the IPSec VPN lies on, since you can't configure DSCP rewrites on the
st0.x interfaces. This works okay since the IPSec packet is marked and
scheduled correctly, but once the traffic makes it to the other site and is
decrypted, the DSCP marking is lost and needs to be re-marked. It also
makes it hard to audit how much traffic is being put into each class when
doing J-Flow exports, or whether certain types of traffic are being marked
correctly.
Has anyone else got a similar setup, or experienced and fixed this issue? I'm
currently terminating VPNs on the physical interface itself; could I
potentially move this to a vlan.x interface and perform outbound DSCP
marking there?
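An added example, not from the post, showing one way to set DSCP on the cleartext packet at the LAN-side ingress interface with a Junos firewall filter, so the value sits in the inner IP header before encryption and is still present when the far end decrypts. The interface name, address, and the UDP port range are assumptions, as is availability of the filter `dscp` action on this platform and release.

```junos
firewall {
    family inet {
        filter MARK-BEFORE-IPSEC {
            /* Assumed: a voice/RTP port range chosen only for illustration */
            term voice {
                from {
                    protocol udp;
                    destination-port 16384-32767;
                }
                then {
                    dscp ef;
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    /* Assumed LAN-side interface; an input filter here acts on the
       cleartext packet before it is routed into st0.x and encrypted */
    vlan {
        unit 10 {
            family inet {
                filter {
                    input MARK-BEFORE-IPSEC;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
```

Because the DSCP value is written to the inner header before encapsulation, the remote side sees it after decryption without re-marking, and J-Flow on the cleartext side records the class that was actually applied.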