New to VoIP: Telephony over IPSec - 1700-to-PIX

Aug 24th, 2007

I've got an Avaya G700 phone switch that connects less than ten users to a Cisco 1700 at a remote office; the router has a static IPSec tunnel to my PIX 535 and data communication is fine. However, voice quality is barely there.

Would implementing QoS be enough to improve voice quality - if so, what config guide can help me configure that?

If that doesn't help, is the 1700 too slow a device to handle VoIP via IPSec?

juscraig Fri, 08/24/2007 - 09:44

Hmm, this can be a bit tricky. And maybe not possible since you are running all this traffic in an encrypted tunnel.

No matter how you mark or tag traffic in that tunnel, it's subject to the BW and CIR constraints of the carrier. I'm not sure of your topology (Tunnel over the internet, Point-to-Point, etc.), but a lot of factors play into this.

Basically, I don't think you can do much in terms of QoS inside an encrypted tunnel.

There are plenty of stories of this working for a path going over seas and traversing the internet; however, there are ZERO guarantees. It's all best effort, and subject to BW and congestion.

drumrb0y Fri, 08/24/2007 - 10:38

To help with the details, this is a VPN tunnel over a local MAN provider on a T-1 circuit; the number of IP phone and data users may only be 2 or 3 at a time at most.

I'm considering replacing the 1711 with a 3602 just in case that the 1711 is bogging down with software encryption and VoIP at the same time...but a 'sh process' indicates that the CPU % isn't above 20% for a 5 minute average. Primarily, I want to know if the 3602 swapout will do any good or is it a waste of effort.

juscraig Fri, 08/24/2007 - 11:31

Upgrading to a 3620 isn't going to solve anything. You are doing software encryption on the 1700, and if CPU is fine, the 3620 isn't going to solve anything as it will be doing SW encryption as well.

Seems like a combination of T1 and SW encryption, and the fact that the voice traffic is in the tunnel, so it can't be set with priority over the data traffic.

My 2 cents.... Hope it helps.

drumrb0y Fri, 08/24/2007 - 11:37

There is a proposed solution to replace the 1711 with a newer 2820 router with an analog voice/fax module to process the VoIP; considering that the T-1 circuit will be the bottleneck at that point, would you consider this a futile upgrade, even if the 2800 had a hardware encryption module?

juscraig Fri, 08/24/2007 - 11:47

I presume you mean a 2821? HW encryption could help and you could exclude the voice traffic with an ACL I guess.

If it's a Point to Point circuit, you can use QoS, and exclude encryption for voice. If it's an internet circuit, you want to encrypt anyway and QoS won't matter.

drumrb0y Fri, 08/24/2007 - 11:51

Yeah, it's a 2821; the MAN circuit is on a shared VLAN with 3 other remote offices on that IP segment, so it's going to be IPSec without QoS, then.

They may have to bump the pipe up to 10MB to alleviate this problem.

juscraig Fri, 08/24/2007 - 12:04

Well, the thing is, the voice traffic is minimal. If there are 3 G729 calls, that's only about 90k. Even if it's G711, it's not a bandwidth issue.
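To put numbers on the "only about 90k" estimate in the reply above, here is an added Python example (not from this thread and not Cisco or Avaya code) that computes per-call bandwidth for G.729 and G.711 both in the clear and inside an ESP tunnel, plus the serialization delay a voice packet suffers when it waits behind a full-size data packet on a T1 without priority queueing. The ESP figures assume tunnel mode, an 8-byte block cipher (3DES) with an 8-byte IV, a 12-byte truncated HMAC authenticator, 20 ms packetization, and 6 bytes of Cisco HDLC framing on the serial link; all of these are assumptions for the calculation, not values taken from the thread.

```python
"""Per-call VoIP bandwidth inside an IPSec ESP tunnel, and T1 queueing delay.

Added example: constants are textbook header sizes plus labelled assumptions.
"""
from dataclasses import dataclass

IP_HDR = 20          # IPv4 header, no options
UDP_HDR = 8
RTP_HDR = 12         # RTP header without CSRC list
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ESP_ICV = 12         # HMAC-SHA1-96 / HMAC-MD5-96 truncated authenticator
HDLC_L2 = 6          # assumption: Cisco HDLC framing on a T1 (4-byte header + 2-byte FCS)
T1_PAYLOAD_BPS = 1_536_000   # 24 DS0 channels x 64 kbps usable on a T1


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int     # voice bytes per RTP packet
    packets_per_sec: int   # 20 ms packetization -> 50 packets per second


G711 = Codec("G.711", 160, 50)   # 64 kbps codec, 20 ms frames
G729 = Codec("G.729", 20, 50)    # 8 kbps codec, 20 ms frames


def cleartext_packet_bytes(codec: Codec) -> int:
    """Size of one RTP voice packet as an IP datagram before encryption."""
    return codec.payload_bytes + RTP_HDR + UDP_HDR + IP_HDR


def esp_tunnel_packet_bytes(inner_bytes: int, block_size: int = 8, iv_bytes: int = 8) -> int:
    """Wire size of an ESP tunnel-mode packet carrying an inner IP datagram.

    The inner datagram plus the ESP trailer is padded up to the cipher block
    size, then wrapped in ESP header, IV, ICV and a new outer IP header.
    """
    body = inner_bytes + ESP_TRAILER
    padding = (-body) % block_size
    return IP_HDR + ESP_HDR + iv_bytes + body + padding + ESP_ICV


def call_bps(codec: Codec, encrypted: bool = True, l2_bytes: int = HDLC_L2,
             block_size: int = 8, iv_bytes: int = 8) -> int:
    """Link bandwidth in bits per second consumed by one call in one direction."""
    inner = cleartext_packet_bytes(codec)
    wire = esp_tunnel_packet_bytes(inner, block_size, iv_bytes) if encrypted else inner
    return (wire + l2_bytes) * 8 * codec.packets_per_sec


def serialization_ms(frame_bytes: int, link_bps: int = T1_PAYLOAD_BPS) -> float:
    """Time to clock one frame onto the link; a voice packet queued behind it waits at least this long."""
    return frame_bytes * 8 * 1000 / link_bps


def fifo_wait_ms(data_frames_ahead: int, data_mtu: int = 1500, link_bps: int = T1_PAYLOAD_BPS) -> float:
    """Worst-case wait for a voice packet stuck behind N encrypted full-size data frames in a FIFO queue."""
    frame = esp_tunnel_packet_bytes(data_mtu) + HDLC_L2
    return data_frames_ahead * serialization_ms(frame, link_bps)


if __name__ == "__main__":
    for codec in (G729, G711):
        clear = call_bps(codec, encrypted=False)
        enc = call_bps(codec)
        print(f"{codec.name}: {clear/1000:.1f} kbps clear, {enc/1000:.1f} kbps in ESP tunnel per call")
    print(f"3 x G.711 encrypted: {3 * call_bps(G711)/1000:.1f} kbps of a {T1_PAYLOAD_BPS/1000:.0f} kbps T1")
    print(f"Voice packet behind 4 data frames (no priority queue): {fifo_wait_ms(4):.1f} ms")
```

Three encrypted G.711 calls come to roughly 315 kbps, well inside a T1, which supports the point that this is not a bandwidth problem. What the delay figures show is that each full-size encrypted data frame holds the link for about 8 ms, so a handful of them ahead of a voice packet in a plain FIFO queue already exceeds the jitter budget a phone will tolerate; that is the priority-over-data problem the thread describes. Note that ESP tunnel mode copies the inner DSCP/ToS byte into the outer IP header by default, so an outbound interface policy can still match the encrypted voice packets on EF even though it cannot see the inner RTP headers.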

drumrb0y Fri, 08/24/2007 - 12:15

I guess that takes me back to square one; if a T-1 can handle encrypted voice/data coming out of a 1711, where does the signal quality suffer..?

My phone tech working the Avaya equipment has been banging his head on this wall for a while trying to get these IP phones to function and I'm doing my best to get his traffic into the existing VPN tunnel without degrading.

jkirby Thu, 04/03/2008 - 13:25

Turn off fixup h323 (both h225 and ras) on your PIX. Fixed TONS of VoIP over VPN problems for us.
