I have configured two routers for site-to-site VPN. I want to encrypt all traffic except OSPF and voice, so I configured the access list you can see below:
ip access-list extended 101
10 deny ospf any any
15 deny ip any any dscp cs5
20 permit ip any any
Note: I configured it so that when a voice dial-peer matches, it assigns the RTP packets DSCP value cs5, meaning precedence 5.
Now the problem is that when I send ping packets or telnet to the other router, the traffic doesn't hit the access list, so the IPsec tunnel is not established. But if I remove the line "15 deny ip any any dscp cs5" from the access list, then it works fine and the tunnel is established.
As I mentioned earlier, I want to exclude voice RTP packets from the IPsec tunnel. The access list looks fine. So please tell me what the issue would be?