Interesting Traffic Issue

Unanswered Question
Feb 9th, 2008

Friends,

I have configured two routers for site-to-site VPN. I want to encrypt all traffic except OSPF and voice, so I configured the access-list you can see below:

ip access-list extended 101
 10 deny ospf any any
 15 deny ip any any dscp cs5
 20 permit ip any any

Note: I configured it so that when the voice dial-peer matches, it assigns the RTP packets DSCP value cs5, which means precedence 5.

Now the problem is that when I send ping packets or telnet to the other router, they don't hit the access-list, so the IPsec tunnel is not established. But if I remove the line "15 deny ip any any dscp cs5" from the access-list, then it works fine and the tunnel is established.

As I mentioned earlier, I want to exclude the voice RTP packets from the IPsec tunnel. The access-list looks fine, so please tell me what the issue could be.

Best Regards

Ramiz

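To make the expected behaviour of the posted crypto ACL concrete, here is a small Python model of Cisco extended-ACL evaluation (top-down, first match wins, implicit deny at the end) run against constructed sample packets. This is example code added to the thread, not anything from the original post or from IOS; the packet fields, addresses and the `Packet`/`Ace` classes are assumptions for illustration. It shows that, as written, an ICMP or Telnet packet carrying the default DSCP value falls through lines 10 and 15 and is permitted (encrypted) by line 20, and it also shows the difference between matching `dscp cs5` (exact code point 40) and `precedence 5` (any DSCP whose top three bits are 5, which includes EF/46), which matters when checking what value the dial-peer actually marks.

```python
# Model of Cisco extended-ACL evaluation for the crypto ACL in the question.
# Added example code, not the poster's configuration or IOS itself.
# Entries are evaluated top-down; the first match decides; an implicit deny
# ends the list. In a crypto ACL, "permit" = encrypt, "deny" = send in clear.

from dataclasses import dataclass
from typing import Optional, Tuple, List

# DSCP code points as 6-bit values (the top three bits are the IP precedence).
DSCP = {"default": 0, "cs5": 40, "ef": 46}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the ACL cares about."""
    proto: str          # "ospf", "icmp", "tcp", "udp"
    src: str
    dst: str
    dscp: int = 0       # 6-bit DSCP value from the IP TOS byte


@dataclass(frozen=True)
class Ace:
    """One access-list entry; source/destination are 'any any' throughout."""
    seq: int
    action: str                        # "permit" or "deny"
    proto: str                         # "ip" matches every IP protocol
    dscp: Optional[int] = None         # exact DSCP match when set
    precedence: Optional[int] = None   # match on DSCP >> 3 when set

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.precedence is not None and (pkt.dscp >> 3) != self.precedence:
            return False
        return True


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (sequence number, action) of the first matching entry,
    or (None, 'deny') for the implicit deny at the end of the list."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.seq, ace.action
    return None, "deny"


def crypto_decision(acl: List[Ace], pkt: Packet) -> str:
    """Translate the ACL result into what a crypto map does with the packet."""
    _, action = evaluate(acl, pkt)
    return "encrypt" if action == "permit" else "clear"


# The ACL from the question, as posted.
ACL_101 = [
    Ace(10, "deny", "ospf"),
    Ace(15, "deny", "ip", dscp=DSCP["cs5"]),
    Ace(20, "permit", "ip"),
]

# Variant with "precedence 5" instead of "dscp cs5" on line 15 (for contrast).
ACL_101_PRECEDENCE = [
    Ace(10, "deny", "ospf"),
    Ace(15, "deny", "ip", precedence=5),
    Ace(20, "permit", "ip"),
]

# Constructed sample packets (addresses are placeholders).
PING = Packet("icmp", "10.1.1.1", "10.2.2.1")                   # DSCP 0
TELNET = Packet("tcp", "10.1.1.1", "10.2.2.1")                  # DSCP 0
OSPF_HELLO = Packet("ospf", "10.1.1.1", "224.0.0.5")
RTP_CS5 = Packet("udp", "10.1.1.10", "10.2.2.10", DSCP["cs5"])  # marked cs5
RTP_EF = Packet("udp", "10.1.1.10", "10.2.2.10", DSCP["ef"])    # marked EF


if __name__ == "__main__":
    for name, pkt in [("ping", PING), ("telnet", TELNET), ("ospf", OSPF_HELLO),
                      ("rtp cs5", RTP_CS5), ("rtp ef", RTP_EF)]:
        print(f"{name:8s} dscp cs5 -> {crypto_decision(ACL_101, pkt):7s} "
              f"precedence 5 -> {crypto_decision(ACL_101_PRECEDENCE, pkt)}")
```

Running it shows ping and Telnet hitting line 20 (encrypt) under both ACL variants, OSPF hitting line 10, and voice marked cs5 hitting line 15; voice marked EF is only excluded by the `precedence 5` variant, so checking the actual marking applied by the dial-peer is a useful first step before looking elsewhere.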
Daniel Voicu Mon, 02/11/2008 - 09:45

Hi Ramiz,

That is really interesting indeed.

Can you disable the CEF feature on the router (no ip cef) and see if it works?

Another cool way to do this, if the crypto map will not mark the voice traffic, is to apply the crypto map on a loopback interface and then route the IPsec + OSPF + voice traffic on the external interface.

You will have a static route pointing to the loopback (or OSPF), but also implement a route-map to prevent the voice traffic from reaching the loopback, so that it instead gets sent directly out the outside interface.

Rate if this helps.

Regards,

Daniel
