02-09-2008 07:07 PM - edited 03-09-2019 08:04 PM
Friends,
I have configured two routers for site-to-site VPN. I want to encrypt all traffic except OSPF and voice, so I configured the access list you can see below:
ip access-list extended 101
10 deny ospf any any
15 deny ip any any dscp cs5
20 permit ip any any
Note: I configured the voice dial-peer so that, when it matches, it marks the RTP packets with DSCP value cs5, i.e. precedence 5.
Now the problem is that when I send ping packets or telnet to the other router, they don't hit the access list, so the IPsec tunnel is not established. But if I remove the line "15 deny ip any any dscp cs5" from the access list, then it works fine and the tunnel is established.
As I mentioned earlier, I want to exclude the voice RTP packets from the IPsec tunnel. The access list looks fine, so please tell me what the issue could be.
Best Regards
Ramiz
02-10-2008 03:10 PM
Still Waiting.....
02-11-2008 09:45 AM
Hi Ramiz,
That is really interesting indeed.
Can you disable the CEF feature on the router (no ip cef) and see if it works?
Another cool way to do this, if the crypto map will not match the voice traffic, is to apply the crypto map on a loopback interface; then you route the IPsec + OSPF + voice out the external interface.
You will have a static route pointing to the loopback (or OSPF), but you also implement a route map to prevent the voice traffic from reaching the loopback, so that it instead gets sent directly out the outside interface.
Rate if this helps.
Regards,
Daniel
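Below is an added configuration sketch of the loopback approach Daniel describes; it is not part of either post and was not tested by the thread participants. Addresses (203.0.113.0/24 for the outside link, 192.168.1.0/24 and 192.168.2.0/24 for the two LANs, 10.255.255.1 for the loopback), interface names, the pre-shared key and the transform set are all assumed. The crypto map is applied to Loopback0 and the remote LAN is routed through that loopback, so only traffic that is forced through the loopback gets encrypted; the outside interface carries no crypto map at all, so OSPF and the cs5-marked voice traffic that PBR steers straight to the outside next hop stay in the clear. It assumes, as Daniel's description does, that the platform encrypts traffic routed via a loopback that carries a crypto map.

```ios
! --- Added example (assumed addresses/names), following Daniel's suggestion ---
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Crypto ACL: plain permit, because OSPF and voice never reach this interface
ip access-list extended CRYPTO-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address CRYPTO-ACL
! Source the ESP/ISAKMP packets from the real outside address, not the loopback
crypto map VPN local-address FastEthernet0/0
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
 crypto map VPN
!
interface FastEthernet0/0
 description outside (assumed); no crypto map here, OSPF/voice go out in clear
 ip address 203.0.113.1 255.255.255.0
 ip ospf 1 area 0
!
interface FastEthernet0/1
 description inside (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map VOICE-DIRECT
!
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
!
! Static route (AD 1) beats any OSPF route: everything for the remote LAN
! is sent through the loopback and therefore through the crypto map
ip route 192.168.2.0 255.255.255.0 Loopback0
!
! Voice (cs5) is caught by PBR on the inside interface before routing and
! is handed directly to the outside next hop, never touching Loopback0
ip access-list extended VOICE-CS5
 permit ip any any dscp cs5
!
route-map VOICE-DIRECT permit 10
 match ip address VOICE-CS5
 set ip next-hop 203.0.113.2
!
! Everything else falls through and is routed normally (via Loopback0)
route-map VOICE-DIRECT permit 20
```

To check the split afterwards: "show crypto ipsec sa" should show the encaps/decaps counters rising for a ping to 192.168.2.x, while "show route-map VOICE-DIRECT" should show the policy-matched counter rising only for the cs5-marked RTP stream, and "show ip ospf neighbor" must stay FULL since the hellos never cross the loopback. Note that the cs5 packets still leave 203.0.113.1 unencrypted by design, so the peer router needs the mirror-image PBR and routes for the return direction.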