Interesting Traffic Issue

rameezsardar
Level 1

Friends,

I have configured two routers for a site-to-site VPN. I want to encrypt all traffic except OSPF and voice, so I configured the access-list you can see below:

ip access-list extended 101
 10 deny ospf any any
 15 deny ip any any dscp cs5
 20 permit ip any any

Note: I configured it so that when the voice dial-peer matches, the RTP packets are assigned DSCP value cs5, meaning precedence 5.

Now the problem is that when I send ping packets or telnet to the other router, they don't hit the access-list, so the IPsec tunnel is not established. But if I remove the line "15 deny ip any any dscp cs5" from the access-list, then it works fine and the tunnel is established.

As I mentioned earlier, I want to exclude the voice RTP packets from the IPsec tunnel. The access-list looks fine, so please tell me what the issue could be.

Best Regards

Ramiz


rameezsardar
Level 1

Still waiting...

Hi Ramiz,

That is really interesting indeed.

Can you disable the CEF feature on the router (no ip cef) and see if it works?

Another cool way to do this, if the crypto map will not mark the voice traffic, is to apply the crypto map on a loopback interface; then you route the IPsec + OSPF + voice traffic on the external interface.

You will have a static route pointing to the loopback (or OSPF), but also implement a route-map to prevent the voice traffic from reaching the loopback, so that it instead gets sent directly out the outside interface.

Rate if this helps.

Regards,

Daniel