I've got my main campus in a remote site connected with a GRE over IPsec tunnel in tunnel mode. The GRE/IPsec works just fine. My problem is with my outbound policy-map. This one is used to police the traffic to the bandwidth of the remote site. It has a child policy to do LLQ for the voice traffic, matching on precedence 5 since I'm doing qos pre-classify.
In the parent policy-map, I'm trying to match only some traffic because this is a router-on-a-stick configuration. It tries to match ESP from host A to host B, where those hosts are the two VPN gateways. I get no matches in my ACL counters. That's bizarre!
Now, I add to my ACL the line permit ip any 10.4.0.0 0.0.255.255. This is my remote site's IP range. I've got hits!!! That IP should be buried in GRE. GRE should be encapsulated in ESP. How can an outbound QoS policy (it should be applied last to the traffic, after encryption) match on an encrypted IP field inside the packet? That's really, really bizarre!!!
Can anyone tell me what I'm missing here?
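As an added example (not the original poster's configuration), here is one way the setup described above looks in Cisco IOS, with hypothetical addresses, object names and bandwidth values. It puts the two parent-class candidates side by side: one keyed on ESP between the two gateways and one keyed on the remote site's inner 10.4.0.0/16 range. With qos pre-classify enabled on the tunnel and the crypto map, the output service-policy classifies against the original, pre-encryption packet headers, which is why the inner-destination class counts hits while the ESP class does not. The parent class uses shaping rather than policing because a child policy containing a priority queue needs a queue in the parent class to work on.

```ios
! Added example, not the original poster's config. All addresses and names are hypothetical.
! Campus gateway 192.0.2.1, remote gateway 198.51.100.1, remote LAN 10.4.0.0/16.
!
ip access-list extended GRE-TO-REMOTE
 permit gre host 192.0.2.1 host 198.51.100.1
ip access-list extended ESP-TO-REMOTE
 permit esp host 192.0.2.1 host 198.51.100.1
ip access-list extended REMOTE-LAN
 permit ip any 10.4.0.0 0.0.255.255
!
class-map match-all VOICE
 match ip precedence 5
class-map match-all TO-REMOTE-ESP
 match access-group name ESP-TO-REMOTE
class-map match-all TO-REMOTE-LAN
 match access-group name REMOTE-LAN
!
! Child policy: LLQ for voice, marked with precedence 5 before encryption.
policy-map CHILD-LLQ
 class VOICE
  priority 256
 class class-default
  fair-queue
!
! Parent policy: constrain traffic to the remote site's bandwidth (hypothetical 2 Mbps).
! With qos pre-classify in effect, TO-REMOTE-LAN sees the inner headers and matches;
! TO-REMOTE-ESP never matches because classification happens before ESP encapsulation.
policy-map PARENT-TO-REMOTE
 class TO-REMOTE-LAN
  shape average 2000000
  service-policy CHILD-LLQ
 class TO-REMOTE-ESP
  shape average 2000000
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address GRE-TO-REMOTE
 qos pre-classify
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 qos pre-classify
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map VPN
 service-policy output PARENT-TO-REMOTE
```

Check the result with `show policy-map interface GigabitEthernet0/0` and `show ip access-lists`: the packet and byte counters should climb under TO-REMOTE-LAN and stay at zero under TO-REMOTE-ESP while the tunnel carries traffic.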