IOS IPSec implementation copies original TOS field value into the new IP header TOS field. However, PIX and VPN concentrators don't do so (just set to '0'); it means that you cannot preserve any classification settings if crossing an IPSec device wich is a PIX or a VPN concentrator (btw, both 3000 and 5000 series). IOS let you classify, apply IPSec and shape/queue.