I have a PIX 506 with a 3DES tunnel to a PIX 501. I would like VoIP traffic to tunnel without encryption or at least less encryption.
I was thinking about using tunnel interfaces (I've created 'int tunnel 0' on 2600/1700 routers in the past) because I thought these could tunnel without encrypting data, but is it possible to create tunnel interfaces on PIXs? Also, which ACLs get processed first, the IPSec transform set ACL or the tunnel interface ACL?
If the above is not possible, can I create a second instance of my 3DES crypto map using a different transform set that has just DES or no encryption associated with it? For that second instance of the crypto map I would obviously just be matching VoIP traffic/hosts on its transform set's ACL.
It is possible to tunnel voice traffic without encryption. You will need to configure the crypto access list such that packets with ports used by voice traffic are considered not interesting. Now voice packets will not qualify as interesting traffic for IPsec and will be passed through unencrypted. Typically this can be done by denying TCP ports 1718 through 1720. However, the port numbers used might vary in some vendor implementations. A note of caution though: I don't remember coming across too many configurations of this nature.
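The crypto ACL approach in the answer above, written out as an added example in PIX 6.x-style configuration (this is not configuration from the original post or from either poster). The site subnets, the peer address, the ACL and crypto map names, and the port range are all assumed: the port range 1718-1720 is the one the answer names, and the comment lines marked with `!` are explanatory and not part of the configuration.

```cisco
! Assumed topology (constructed for this example):
!   local LAN  10.1.1.0/24  behind the PIX 506
!   remote LAN 10.2.2.0/24  behind the PIX 501, peer 203.0.113.2
!
! Deny entries in the crypto ACL are evaluated first, so VoIP signalling
! on TCP 1718-1720 is NOT "interesting" and is never matched to the SA.
! Adjust the port range if your vendor uses different ports.
access-list vpn_traffic deny tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 range 1718 1720
access-list vpn_traffic deny tcp 10.1.1.0 255.255.255.0 range 1718 1720 10.2.2.0 255.255.255.0
! Everything else between the two LANs stays inside the 3DES tunnel.
access-list vpn_traffic permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! NAT exemption for site-to-site traffic (assumed name "nonat"); the
! VoIP packets denied above now leave the outside interface as ordinary
! cleartext IP, so they must be routable and permitted end to end.
access-list nonat permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! Unchanged 3DES tunnel; only the crypto ACL decides what gets encrypted.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address vpn_traffic
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set transform-set strong
crypto map outside_map interface outside
```

The same crypto ACL, with the source and destination subnets swapped, has to be mirrored on the PIX 501 so both ends agree on which flows belong to the SA; a mismatch leaves one side encrypting traffic the other side expects in the clear. After applying the change, the counters on the `permit` line of `show access-list vpn_traffic` should stop growing for VoIP flows while the `deny` lines increment, which is the quickest way to confirm which packets are bypassing the tunnel.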