Cisco Support Community

New Member

Eliminate or reduce encryption for VoIP traffic

Hi,

I have a PIX 506 with a 3DES tunnel to a PIX 501. I would like VoIP traffic to tunnel without encryption or at least less encryption.

I was thinking about using tunnel interfaces (I've created 'int tunnel 0' on 2600/1700 routers in the past) because I thought these could tunnel w/out encrypting data, but is it possible to create tunnel interfaces on PIXes? Also, which ACLs get processed first, IPSec transform set ACL or tunnel interface ACL?

If the above is not possible, can I create a second instance of my 3DES crypto map using a different transform set that has just DES or no encryption associated with it? For that second instance of the crypto map I would obviously just be matching VoIP traffic on its transform set's ACL.

Please give me some direction.

Thanks,

Mike

3 REPLIES
Silver

Re: Eliminate or reduce encryption for VoIP traffic

I am aware that VPN clients support split tunneling which allows Internet destined traffic to be sent unencrypted directly to the Internet. However I am not very sure if this is possible with the PIX.

New Member

Re: Eliminate or reduce encryption for VoIP traffic

As you say GRE tunnels are not supported on the Pixes, and the problem with GRE tunnels is that anything you slam down the tunnel gets encrypted anyway.

I think you're on the right track about creating a crypto-map for your VOIP traffic and using an ESP-Null transform-set. Some smart Cisco folks should be able to give you some ideas on throughput using esp-null. The advantage, too, is that although it isn't encrypted, it is encapsulated, so you still get VPN capability.
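
A second crypto map instance with a DES or ESP-Null transform set, as discussed in this thread, leaves one class of traffic with weak or no confidentiality, so it helps to be able to spot it in a config review. The Python below is an added example, not part of the original posts: it reads PIX-style `crypto ipsec transform-set` and `crypto map` lines and reports, per map entry, which access list is sent with strong, weak (DES) or no encryption. The sample config, its names, ACL numbers and addresses are constructed.

```python
# Constructed sample in PIX 6.x-style syntax (names, ACLs, addresses are made up).
SAMPLE_CONFIG = """\
access-list 110 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 120 permit udp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 range 16384 32767
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec transform-set voip esp-null esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address 120
crypto map vpnmap 10 set peer 192.0.2.2
crypto map vpnmap 10 set transform-set voip
crypto map vpnmap 20 ipsec-isakmp
crypto map vpnmap 20 match address 110
crypto map vpnmap 20 set peer 192.0.2.2
crypto map vpnmap 20 set transform-set strong
"""

# ESP ciphers that provide confidentiality; esp-null and AH-only sets provide none.
CIPHERS = {"esp-des": "weak", "esp-3des": "ok", "esp-aes": "ok",
           "esp-aes-192": "ok", "esp-aes-256": "ok"}

def audit(config):
    """Return (map, seq, acl, transform_set, level) per crypto map entry."""
    tsets, entries = {}, {}
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            tsets[w[3]] = w[4:]
        elif w[:2] == ["crypto", "map"] and len(w) >= 7 and w[3].isdigit():
            entry = entries.setdefault((w[2], int(w[3])), {})
            if w[4:6] == ["match", "address"]:
                entry["acl"] = w[6]
            elif w[4:6] == ["set", "transform-set"]:
                entry["tsets"] = w[6:]
    findings = []
    for (name, seq), e in sorted(entries.items()):  # lower seq is matched first
        for ts in e.get("tsets", []):
            if ts not in tsets:
                level = "undefined"
            else:
                ratings = [CIPHERS[t] for t in tsets[ts] if t in CIPHERS]
                level = ("cleartext" if not ratings
                         else "weak" if "weak" in ratings else "ok")
            findings.append((name, seq, e.get("acl"), ts, level))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding)
```
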

New Member

Re: Elminate or reduce encryption for VoIP traffic

Anything you slam down the tunnel gets encrypted, BUT it doesn't get inspected by the Pix's if your tunnel endpoints are beyond them.

I reduced my latency almost 40% by doing that along with QoS.
