
Voice and IPSEC Tunnels

In case I am using a DMVPN with IPSEC technology for branch connectivity, the ISP won't know what kind of traffic I am running since it is encrypted ultimately.

Using DMVPN, the packet is first encapsulated in GRE and then encrypted with IPSEC credentials. Because the ultimate traffic is IPSEC, it requires the ISP/service provider to let port UDP 500 and ESP be opened up. Once the tunnel is created I can pass any type of traffic since it is going using ESP.

Having this in mind, I have seen a few deployments where we implemented this kind of solution and voice traffic was not passing and IP phones were not able to register themselves. Most of the guys pointed out that it could possibly be because the ISP is blocking SCCP traffic, but my concern is that if we have an IPSEC tunnel from branch to head office, how can the ISP detect that thing and drop it.

Please provide some input on this.

Accepted Solutions

Voice and IPSEC Tunnels

The provider can't see inside the tunnel. He only could assume that it could be voice-traffic:

The Voice-endpoints set the DSCP-value in the IP-header when they send the traffic. These values are copied to the outer IP-header when the traffic is encrypted. With that function you can do QoS also on encrypted traffic.

But I don't think that a provider would filter on that traffic.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
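
What a device on the provider's path can read from an ESP-protected packet, as an added example that is not part of the original reply. The sample packet, addresses and SPI are constructed, and the DSCP names assume the common EF marking for voice media and CS3 for call signalling.

```python
import ipaddress
import struct

# Code points commonly used by voice endpoints (assumed markings, not from the thread).
DSCP_NAMES = {0: "BE", 24: "CS3 (call signalling)", 46: "EF (voice media)"}
IP_HDR = "!BBHHHBBH4s4s"

def build_esp_packet(dscp, spi, seq, ciphertext):
    """Constructed sample: IPv4 header (checksum left 0) + ESP header + opaque payload."""
    ip = struct.pack(IP_HDR, 0x45, dscp << 2, 28 + len(ciphertext), 0, 0, 64, 50, 0,
                     ipaddress.ip_address("192.0.2.1").packed,
                     ipaddress.ip_address("198.51.100.1").packed)
    return ip + struct.pack("!II", spi, seq) + ciphertext

def visible_to_transit(packet):
    """Return the fields an on-path device can read without any tunnel keys."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _, _, _, _, proto, _, src, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    dscp = tos >> 2  # upper six bits of the ToS byte
    seen = {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "protocol": proto,
        "dscp": dscp,
        "dscp_name": DSCP_NAMES.get(dscp, "other"),
    }
    if proto == 50:  # ESP: SPI and sequence number are sent in the clear
        if len(packet) < ihl + 8:
            raise ValueError("truncated ESP header")
        seen["esp_spi"], seen["esp_seq"] = struct.unpack("!II", packet[ihl:ihl + 8])
        seen["opaque_bytes"] = len(packet) - ihl - 8  # encrypted GRE + inner packet
    return seen

if __name__ == "__main__":
    # 64 zero bytes stand in for ciphertext; inner SCCP/RTP headers are not recoverable.
    pkt = build_esp_packet(dscp=46, spi=0x1A2B3C4D, seq=7, ciphertext=bytes(64))
    for field, value in visible_to_transit(pkt).items():
        print(f"{field}: {value}")
```
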

