At 09:35 30/05/2005 +0200, Kim Onnel wrote:
>I have a case where I have 2 remote PIXs running 2 IPSec tunnels between them, one for data and the other for voice.
>The voice tunnel introduced delay which affected voice quality. I want to still hide my voice traffic (i.e. ports), so I was thinking of changing the voice tunnel to only tunnel and not encrypt.
>Is that possible with IPSec, if not how can this be done?

IPsec and VoIP work fine together at the expense of a much higher required bandwidth (due to IPsec headers). This may be your case.

>I've looked at IPsec ESP with null encryption, but with that I guess I will have my traffic moving in clear text?

ESP with null encryption will mean that your traffic will be in the clear ;-)

But, for your use, it will also bypass very naive blocking systems, since the VoIP packets will appear as ESP packets and not as UDP/RTP packets.

>Other ideas I had were to use a GRE tunnel from PIX-to-PIX only for voice, but I knew PIX have little support for GRE. I was thinking of putting 2 BSD PCs behind the PIXs and doing the tunnel between them, but that is not an option either.

Indeed, PIX has no support for GRE.

Please note that you will probably have to do some specific configuration for NAT (in case the PIX is also doing NAT).


>Some people may ask why I am trying to hide my voice ports. My answer is, where I live, the gov. is the telco., disallowing voice except through their high rates, and we want to do business, move with our lives.

VPN mailing list
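
The point made in the reply above, that ESP with null encryption leaves the traffic in the clear, shown as an added example that is not part of the original thread: any device on the path can read the inner addresses and UDP ports from an ESP-NULL packet without holding a key. It assumes tunnel mode over IPv4 and a 12-byte ICV; the addresses, ports, SPI and payload are constructed, and the ICV is a zero-filled placeholder rather than a real HMAC.

```python
import socket
import struct

ICV_LEN = 12  # assumption: a 96-bit truncated HMAC is negotiated for integrity

def build_inner(src, dst, sport, dport, payload):
    """Constructed IPv4+UDP datagram (checksums left at 0 for brevity)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def build_esp_null(spi, seq, inner):
    """Tunnel-mode ESP body with NULL encryption: the inner packet is copied as-is."""
    pad_len = -(len(inner) + 2) % 4            # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # 4 = IPv4
    icv = b"\x00" * ICV_LEN                    # placeholder, not a real HMAC
    return struct.pack("!II", spi, seq) + inner + trailer + icv

def inspect_esp_null(esp, icv_len=ICV_LEN):
    """Recover the inner UDP flow from an ESP payload without any key."""
    if len(esp) < 8 + 2 + icv_len:
        return None
    spi, seq = struct.unpack("!II", esp[:8])
    body = esp[8:len(esp) - icv_len]           # drop SPI/sequence and ICV
    pad_len, next_header = body[-2], body[-1]
    if next_header != 4 or pad_len > len(body) - 2:
        return None                            # not IPv4-in-ESP, or really encrypted
    inner = body[:len(body) - 2 - pad_len]
    if len(inner) < 28 or inner[0] >> 4 != 4 or inner[9] != 17:
        return None                            # inner packet is not IPv4/UDP
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8:
        return None
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"spi": spi, "seq": seq,
            "src": socket.inet_ntoa(inner[12:16]),
            "dst": socket.inet_ntoa(inner[16:20]),
            "sport": sport, "dport": dport, "payload": inner[ihl + 8:]}

# Constructed sample: documentation addresses, made-up SPI, RTP-like payload.
SAMPLE = build_esp_null(0x1000, 1, build_inner(
    "192.0.2.10", "198.51.100.20", 16384, 16386, b"\x80\x00constructed"))

if __name__ == "__main__":
    print(inspect_esp_null(SAMPLE))
```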