Hi guys,
I need your advice. I think I have seen this before and used it, but below is an article on allotting bandwidth on the termination endpoint for the VPN. Say you have an edge internet router that all traffic at your company goes through, but of course it is using FIFO and no QoS on the edge internet router. This router is the default route for email, VPN ESP traffic, company internet, and public servers, and I wanted to put down QoS to guarantee 10 meg or 20% on that edge router because I feel IPsec is being crushed, since we are using GRE/IPsec and I see the tunnel flapping a lot, and the programmers say there is lots of latency on their access to their production servers through or across the VPN IPsec tunnel. I think the choke point is on the edge router using FIFO: when people here at our company do company-wide updates on their machines, it seems to choke or create a lot of latency on the production VPN tunnel. So my idea was to create a service policy and place it on the edge router that is the gateway to the internet, then the fiber switch, which I know is wide open. I asked Charter for a month's analysis/util diagram and I do not see a lot of use taking up the pipe, but I do see lots of spiking and bursty traffic, and I think IPsec is fighting to get in there. So if I create an IPsec service QoS policy on both up and down interfaces, applied outward, guaranteed for ESP source/destination both ways, 20% of the 50 meg line, which is 10 meg for sure, which is not dedicated logically, I do not feel they will have any latency issues.

My question is: can you do a QoS policy on the transit router, and not the termination point of the IPsec, and will it be honored?
My first thought is yes, but I wanted your advice.
It makes sense to me that the IPsec is fighting with email, internet, and public server traffic due to the bursty and constant competing for link speed. If I were to allot 10 meg up and down for ESP traffic (source/destination), it will leave it wide open for IPsec traffic and thus be a logical dedication. What do you think, will it work, or does the service policy need to decrypt and encrypt before it sees it?

Configuring QoS for Encrypted Traffic with IPsec* [Cisco IOS IPsec] - Cisco Systems
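One way to write the policy the post describes in Cisco IOS MQC, as an added example that is not the poster's or Cisco's own configuration; the interface names, tunnel endpoint addresses (RFC 5737 documentation ranges), and class/policy names are assumed placeholders.

```cisco
! Match ESP (IP protocol 50) between the two tunnel endpoints, both directions.
! On a transit router the outer IP header and the ESP protocol number are in
! the clear, so the policy can classify without decrypting anything.
! Endpoint addresses are assumed placeholders. If the tunnel is NAT-traversed,
! ESP rides inside UDP/4500 and the ACL would need to match that instead.
ip access-list extended ESP-TUNNEL-ACL
 permit esp host 192.0.2.1 host 198.51.100.1
 permit esp host 198.51.100.1 host 192.0.2.1
!
class-map match-all ESP-TUNNEL
 match access-group name ESP-TUNNEL-ACL
!
! Guarantee 20% of the interface bandwidth to the ESP class during congestion;
! everything else shares the remainder through fair queueing in class-default.
policy-map EDGE-OUT
 class ESP-TUNNEL
  bandwidth percent 20
 class class-default
  fair-queue
!
! "bandwidth percent" is computed from the configured interface bandwidth, so
! declare the 50 Mbps circuit rate (in kbps). Note the bandwidth statement also
! feeds routing-protocol metrics. Queueing policies attach in the output
! direction, so apply the policy outbound on the WAN side (upstream) and
! outbound on the LAN side (downstream). Interface names are assumed.
interface GigabitEthernet0/0
 description WAN to Charter (assumed)
 bandwidth 50000
 service-policy output EDGE-OUT
!
interface GigabitEthernet0/1
 description LAN toward fiber switch (assumed)
 bandwidth 50000
 service-policy output EDGE-OUT
!
! Only the router that actually encrypts needs "qos pre-classify" (under the
! crypto map or tunnel interface) to classify on inner headers; a transit
! router that only sees ESP does not.
```

Confirm the class is actually seeing ESP packets and getting queue drops only in class-default with `show policy-map interface GigabitEthernet0/0`; if the LAN-side interface never congests, its output policy will simply never engage, because the downstream choke point is on the provider side of the link.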