QoS on encrypted connection over DSL

Hi!

I configured a 1841 with a dialer interface (ADSL with PPPoE) to the internet. Then I set up a second router at another site with the same config. After that I configured an IPsec tunnel between the two sites by using a crypto map.

Everything works great so far, but then I try to set up QoS by defining a policy map and attaching it to the outgoing interface. But that does not work, because the access lists don't seem to match outgoing on either the dialer or the Ethernet interface (they only match when I use the ACLs as an ip access-group directly on the incoming Ethernet interface).

I urgently need QoS on the tunnel and am desperately looking for a solution! I attached the config of one router. Thanks for your help!

----------------- snip -------------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpn-w01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 XXXXX
!
no aaa new-model
clock timezone Berlin 1
clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
ip cef
!
ip inspect tcp idle-time 28800
ip inspect name INSPECTION cuseeme
ip inspect name INSPECTION ftp
ip inspect name INSPECTION h323
ip inspect name INSPECTION icmp
ip inspect name INSPECTION netshow
ip inspect name INSPECTION rcmd
ip inspect name INSPECTION realaudio
ip inspect name INSPECTION rtsp
ip inspect name INSPECTION esmtp
ip inspect name INSPECTION sqlnet
ip inspect name INSPECTION streamworks
ip inspect name INSPECTION tftp
ip inspect name INSPECTION tcp
ip inspect name INSPECTION udp
ip inspect name INSPECTION vdolive
ip inspect name INSPECTION ssh
ip tcp synwait-time 10
ip tcp path-mtu-discovery
!
ip ips notify SDEE
no ip bootp server
ip domain name autohaus-holzer.de
ip name-server 194.25.2.129
ip ssh source-interface Vlan1
!
username admin privilege 15 password 7 01121409521F070824
!
class-map match-all terminalserver
 match access-group 100
class-map match-all vaudis
 match access-group 101
class-map match-all ipsec
 match protocol ipsec
!
policy-map vw-policy
 class terminalserver
  bandwidth percent 30
 class vaudis
  bandwidth percent 30
 class class-default
  fair-queue
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 1234567890 address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 20
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map ENCRYPT 1 ipsec-isakmp
 set peer 87.139.35.100
 set transform-set ESP-3DES-SHA
 match address TOVPN
 qos pre-classify
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description OUTSIDE
 bandwidth 128
 no ip address
 no ip unreachables
 no ip proxy-arp
 ip mtu 1472
 ip tcp adjust-mss 1416
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
 service-policy output vw-policy
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 description INSIDE
 ip address 10.59.166.129 255.255.255.128
 no ip proxy-arp
 ip nat inside
 no ip virtual-reassembly
!
interface Dialer0
 description OUTSIDE
 bandwidth 128
 ip address negotiated
 no ip unreachables
 no ip proxy-arp
 ip mtu 1472
 ip inspect INSPECTION out
 ip nat outside
 ip virtual-reassembly max-reassemblies 1024
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1416
 dialer pool 1
 dialer string 01133
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname 000385648292520071291161# snipped-for-privacy@t-online.de
 ppp chap password XXXXX
 crypto map ENCRYPT
 service-policy output vw-policy
!
interface Dialer1
 no ip address
 no cdp enable
 service-policy output vw-policy
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.0.0.0 Dialer0
ip route 10.59.172.128 255.255.255.128 Dialer0
ip route 87.139.35.100 255.255.255.255 Dialer0
[... some routes omitted ...]
!
ip nat inside source route-map TONAT interface Dialer0 overload
!
ip access-list extended INSIDE_IN
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip 10.59.166.128 0.0.0.127 any
ip access-list extended OUTSIDE_IN
 permit ip any 10.59.166.128 0.0.0.127
[... some more ACLs omitted ...]
ip access-list extended TONAT
 deny ip 10.59.166.128 0.0.0.127 any
ip access-list extended TOVPN
 permit ip 10.59.166.128 0.0.0.127 any
!
access-list 100 permit tcp 10.59.166.128 0.0.0.127 any eq 3389
access-list 101 permit tcp any any eq telnet
dialer-list 1 protocol ip permit
no cdp run
route-map TONAT permit 1
 match ip address TONAT
!
----------------- snip -------------------

stefan.gasteiger

Attach policy to INBOUND interface (VLAN 1 in your case). That's where your traffic is not NATed and not encrypted, and you can specify TCP port. After you encrypt traffic, you cannot distinguish between various types of traffic.

Good luck,

Mike

headsetadapter.com

My understanding is that the qos pre-classify does take care of this. The packets are classified before crypto, tracked through the various processes and then are still "classified" even after encryption so the router can in principle do fancy queuing.

In practice with DSL it seems rather difficult. With an Ethernet internet side, no problem.

Bod43

wrote in message news: snipped-for-privacy@p10g2000cwp.googlegroups.com...

Hi,

qos pre-classify lets you classify traffic at the outbound interface by creating a temporary copy of the L3 and L4 headers of the original unencrypted packet.

IPsec in tunnel mode copies the IP ToS field from the inner to the outer IP header.

As I see it, you can either classify at the ingress interface or at the egress interface using qos pre-classify in your crypto map; if using GRE, "qos pre-classify" has to be applied to the tunnel interface as well.

Regards, Gabriele

Gabriele Beltrame
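Putting Mike's suggestion (classify on the inside interface, before NAT and encryption) together with Gabriele's note that tunnel-mode IPsec copies the ToS byte to the outer header, here is an added example configuration that is not the poster's config or any reply's own: it marks DSCP on Vlan1 input and queues by DSCP on Dialer0 output, so the egress policy no longer needs to see TCP ports inside the ESP packets. The class and policy names and the DSCP values (af31, af21) are assumptions; the two numbered ACLs are the ones from the original post.

```cisco
! Added example, not the poster's config. Class/policy names and
! DSCP values are assumptions chosen for illustration.
!
! Step 1: classify cleartext traffic where it enters the router (Vlan1),
! reusing the poster's ACL 100 (RDP, tcp/3389) and ACL 101 (telnet).
class-map match-all mark-rdp
 match access-group 100
class-map match-all mark-telnet
 match access-group 101
!
! An input policy can only mark; queuing actions such as
! "bandwidth" and "fair-queue" belong on the egress policy below.
policy-map mark-inside
 class mark-rdp
  set ip dscp af31
 class mark-telnet
  set ip dscp af21
!
interface Vlan1
 service-policy input mark-inside
!
! Step 2: the crypto map in tunnel mode copies the inner DSCP to the
! outer IP header, so the queuing policy matches DSCP on the encrypted
! packets instead of ports it can no longer see.
class-map match-all q-rdp
 match ip dscp af31
class-map match-all q-telnet
 match ip dscp af21
!
policy-map vw-policy-dscp
 class q-rdp
  bandwidth percent 30
 class q-telnet
  bandwidth percent 30
 class class-default
  fair-queue
!
interface Dialer0
 bandwidth 128
 service-policy output vw-policy-dscp
!
! ACLs taken from the original post, unchanged.
access-list 100 permit tcp 10.59.166.128 0.0.0.127 any eq 3389
access-list 101 permit tcp any any eq telnet
```

To confirm the marks survive encryption, "show policy-map interface Dialer0" should show packet counts increasing in q-rdp and q-telnet while RDP or telnet traffic crosses the tunnel; zero counts there with non-zero counts under "show policy-map interface Vlan1" point at the ToS copy or the egress match, not at the classification.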
