ASA QoS on VPN
I am used to configuring VPN QoS on the ASA for a specific L2L or remote access tunnel based on the tunnel group and IP flow match criteria, like this:
match tunnel-group X.X.X.X
match flow ip destination-address
My question would be: what do the above match criteria accomplish? Do they match all ESP (or UDP 4500) traffic coming/going from the specific tunnel group specified in the match criteria? Or do they actually look at the flow without the ESP header (unencrypted)?
I am asking this because I am wondering if you can do QoS on L2L or RA VPNs using a "match access list" command, to apply QoS not to the entire incoming VPN flow but only to certain users/IPs on that flow.