IPSec не скрывает информацию IAX2

Я пытаюсь настроить безопасное транковое соединение IAX2 с IPSec между маршрутизаторами:

Но когда я делаю нюхающую атаку с помощью wireshark, вся информация о звонке показывается!

IPsec хорошо настроен и отлично работает с http-пакетами, но не влияет на IAX2.

Конфигурация R3:

! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R3 ! boot-start-marker boot-end-marker ! ! no aaa new-model no ip icmp rate-limit unreachable ! ! ip cef no ip domain lookup ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ip tcp synwait-time 5 !  ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key cisco@123 address 100.100.100.101 ! ! crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac  ! crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp  set peer 100.100.100.101 set transform-set MY-SET  match address VPN-TRAFFIC ! ! ! ! interface FastEthernet0/0 ip address 192.168.10.1 255.255.255.0 ip nat inside ip virtual-reassembly duplex half ! interface FastEthernet1/0 ip address 100.100.100.100 255.255.255.248 ip nat outside ip virtual-reassembly duplex half crypto map IPSEC-SITE-TO-SITE-VPN ! ip route 0.0.0.0 0.0.0.0 200.200.200.200 ip route 0.0.0.0 0.0.0.0 100.100.100.101 ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface FastEthernet1/0 overload ip nat inside source list 101 interface FastEthernet1/0 overload ip nat inside source static tcp 192.168.10.2 4569 100.100.100.100 4569 extendable ip nat inside source static tcp 192.168.10.2 5060 100.100.100.100 5060 extendable ip nat inside source static tcp 192.168.10.2 5061 100.100.100.100 5061 extendable ! ! ip access-list extended VPN-TRAFFIC permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 access-list 101 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 access-list 101 permit ip 192.168.10.0 0.0.0.255 any no cdp log mismatch duplex ! ! ! ! control-plane ! ! ! ! ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line vty 0 4 login ! ! end 

Конфигурация R4:

! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname R4 ! boot-start-marker boot-end-marker ! ! no aaa new-model no ip icmp rate-limit unreachable ! ! ip cef no ip domain lookup ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ! ip tcp synwait-time 5 !  ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key cisco@123 address 100.100.100.100 ! ! crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac  ! crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp  set peer 100.100.100.100 set transform-set MY-SET  match address VPN-TRAFFIC ! ! ! ! interface FastEthernet0/0 ip address 192.168.20.1 255.255.255.0 ip nat inside ip virtual-reassembly duplex half ! interface FastEthernet1/0 ip address 100.100.100.101 255.255.255.248 ip nat outside ip virtual-reassembly duplex half crypto map IPSEC-SITE-TO-SITE-VPN ! ip route 0.0.0.0 0.0.0.0 100.100.100.100 ! no ip http server no ip http secure-server ! ip nat inside source list 1 interface FastEthernet1/0 overload ip nat inside source list 101 interface FastEthernet1/0 overload ip nat inside source static tcp 192.168.20.2 4569 100.100.100.101 4569 extendable ip nat inside source static tcp 192.168.20.2 5060 100.100.100.101 5060 extendable ip nat inside source static tcp 192.168.20.2 5061 100.100.100.101 5061 extendable ! ! ip access-list extended VPN-TRAFFIC permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 access-list 101 permit ip 192.168.20.0 0.0.0.255 any no cdp log mismatch duplex ! ! ! ! control-plane ! ! ! ! ! ! gatekeeper shutdown ! ! line con 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line aux 0 exec-timeout 0 0 privilege level 15 logging synchronous stopbits 1 line vty 0 4 login ! ! end