I have a 3945 router (15.5(3)M5) deployed as an IPsec point-to-point tunnel gateway supporting over 300 fixed IP remote connections.
I need to ensure that no single IPsec tunnel consumes more than 4 megabits of bandwidth.
I found a possible solution in the per-flow admission feature, as described in chapter 8 of the QoS: Congestion Management Configuration Guide, Cisco IOS Release 15M&T: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/qos_conmgt/configuration/15-mt/qos-conmgt-15-mt-book/qos-conmgt-per-flow-admission.html
However, my tests indicate that “metadata flow” does not recognize IKE SAs as admitted flows, even after configuring “crypto call admission limit ike sa 500”.
Is there a way to configure per-flow admission to support per-tunnel QoS, or does this feature work with voice and video applications only?