IPSec 不隱藏 IAX2 訊息

我正在嘗試在路由器之間使用 IPSec 設定安全的 IAX2 連線：

但是當我用wireshark進行嗅探攻擊時，所有呼叫的資訊都會顯示！

IPsec 配置良好，並且與 http 封包完美配合，但對 IAX2 沒有影響。

R3配置：

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco@123 address 100.100.100.101
!
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac 
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp 
 set peer 100.100.100.101
 set transform-set MY-SET 
 match address VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface FastEthernet1/0
 ip address 100.100.100.100 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex half
 crypto map IPSEC-SITE-TO-SITE-VPN
!
ip route 0.0.0.0 0.0.0.0 200.200.200.200
ip route 0.0.0.0 0.0.0.0 100.100.100.101
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
ip nat inside source static tcp 192.168.10.2 4569 100.100.100.100 4569 extendable
ip nat inside source static tcp 192.168.10.2 5060 100.100.100.100 5060 extendable
ip nat inside source static tcp 192.168.10.2 5061 100.100.100.100 5061 extendable
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end

R4配置：

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
no ip icmp rate-limit unreachable
!
!
ip cef
no ip domain lookup
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco@123 address 100.100.100.100
!
!
crypto ipsec transform-set MY-SET esp-aes esp-md5-hmac 
!
crypto map IPSEC-SITE-TO-SITE-VPN 10 ipsec-isakmp 
 set peer 100.100.100.100
 set transform-set MY-SET 
 match address VPN-TRAFFIC
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.20.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex half
!
interface FastEthernet1/0
 ip address 100.100.100.101 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex half
 crypto map IPSEC-SITE-TO-SITE-VPN
!
ip route 0.0.0.0 0.0.0.0 100.100.100.100
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface FastEthernet1/0 overload
ip nat inside source list 101 interface FastEthernet1/0 overload
ip nat inside source static tcp 192.168.20.2 4569 100.100.100.101 4569 extendable
ip nat inside source static tcp 192.168.20.2 5060 100.100.100.101 5060 extendable
ip nat inside source static tcp 192.168.20.2 5061 100.100.100.101 5061 extendable
!
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny   ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
no cdp log mismatch duplex
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 stopbits 1
line vty 0 4
 login
!
!
end