
crypto map (interface IPsec) get removed after upgrading the IOS

Ab26
Level 1

I tried to upgrade the IOS of a VPN router to 17.9 and the crypto map (interface IPsec) got removed on the Port-Channel interface.

crypto map VPN 55 ipsec-isakmp
 set peer 10.10.10.1
 set transform-set IPsec-proposalX
 set ikev2-profile IKE-ProfileX
 match address IP_ACLX
!
interface Port-Channel32
 vrf forwarding frontdoor
 ip address 55.55.55.5 255.255.255.240
 crypto map VPN <= this command on Port-Channel !!!


Ab26
Level 1

It makes sense! I've only tried this type of config on version 16.9 and it was not available.

Ab26
Level 1

@Rob Ingram @MHM Cisco World 
I have been testing the configuration changes in my lab as per the recommendation from Cisco.

Unfortunately, the reverse route injected for the ACL disappears if the router reloads. Has anyone experienced the same problem? I can't find a known bug for this symptom.

Here's the configuration:

Reverse Route Injection problem
-----------------------------
Traditional config:
-----------------
crypto ikev2 profile IKEv2-Profile
 match fvrf frontdoor
 match address local 11.11.11.1
 match identity remote address 11.11.11.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ike-key
 lifetime 600
 ivrf Cust_VRF
!
ip access-list extended Cust_ACL
 10 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
!
crypto map VPN 5 ipsec-isakmp
 set peer 11.11.11.2
 set transform-set IPsec-TransSet
 set pfs group24
 set ikev2-profile IKEv2-Profile
 match address Cust_ACL
 reverse-route remote-peer 11.11.11.2 static
!
interface GigabitEthernet0/0/5
 vrf forwarding frontdoor
 ip address 11.11.11.1 255.255.255.0
 crypto map VPN
!
ip route vrf frontdoor 0.0.0.0 0.0.0.0 11.11.11.2
ip route vrf Cust_VRF 11.11.11.2 255.255.255.255 GigabitEthernet0/0/5 11.11.11.2
!

VPN-Router#sh ip route vrf Cust_VRF static
11.0.0.0/32 is subnetted, 1 subnets
S 11.11.11.2 [1/0] via 11.11.11.2, GigabitEthernet0/0/5
20.0.0.0/24 is subnetted, 1 subnets
S 20.20.20.0 [1/0] via 11.11.11.2, GigabitEthernet0/0/5  => this one via ACL
VPN-Router#
---------------------------------------------------------------------
After changing to VTI:
----------------------
no crypto map VPN 5 ipsec-isakmp
!
interface GigabitEthernet0/0/5
 no crypto map
!
crypto ikev2 profile IKEv2-Profile
 no ivrf
!
crypto ipsec profile IPsec-Profile
 set transform-set IPsec-TransSet
 set pfs group24
 set ikev2-profile IKEv2-Profile
 reverse-route remote-peer 11.11.11.2 static
!
interface Tunnel1
 vrf forwarding Cust_VRF
 ip address 192.168.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source 11.11.11.1
 tunnel mode ipsec ipv4
 tunnel destination 11.11.11.2
 tunnel vrf frontdoor
 tunnel protection ipsec policy ipv4 Cust_ACL
 tunnel protection ipsec profile IPsec-Profile
---

VPN-Router#sh ip route vrf Cust_VRF static
11.0.0.0/32 is subnetted, 1 subnets
S 11.11.11.2 [1/0] via 11.11.11.2, GigabitEthernet0/0/5
VPN-Router#

----------------------------------------------------

Am I missing something here?

It seems to work fine when I add a static route:

ip route vrf Cust_VRF 20.20.20.0 255.255.255.0 Tunnel1

Do I have to use this route? Cisco documentation does not mention this step.
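A quick check for the symptom described above, added here as an example and not part of the post or of any Cisco tooling: it derives the destinations that RRI should install from the crypto ACL and diffs them against the static routes in a captured "show ip route vrf Cust_VRF static", so a missing 20.20.20.0/24 after the VTI migration or a reload is flagged rather than eyeballed. It assumes only the "seq permit ip SRC WILD DST WILD" ACE form used in the post and the two route-table formats shown there.

```python
import ipaddress
import re

# Constructed sample inputs, copied from the ACL and the two route tables shown in the post.
CUST_ACL = """
ip access-list extended Cust_ACL
 10 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
"""
ROUTES_CRYPTO_MAP = """
11.0.0.0/32 is subnetted, 1 subnets
S 11.11.11.2 [1/0] via 11.11.11.2, GigabitEthernet0/0/5
20.0.0.0/24 is subnetted, 1 subnets
S 20.20.20.0 [1/0] via 11.11.11.2, GigabitEthernet0/0/5
"""
ROUTES_VTI = """
11.0.0.0/32 is subnetted, 1 subnets
S 11.11.11.2 [1/0] via 11.11.11.2, GigabitEthernet0/0/5
"""

# Assumption: only the 'seq permit ip SRC WILD DST WILD' ACE form from the post is handled.
ACE_RE = re.compile(r"^\s*\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SUBNET_HDR_RE = re.compile(r"^\s*\S+/(\d+) is subnetted")  # header line carries the mask
STATIC_RE = re.compile(r"^\s*S\*?\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+\[")  # 'S prefix [ad/metric]'

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network; the wildcard is the inverted mask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def expected_rri_destinations(acl_text):
    """RRI installs one static route per ACE destination, so those are the prefixes to expect."""
    return {wildcard_to_network(m.group(3), m.group(4))
            for m in map(ACE_RE.match, acl_text.splitlines()) if m}

def static_routes(show_output):
    """Parse 'show ip route vrf X static' output into a set of static prefixes."""
    prefixes, current_len = set(), None
    for line in show_output.splitlines():
        hdr = SUBNET_HDR_RE.match(line)
        if hdr:
            current_len = int(hdr.group(1))  # following routes omit the mask; use the header's
            continue
        m = STATIC_RE.match(line)
        if m and (m.group(2) or current_len is not None):
            length = int(m.group(2)) if m.group(2) else current_len
            prefixes.add(ipaddress.IPv4Network(f"{m.group(1)}/{length}", strict=False))
    return prefixes

def missing_rri_routes(acl_text, show_output):
    """ACE destinations with no static route in the VRF table; an empty set means RRI is intact."""
    return expected_rri_destinations(acl_text) - static_routes(show_output)

if __name__ == "__main__":
    print("crypto map:", missing_rri_routes(CUST_ACL, ROUTES_CRYPTO_MAP))  # set()
    print("VTI:", missing_rri_routes(CUST_ACL, ROUTES_VTI))  # {IPv4Network('20.20.20.0/24')}
```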

I never tried using RRI under an IPsec profile.

Let me check this.

MHM