crypto map not set on tunnel

lizandrocisco
Level 1

Good afternoon

on router 1941/k9 [c1900-universalk9-mz.SPA.151-4.M2.bin]

and router 2911/k9 [c2900-universalk9-mz.SPA.152-1.T.bin]

I am trying to set a crypto map. In the tunnel configuration I type:

router(config-if)#crypto map VPN_AA_SS

% NOTE: crypto map is configured on tunnel interface.

        Currently only GDOI crypto map is supported on tunnel interface.

The router displayed the above message saying that the crypto map is set on the tunnel, but the crypto map does not appear configured on the tunnel with the "show" command:

router#sho crypto map

Crypto Map IPv4 "VPN_AA_SS" ipsec-isakmp

        Peer = 192.xx.xx.xx

        Extended IP access list 146

            access-list 146 permit gre host 192.xx.xx.xx host 192.xx.xx.xx

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                dd_BBBB_RRR:  { esp-3des esp-md5-hmac  } ,

        }

       Interfaces using crypto map VPN_AA_SS:

No interface appears as configured, including the tunnel.

With show access list 146, no matches appear.

I checked against other configuration examples; all the steps are configured.

Thankful for any help.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Good evening

On router 1941/k9 [c1900-universalk9-mz.SPA.151-4.M2.bin]

and router 2911/k9 [c2900-universalk9-mz.SPA.152-1.T.bin]

I am trying to configure a "crypto map" inside the tunnel

router(config-if)#crypto map VPN_AA_SS

% NOTE: crypto map is configured on tunnel interface.

        Currently only GDOI crypto map is supported on tunnel interface.

When the configuration is applied, the routers indicate that it has been configured, according to the message above, but with the "show crypto map" command it does not appear configured on the tunnel interface:

router#sho crypto map

Crypto Map IPv4 "VPN_AA_SS" ipsec-isakmp

        Peer = 192.xx.xx.xx

        Extended IP access list 146

            access-list 146 permit gre host 192.xx.xx.xx host 192.xx.xx.xx

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                dd_BBBB_RRR:  { esp-3des esp-md5-hmac  } ,

        }

        Interfaces using crypto map VPN_AA_SS:

When "sho access-list 146" is run, it does not show any matches against the list either.

I checked against other examples and everything is configured.

Any help is appreciated.

1 Reply

Marcin Latosiewicz
Cisco Employee

The error message is correct. Crypto map on tunnel interface is something we were migrating customers away from for a long, long time.

The last time this was actually needed was in 12.3 mainline (AFAIR).

In newer IOSes this was actually causing problems.

Newer IOS releases will not allow crypto map on tunnel interfaces to be configured.

What are you deploying? GRE over IPsec/VTI configuration can be achieved by using tunnel protection on tunnel interface.

IPsec over GRE ... well, consider if you truly want to implement it.
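
One way to apply the tunnel protection mentioned in the reply, as an added example that is not part of the original thread and is not Cisco's own configuration. It reuses the transform set name shown in the post; the profile name GRE_PROTECT, the Tunnel0 number, the tunnel IP address and GigabitEthernet0/0 are assumptions, and an ISAKMP policy and key for the peer are assumed to exist already.

```cisco
! Before (as in the post): crypto map applied under the tunnel interface.
! The router prints the GDOI note and the map is not bound to the tunnel.
!   interface Tunnel0
!    crypto map VPN_AA_SS
!
! After: an IPsec profile replaces the crypto map. No peer statement and no
! access-list 146 are needed, because the traffic to protect is derived
! from the tunnel source and destination.
crypto ipsec profile GRE_PROTECT
 set transform-set dd_BBBB_RRR
!
! Tunnel0, 10.0.0.1 and GigabitEthernet0/0 are placeholders for illustration.
! 192.xx.xx.xx is the masked peer address from the post.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.xx.xx.xx
 tunnel protection ipsec profile GRE_PROTECT
!
! For a static VTI instead of GRE over IPsec, also add under Tunnel0:
!   tunnel mode ipsec ipv4
!
! Checks after applying the matching configuration on both routers:
!   show crypto ipsec sa
!   show interface Tunnel0
```

The peer router needs the same profile and a mirrored tunnel source and destination; the encaps and decaps counters in `show crypto ipsec sa` should increase once traffic crosses the tunnel.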