Beginner

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Hi there,

we have multiple sites using GRE tunnels with a crypto map for encryption. On upgrading a UC-520 to the latest version (15.1(2)T4, or any version of this train) I get the following error:

SIN-UC520(config-if)#crypto map aberdeen
% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

The original Tunnel config is below:

interface Tunnel0
 description Tunnel To Aberdeen HQ
 bandwidth 512
 ip unnumbered Vlan1
 ip mtu 1420
 qos pre-classify
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 crypto map aberdeen

Downgrading the IOS to an earlier version fixes the problem.   What gives?  Have Cisco dropped support for this configuration?

I use this configuration so I can select exactly which traffic is to be encrypted (I do not encrypt voice for example). 

Thanks,
Peter.

ACCEPTED SOLUTION
Enthusiast

Hi Peter,

It looks like starting with 15.1 that configuration is no longer supported. Here's what the release notes say:

Error message is displayed when you try applying the tunnel interface to a crypto map.

Old Behavior: Error message is not displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

New Behavior: An error message is displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html

The command reference has the following info about the error message:

A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283

So it looks like on the new version you can only use a GDOI crypto map (completely new to me) on your tunnel interfaces.

Here is a doc that explains the implementation of GDOI. I wish I could help with the configuration, but like I said, I hadn't heard of it until today.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

I hope this clarifies your questions. 

Raga

Hall of Fame Community Legend

I'd be looking at your IOS.  If the IOS filename has a "k" then crypto is supported.

But the previous IOS we are using is 150-1.XA3a ... and we don't seem to have any issues ....

Hall of Fame Community Legend

Hi Alex,

Can you post the complete filename of the old and new IOS please?


Alex, Peter,

These changes were introduced on 15.1(1)T. A "T" train comes after the general release, so you are upgrading to a version that no longer supports crypto maps on tunnel interfaces unless they are GDOI.

Here are the release notes again:

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html

Just search for crypto map and you will see it.


Hi leolaohoo,

old version, uc500-advipservicesK9-mz.150-1.XA3a

new version, uc500-advipservicesK9-mz.151-2.T4


Also, from the command ref:

Note: A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283


Thanks for the reply Luis,

I will have to review the docs and come up with a migration strategy. It seems a bit strange to remove this feature, I can't be the only one using it!

cheers


Peter, I agree with you, it's really weird, and I've seen other people doing it. So I have no idea why Cisco did it.

I hope you can come up with a solution. 

Have fun.

Beginner

To avoid this message you can create an IPsec profile and add "tunnel protection ipsec profile profile_name" under the tunnel interface.
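The last reply points at the migration path: define an IPsec profile and apply it with tunnel protection instead of a crypto map. The script below is an added example, not code from anyone in this thread. It parses a running-config, lists every tunnel interface that carries a non-GDOI crypto map (the check to run on a box before moving it to 15.1T), and generates the equivalent IPsec profile plus tunnel protection lines for one tunnel. The embedded config is constructed: Tunnel0, the aberdeen map and the description come from Peter's post, while the RFC 5737 addresses, the transform-set, ACL, PSK and profile names and the GET VPN entry on Tunnel1 are assumptions.

```python
"""
Pre-upgrade check for the 15.1T behaviour discussed in the thread, plus a
migration helper that turns a per-tunnel crypto map into an IPsec profile
applied with "tunnel protection ipsec profile".

Added example, not code from the thread. SAMPLE_CONFIG is constructed:
Tunnel0, the "aberdeen" map and its description come from the original
post; addresses (RFC 5737), transform-set, ACL, PSK and profile names
and the GDOI entry on Tunnel1 are assumptions.
"""
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 198.51.100.1
!
crypto ipsec transform-set ABERDEEN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto map aberdeen 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ABERDEEN-TS
 match address ABERDEEN-CRYPTO
!
crypto map getvpn 10 gdoi
 set group GETVPN-GROUP
!
interface Tunnel0
 description Tunnel To Aberdeen HQ
 bandwidth 512
 ip unnumbered Vlan1
 ip mtu 1420
 qos pre-classify
 tunnel source 192.0.2.10
 tunnel destination 198.51.100.1
 crypto map aberdeen
!
interface Tunnel1
 description GET VPN member (GDOI map, still accepted on 15.1T)
 ip unnumbered Vlan1
 tunnel source 192.0.2.10
 tunnel destination 203.0.113.5
 crypto map getvpn
!
interface FastEthernet0/0
 ip address 192.0.2.10 255.255.255.0
 crypto map aberdeen
"""


def parse_sections(config):
    """Split an IOS running-config into (header, [sub-command]) sections.
    Top-level commands start in column 0; their sub-commands are indented."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            if sections:
                sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections


def gdoi_map_names(sections):
    """Names of crypto maps whose entries are defined as GDOI (the one kind
    the 15.1T error message still allows on a tunnel interface)."""
    names = set()
    for header, _ in sections:
        m = re.match(r"crypto map (\S+) \d+ gdoi$", header)
        if m:
            names.add(m.group(1))
    return names


def find_tunnel_crypto_maps(config):
    """Return [(interface, map_name)] for every tunnel interface carrying a
    non-GDOI crypto map, i.e. exactly the lines 15.1(1)T and later reject."""
    sections = parse_sections(config)
    gdoi = gdoi_map_names(sections)
    hits = []
    for header, children in sections:
        if not header.startswith("interface Tunnel"):
            continue
        iface = header.split(None, 1)[1]
        for line in children:
            m = re.match(r"crypto map (\S+)$", line)
            if m and m.group(1) not in gdoi:
                hits.append((iface, m.group(1)))
    return hits


def migration_config(config, iface, map_name):
    """Generate the replacement for one tunnel: an IPsec profile built from
    the crypto map's transform-set(s) and PFS setting, applied with tunnel
    protection. "set peer" and "match address" are deliberately dropped: the
    peer is the tunnel destination, and tunnel protection covers all traffic
    in the tunnel. The profile name <MAP>-PROF is an assumption."""
    sections = parse_sections(config)
    transform_sets, pfs = [], None
    pattern = rf"crypto map {re.escape(map_name)} \d+ ipsec-isakmp$"
    for header, children in sections:
        if not re.match(pattern, header):
            continue
        for line in children:
            if line.startswith("set transform-set "):
                transform_sets.extend(line.split()[2:])
            elif line.startswith("set pfs "):
                pfs = line.split()[2]
    if not transform_sets:
        raise ValueError(f"crypto map {map_name} has no transform-set")
    profile = f"{map_name.upper()}-PROF"
    lines = [f"crypto ipsec profile {profile}",
             f" set transform-set {' '.join(dict.fromkeys(transform_sets))}"]
    if pfs:
        lines.append(f" set pfs {pfs}")
    lines += ["!",
              f"interface {iface}",
              f" no crypto map {map_name}",
              f" tunnel protection ipsec profile {profile}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for iface, name in find_tunnel_crypto_maps(SAMPLE_CONFIG):
        print(f"{iface}: crypto map {name} will be rejected on 15.1T")
        print(migration_config(SAMPLE_CONFIG, iface, name))
```

Two things the generated snippet cannot solve for you. A crypto map's set peer and match address have no counterpart in the profile: the peer is the tunnel destination, and tunnel protection encrypts everything that enters the tunnel, so the selective encryption Peter gets from the ACL (voice in the clear) has to come from keeping that traffic off the protected tunnel instead. And once the peer is handled by tunnel protection, the entry for it in the crypto map on the physical interface is no longer needed.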