Problem with GRE over IPsec with IOS Version 15.1(2)T4

pierrescotland (Level 1)

Hi there,

We have multiple sites using GRE tunnels with a crypto map for encryption. On upgrading a UC-520 to the latest version (15.1(2)T4, or any version of this train) I get the following error:

SIN-UC520(config-if)#crypto map aberdeen
% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

The original Tunnel config is below:

interface Tunnel0
 description Tunnel To Aberdeen HQ
 bandwidth 512
 ip unnumbered Vlan1
 ip mtu 1420
 qos pre-classify
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 crypto map aberdeen

Downgrading the IOS to an earlier version fixes the problem. What gives? Have Cisco dropped support for this configuration?

I use this configuration so I can select exactly which traffic is to be encrypted (I do not encrypt voice, for example).

Thanks,
Peter.

Accepted Solution

raga.fusionet (Level 4)

Hi Peter,

It looks like starting on 15.1 that configuration is no longer supported. Here's what the release notes say:

"Error message is displayed when you try applying the tunnel interface to a crypto map.

Old Behavior: Error message is not displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

New Behavior: An error message is displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command."

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html

The command reference has the following info about the error message:

"A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface."

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283

So it looks like on the new version you can only use GDOI crypto maps (completely new to me) on your tunnel interfaces.

Here is a doc that explains the implementation of GDOI. I wish I could help with the configuration but, like I said, I hadn't heard of it until today.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

I hope this clarifies your questions. 

Raga

Replies

Leo Laohoo (Hall of Fame)

I'd be looking at your IOS. If the IOS filename has a "k" then crypto is supported.

But the previous IOS we are using is 150-1.XA3a ... and we don't seem to have any issues ....

Hi Alex,

Can you post the complete filename of the old and new IOS please?

Alex, Peter,

These changes were introduced in 15.1(1)T. A "T" train comes after the general release, so you are upgrading to a version that no longer supports crypto maps on tunnel interfaces unless they are GDOI.

Here are the release notes again:

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html

Just search for crypto map and you will see it.

Hi leolaohoo,

old version: uc500-advipservicesK9-mz.150-1.XA3a
new version: uc500-advipservicesK9-mz.151-2.T4

Also, from the command ref:

"Note: A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface."

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283

Thanks for the reply, Luis.

I will have to review the docs and come up with a migration strategy. It seems a bit strange to remove this feature; I can't be the only one using it!

Cheers

Peter, I agree with you, it's really weird, and I've seen other people doing it. So I have no idea why Cisco did it.

I hope you can come up with a solution. 

Have fun.

PS: Please remember to mark this question as answered and rate this post if helpful. Thanks!

f.mbomda (Level 1)

To avoid this message you can create an IPsec profile and add "tunnel protection ipsec profile profile_name" under the tunnel interface.
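A migration target for Peter's Tunnel0 along the lines f.mbomda suggests, written as an added example rather than configuration taken from any post in this thread: the same GRE tunnel, but encrypted by an IPsec profile bound with "tunnel protection" instead of a crypto map on the tunnel interface. The tunnel description, the source and destination addresses a.b.c.d / e.f.g.h and the name "aberdeen" come from Peter's original config; the ISAKMP policy number, the cipher choices, the transform-set and profile names and the pre-shared key placeholder are assumptions for illustration and should be adjusted to the platform's supported algorithms and the site's key material.

```ios
! Added example, not from the original thread.
! Phase 1: ISAKMP policy and pre-shared key for the Aberdeen peer.
! (Policy number, algorithms and DH group are assumptions.)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address e.f.g.h
!
! Phase 2: transform set in transport mode. GRE already provides the
! outer IP header, so tunnel mode would only add a second one.
crypto ipsec transform-set ABERDEEN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! IPsec profile: the replacement for "crypto map aberdeen" on Tunnel0.
! No crypto ACL is needed; the profile protects everything the tunnel
! carries, with the GRE endpoints as the proxy identities.
crypto ipsec profile ABERDEEN-PROF
 set transform-set ABERDEEN-TS
!
! Tunnel0 as in Peter's post, with the crypto map line replaced by
! "tunnel protection". The far end needs the mirror-image configuration.
interface Tunnel0
 description Tunnel To Aberdeen HQ
 bandwidth 512
 ip unnumbered Vlan1
 ip mtu 1420
 qos pre-classify
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 tunnel protection ipsec profile ABERDEEN-PROF
!
! Verification after both sides are configured:
!   show crypto session          - expect the peer e.f.g.h in state UP-ACTIVE
!   show crypto ipsec sa         - expect #pkts encaps/decaps counters rising
```

Two things to check before committing to this layout. First, "tunnel protection" encrypts every packet that enters Tunnel0, so it does not reproduce the selective encryption Peter relies on (leaving voice in the clear): keeping that behaviour means carrying the unencrypted traffic over a separate, unprotected GRE tunnel and steering it there by routing or policy-based routing, which is a design change rather than a one-line swap. Second, transport mode and the ESP/SHA overhead mean the tunnel MTU still matters; the 1420 above is carried over from the original post and should be confirmed against the actual path with a do-not-fragment ping before voice is moved onto the new tunnel.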
