08-05-2011 04:44 AM - edited 02-21-2020 05:30 PM
Hi there,
we have multiple sites using GRE Tunnels with crypto map for encryption. On upgrading a UC-520 to the latest version (15.1(2)T4 or any version of this train) I get the following error:-
SIN-UC520(config-if)#crypto map aberdeen
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.
The original Tunnel config is below:-
interface Tunnel0
description Tunnel To Aberdeen HQ
bandwidth 512
ip unnumbered Vlan1
ip mtu 1420
qos pre-classify
tunnel source a.b.c.d
tunnel destination e.f.g.h
crypto map aberdeen
Downgrading the IOS to an earlier version fixes the problem. What gives? Have Cisco dropped support for this configuration?
I use this configuration so I can select exactly which traffic is to be encrypted (I do not encrypt voice for example).
Thanks,
Peter.
08-05-2011 09:51 AM
Hi Peter,
It looks like starting on 15.1 that configuration is no longer supported. Here's what the release notes say:
Error message is displayed when you try applying the tunnel interface to a crypto map.
Old Behavior: Error message is not displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.
New Behavior: An error message is displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.
http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html
The command reference has the following info about the error message:
A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283
So it looks like on the new version you can only use GDOI crypto maps (completely new to me) on your tunnel interfaces.
Here is a doc that explains the implementation of GDOI. I wish I could help with the configuration, but like I said, I hadn't heard of it until today.
I hope this clarifies your questions.
Raga
08-07-2011 04:48 PM
I'd be looking at your IOS. If the IOS filename has a "k" then crypto is supported.
08-07-2011 06:15 PM
But the previous IOS we are using is 150-1.XA3a ... and we don't seem to have any issues ....
08-07-2011 06:19 PM
Hi Alex,
Can you post the complete filename of the old and new IOS please?
08-07-2011 06:23 PM
Alex, Peter,
These changes were introduced in 15.1(1)T. A "T" train comes after the general release, so you are upgrading to a version that no longer supports crypto maps on tunnel interfaces unless they are GDOI.
Here are the release notes again:
http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html
Just search for crypto map and you will see it.
08-07-2011 06:25 PM
Hi leolaohoo,
old version, uc500-advipservicesK9-mz.150-1.XA3a
new version, uc500-advipservicesK9-mz.151-2.T4
08-07-2011 06:28 PM
Also, from the command ref:
Note: A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283
08-08-2011 06:19 AM
Thanks for the reply Luis,
I will have to review the docs and come up with a migration strategy. It seems a bit strange to remove this feature, I can't be the only one using it!
cheers
08-08-2011 08:27 AM
Peter, I agree with you, it's really weird, and I've seen other people doing it. So I have no idea of why Cisco did it.
I hope you can come up with a solution.
Have fun.
PS: Please remember to mark this question as answered and rate this post if helpful. Thanks!
11-20-2018 11:14 AM
To avoid this message you can create an IPsec profile and add "tunnel protection ipsec profile profile_name" under the tunnel interface.
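The workaround above written out as an added example (not from the thread or from Cisco): Peter's original Tunnel0 migrated from the rejected crypto map to an IPsec profile with tunnel protection. The ISAKMP policy, the transform-set and profile names ABERDEEN-SET and ABERDEEN-PROF, and the pre-shared key placeholder are assumptions; a.b.c.d and e.f.g.h are the placeholders from the original post.

```ios
! Added example, not the thread's own configuration. The original interface
! block is kept as posted; only the last line changes from "crypto map
! aberdeen" to "tunnel protection ipsec profile ...".
!
! IKE phase 1 (assumed policy; the thread does not show the original one).
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address e.f.g.h
!
! IKE phase 2: transport mode is enough because GRE already provides the
! outer tunnel header, and it keeps the IPsec overhead under the ip mtu 1420.
crypto ipsec transform-set ABERDEEN-SET esp-aes 256 esp-sha-hmac
 mode transport
!
! The profile replaces the crypto map as the thing that binds to the tunnel.
crypto ipsec profile ABERDEEN-PROF
 set transform-set ABERDEEN-SET
!
interface Tunnel0
 description Tunnel To Aberdeen HQ
 bandwidth 512
 ip unnumbered Vlan1
 ip mtu 1420
 qos pre-classify
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 tunnel protection ipsec profile ABERDEEN-PROF
!
! Caveat: tunnel protection encrypts every packet that leaves Tunnel0,
! whereas a crypto map selected traffic with an ACL. Traffic that must stay
! unencrypted (voice, in the original poster's design) needs a second,
! unprotected GRE tunnel or routing that bypasses Tunnel0.
! Verification (assumed commands, standard IOS):
!   show crypto isakmp sa        (phase 1 should be QM_IDLE)
!   show crypto ipsec sa          (encaps/decaps counters rising on Tunnel0)
```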