Configuring crypto map on physical and on tunnel interface

Apr 21st, 2009

I have one tunnel interface configured on a physical interface. When I configure the crypto map, should it be on the tunnel interface, on the physical interface, or on both? And what's the difference between them?

ahmed.el-sheikh Tue, 04/21/2009 - 23:44

Sorry, people... I found the solution, and it's listed here:

In IOS versions prior to 12.2(13)T, including all 12.2 mainline releases, in order to configure GRE over IPSec, that is, to encrypt GRE packets using IPSec as the L3 transport protocol, the crypto map needs to be applied to both the tunnel and the outbound physical interface. This requirement was historical when the initial IPSec implementation inherited it from Cisco Encryption Technology (CET), and has since been removed in 12.2(13)T and later. In this case the router could only do IPsec encryption after GRE encapsulation. The IPsec crypto ACL would be configured to match the GRE/IP encapsulated Data/IP packet, as shown here:

access-list permit gre host host

With the newer crypto implementation in 12.2(13)T and later, when a crypto map is applied to an interface, it always means crypto processing of the packet occurs before encapsulation on that interface, regardless of whether that is a physical interface or a GRE tunnel interface. This implies that for the GRE over IPSec configuration, the crypto map would only be applied to the outbound physical interface. It is no longer necessary to configure it on the tunnel. It also means now IPSec over GRE can be configured, that is, to transport IPSec packets inside of a GRE tunnel, by only applying the crypto map to the tunnel interface and configuring the IPSec crypto ACL to match data IP (clear-text) packets.
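As an added illustration (not from the original thread or from Cisco's document), here is a minimal pair of IOS 12.2(13)T-or-later configurations for the two placements the quoted text describes. Map and transform-set names, the pre-shared key and all addresses are constructed (RFC 5737 documentation ranges on the WAN side), and the two cases are alternatives, not meant to coexist on one router.

```cisco
! Added example, not from the original thread. Addresses, names and the
! pre-shared key are constructed placeholders.
!
! Shared ISAKMP/IPsec policy used by both cases below.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! --- Case 1: GRE over IPsec (encrypt the GRE packets). ---
! Crypto map only on the outbound physical interface; the crypto ACL
! matches the GRE traffic between the two tunnel endpoints.
crypto isakmp key EXAMPLE-PSK address 198.51.100.2
access-list 101 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map GRE-OVER-IPSEC 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address 101
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.2
 ! no crypto map here: since 12.2(13)T it is applied once, WAN side
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 crypto map GRE-OVER-IPSEC
!
! --- Case 2: IPsec over GRE (carry IPsec inside the tunnel). ---
! Crypto map only on the tunnel interface; the IPsec peer is the remote
! tunnel address and the crypto ACL matches the clear-text LAN traffic,
! which is encrypted first and then GRE-encapsulated on Tunnel0.
crypto isakmp key EXAMPLE-PSK address 10.0.0.2
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
!
crypto map IPSEC-OVER-GRE 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS
 match address 102
!
interface Tunnel0
 crypto map IPSEC-OVER-GRE
!
ip route 172.16.2.0 255.255.255.0 Tunnel0
```

In Case 2 the physical interface carries no crypto map at all, so a capture on the WAN link shows GRE packets whose payload is ESP.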
