Problem with GRE over IPsec with IOS Version 15.1(2)T4

Answered Question
Aug 5th, 2011

Hi there,

we have multiple sites using GRE Tunnels with crypto map for encryption. On upgrading a UC-520 to the latest version (15.1(2)T4 or any version of this train) I get the following error:

SIN-UC520(config-if)#crypto map aberdeen
% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

The original Tunnel config is below:

interface Tunnel0
 description Tunnel To Aberdeen HQ
 bandwidth 512
 ip unnumbered Vlan1
 ip mtu 1420
 qos pre-classify
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 crypto map aberdeen

Downgrading the IOS to an earlier version fixes the problem. What gives? Have Cisco dropped support for this configuration?

I use this configuration so I can select exactly which traffic is to be encrypted (I do not encrypt voice for example). 

Thanks,
Peter.

Correct Answer by raga.fusionet about 3 years 11 months ago

Hi Peter,

It looks like starting on 15.1 that configuration is no longer supported. Here's what the release notes say:

Error message is displayed when you try applying the tunnel interface to a crypto map.

Old Behavior: Error message is not displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

New Behavior: An error message is displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html

The command reference has the following info about the error message:

A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283

So it looks like on the new version you can only use GDOI crypto maps (completely new to me) on your tunnel interfaces.

Here is a doc that explains the implementation of GDOI. I wish I could help with the configuration but, like I said, I hadn't heard of it until today.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

I hope this clarifies your questions. 

Raga
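A pre-upgrade check for the condition Raga quotes, added here as an example and not taken from the thread or from Cisco: it parses an IOS running-config and lists every tunnel interface carrying a crypto map that was not defined with the gdoi keyword, which is exactly what the 15.1(2)T interface command now rejects. The sample config is constructed from Peter's Tunnel0 stanza; the getvpn map, Tunnel1 and their addresses are assumptions for contrast.

```python
import re

# Constructed sample: Peter's Tunnel0 stanza plus an assumed GDOI map and
# a second tunnel using it, so both the failing and the allowed case appear.
SAMPLE_CONFIG = """\
crypto map aberdeen 10 ipsec-isakmp
 set peer e.f.g.h
 match address 101
crypto map getvpn 10 gdoi
 set group GDOI-GROUP
!
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 crypto map aberdeen
!
interface Tunnel1
 tunnel source a.b.c.d
 tunnel destination i.j.k.l
 crypto map getvpn
"""

def gdoi_map_names(config):
    """Names of crypto maps whose entries use the gdoi keyword (still allowed)."""
    return set(re.findall(r"^crypto map (\S+) \d+ gdoi\b", config, re.M))

def tunnel_crypto_maps(config):
    """Map each tunnel interface to the crypto map applied under it."""
    result, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:  # new stanza: only track it if it is a tunnel interface
            current = m.group(1) if m.group(1).lower().startswith("tunnel") else None
            continue
        m = re.match(r"^\s+crypto map (\S+)", line)  # indented = interface-level
        if current and m:
            result[current] = m.group(1)
    return result

def unsupported_tunnel_maps(config):
    """Tunnel interfaces whose crypto map is not GDOI: rejected on 15.1(2)T+."""
    gdoi = gdoi_map_names(config)
    return {i: n for i, n in tunnel_crypto_maps(config).items() if n not in gdoi}

if __name__ == "__main__":
    for intf, name in sorted(unsupported_tunnel_maps(SAMPLE_CONFIG).items()):
        print(f"{intf}: crypto map {name} will be rejected after the upgrade")
```

Run it against `show running-config` output saved to a file before scheduling the upgrade; every interface it lists needs a migration plan first.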

Leo Laohoo Sun, 08/07/2011 - 16:48

I'd be looking at your IOS. If the IOS filename has a "k" then crypto is supported.

alexheng81 Sun, 08/07/2011 - 18:15

But the previous IOS we are using is 150-1.XA3a ... and we don't seem to have any issues ....

Leo Laohoo Sun, 08/07/2011 - 18:19

Hi Alex,

Can you post the complete filename of the old and new IOS please?

alexheng81 Sun, 08/07/2011 - 18:25

Hi leolaohoo,

old version, uc500-advipservicesK9-mz.150-1.XA3a

new version, uc500-advipservicesK9-mz.151-2.T4

raga.fusionet Sun, 08/07/2011 - 18:28

Also, from the command ref:

Note: A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283

pierrescotland Mon, 08/08/2011 - 06:19

Thanks for the reply Luis,

I will have to review the docs and come up with a migration strategy. It seems a bit strange to remove this feature, I can't be the only one using it!

cheers

raga.fusionet Mon, 08/08/2011 - 08:27

Peter, I agree with you, it's really weird, and I've seen other people doing it. So I have no idea why Cisco did it.

I hope you can come up with a solution. 

Have fun.

PS: Please remember to mark this question as answered and rate this post if helpful. Thanks!
