We have multiple sites using GRE tunnels with crypto map for encryption. On upgrading a UC-520 to the latest version (15.1(2)T4 or any version of this train) I get the following error:-
SIN-UC520(config-if)#crypto map aberdeen
% NOTE: crypto map is configured on tunnel interface.
Currently only GDOI crypto map is supported on tunnel interface.
The original Tunnel config is below:-
description Tunnel To Aberdeen HQ
ip unnumbered Vlan1
ip mtu 1420
tunnel source a.b.c.d
tunnel destination e.f.g.h
crypto map aberdeen
Downgrading the IOS to an earlier version fixes the problem. What gives? Have Cisco dropped support for this configuration?
I use this configuration so I can select exactly which traffic is to be encrypted (I do not encrypt voice for example).
It looks like starting on 15.1 that configuration is no longer supported. Here's what the release notes say:
Error message is displayed when you try applying the tunnel interface to a crypto map.
Old Behavior: Error message is not displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.
New Behavior: An error message is displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.
The command reference has the following info about the error message:
A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.
So it looks like on the new version you can only use GDOI crypto maps (completely new to me) on your tunnel interfaces.
Here is a doc that explains the implementation of GDOI. I wish I could help with the configuration, but like I said, I hadn't heard of it until today.
I hope this clarifies your questions.
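
A pre-upgrade check for the situation in this thread, added here as an example (not code from either poster or from Cisco): it scans a saved running-config for tunnel interfaces that carry a non-GDOI crypto map. The sample config, the interface and sequence numbers and the GETVPN map are constructed, and the script assumes definition lines of the form "crypto map <name> <seq> <type>".

```python
import re

# Constructed sample running-config (interface numbers, sequence numbers and
# the second map "GETVPN" are assumptions, not taken from the thread).
SAMPLE_CONFIG = """\
crypto map aberdeen 10 ipsec-isakmp
crypto map GETVPN 10 gdoi
!
interface Tunnel0
 description Tunnel To Aberdeen HQ
 ip unnumbered Vlan1
 crypto map aberdeen
!
interface Tunnel1
 crypto map GETVPN
!
interface FastEthernet0/0
 crypto map aberdeen
"""

def crypto_map_types(config):
    """Map each crypto map name to the set of entry types it contains."""
    types = {}
    for m in re.finditer(r"^crypto map (\S+) \d+ (\S+)", config, re.M):
        types.setdefault(m.group(1), set()).add(m.group(2).lower())
    return types

def tunnel_crypto_maps(config):
    """Yield (interface, map_name) for crypto maps applied to tunnel interfaces."""
    iface = None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level line starts a new stanza
            m = re.match(r"interface (\S+)", line)
            iface = m.group(1) if m else None
        elif iface and iface.lower().startswith("tunnel"):
            m = re.match(r"\s+crypto map (\S+)", line)
            if m:
                yield iface, m.group(1)

def audit(config):
    """Return tunnel interfaces whose crypto map is not purely GDOI."""
    types = crypto_map_types(config)
    return [(i, n, sorted(types.get(n, {"undefined"})))
            for i, n in tunnel_crypto_maps(config)
            if types.get(n) != {"gdoi"}]

if __name__ == "__main__":
    for iface, name, kinds in audit(SAMPLE_CONFIG):
        print(f"{iface}: non-GDOI crypto map {name} ({', '.join(kinds)})")
```

Running it against each site's saved config before the upgrade lists the tunnels that will hit the error quoted above; the physical interface with the same map is deliberately not reported.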