
New Member

crypto map command on tunnel interface - a no-no?

There is an IOS config note that says:

"IOS Configuration Note: With Cisco IOS Software Release 12.2(13)T and later codes (higher numbered T-train codes, Cisco IOS Software Release 12.3 and later codes) the configured IPSec "crypto map" only needs to be applied to the physical interface. It is no longer required to be applied on the GRE tunnel interface. Having the "crypto map" on the physical and tunnel interface when you use the Cisco IOS Software Release 12.2.(13)T and later codes still works. However, it is highly recommended to apply it only on the physical interface."

I'm curious as to why it is "Highly recommended". I can't find out if it's CPU intensive or any real reason. I have several T-train IOS loads and I have the command on all tunnel, as well as physical, interfaces, and I don't see a problem with it.

Any ideas?



Hall of Fame Super Silver

Re: crypto map command on tunnel interface - a no-no?


When I started configuring IPSec with GRE tunnels it was required that the crypto map be on both the physical interface and the tunnel interface. Then the IOS enhancement came along where it was only required on the physical interface and not required on the tunnel. For a while I kept the crypto map on the tunnel interface. I confirm that things still worked with the crypto map on the tunnel (permitted but not required).

I believe that having the crypto map on both the physical interface and the tunnel interface increases the overhead processing on the router (though I never got anything that I could measure objectively). And I am pretty sure that it complicates the negotiation of Security Associations (the output of my show crypto ipsec sa got shorter). I have now removed the crypto map from the tunnel interface and believe that life is better.

I have been told by TAC engineers that it is better to have the crypto map only on the physical interface. I believe that this is good advice.
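As an added example (not code from either poster), a small Python audit that parses an IOS running-config and flags any crypto map applied under a Tunnel interface, the "permitted but not recommended" case the IOS note describes; the embedded config, the VPNMAP name, the addresses and the access list are all constructed.

```python
"""Audit an IOS config for 'crypto map' applied to GRE tunnel interfaces."""

# Constructed sample config (not from the thread): the crypto map is applied on
# both the physical interface and the GRE tunnel, which the IOS note says still
# works on 12.2(13)T and later but is not recommended.
SAMPLE_CONFIG = """\
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 crypto map VPNMAP
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP
!
access-list 101 permit gre host 203.0.113.1 host 203.0.113.2
"""


def interface_crypto_maps(config):
    """Return {interface_name: crypto_map_name} for every interface block
    that applies a crypto map. Top-level 'crypto map ... ipsec-isakmp'
    definitions are outside any interface block and are skipped."""
    result = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            current = None          # '!' ends the interface block
        elif current and line.strip().startswith("crypto map "):
            result[current] = line.split()[2]
    return result


def tunnel_crypto_maps(config):
    """Tunnel* interfaces that carry a crypto map. The fix, per the IOS note,
    is 'no crypto map <name>' under the tunnel, keeping it on the physical interface."""
    return {name: cmap for name, cmap in interface_crypto_maps(config).items()
            if name.lower().startswith("tunnel")}


if __name__ == "__main__":
    for name, cmap in tunnel_crypto_maps(SAMPLE_CONFIG).items():
        print(f"{name}: crypto map {cmap} applied; recommended on the physical interface only")
```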



New Member

Re: crypto map command on tunnel interface - a no-no?


Thanks for your input. I'll have to test this out in my lab today. I have many tunnels in the production network that have in fact the crypto map command on both physical and tunnel interfaces. We'll see how it goes.