Re: Configuring crypto map on physical and on tunnel interface
People here, sorry .... I found the solution and it's listed here:
In IOS versions prior to 12.2(13)T, including all 12.2 mainline releases, in order to configure GRE over IPSec, that is, to encrypt GRE packets using IPSec as the L3 transport protocol, the crypto map needs to be applied to both the tunnel and the outbound physical interface. This requirement was historical: the initial IPSec implementation inherited it from Cisco Encryption Technology (CET), and it has since been removed in 12.2(13)T and later. In this case the router could only do IPsec encryption after GRE encapsulation. The IPsec crypto ACL would be configured to match the GRE/IP encapsulated Data/IP packet, as shown here:
access-list permit gre host host
With the newer crypto implementation in 12.2(13)T and later, when a crypto map is applied to an interface, it always means crypto processing of the packet occurs before encapsulation on that interface, regardless of whether that is a physical interface or a GRE tunnel interface. This implies that for the GRE over IPSec configuration, the crypto map would only be applied to the outbound physical interface. It is no longer necessary to configure it on the tunnel. It also means now IPSec over GRE can be configured, that is, to transport IPSec packets inside of a GRE tunnel, by only applying the crypto map to the tunnel interface and configuring the IPSec crypto ACL to match data IP (clear-text) packets.
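To make the post-12.2(13)T behaviour concrete, here is one router's side of a GRE-over-IPsec setup written the way the quoted text describes: the crypto map sits only on the outbound physical interface and the crypto ACL matches the GRE packet between the tunnel endpoints. This is an added example, not configuration from the original post or from Cisco's document; the hostnames, addresses (192.0.2.x WAN, 172.16.0.x tunnel, 10.x LANs), ACL numbers, map/transform-set names and the pre-shared key are all hypothetical, and the peer router is configured as the mirror image. The ISAKMP policy uses AES-256 and DH group 14, which need a release that supports them (older 12.2T code offers only groups 1, 2 and 5).

```cisco
! Added example (not from the original post): GRE over IPsec on IOS
! 12.2(13)T or later. Crypto map on the physical WAN interface ONLY.
! All names, addresses and the pre-shared key are hypothetical.
!
! Router A: WAN 192.0.2.1, peer WAN 192.0.2.2
! LAN behind A: 10.1.0.0/24, LAN behind B: 10.2.0.0/24
!
hostname RouterA
!
! IKE phase 1: pre-shared key authentication to the peer's WAN address
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto isakmp key ExamplePreSharedKey address 192.0.2.2
!
! IKE phase 2 / IPsec transform set (tunnel mode is the default)
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: match the GRE/IP packet that exists AFTER tunnel
! encapsulation (IP protocol 47 between the tunnel endpoints),
! NOT the clear-text LAN-to-LAN traffic.
access-list 101 permit gre host 192.0.2.1 host 192.0.2.2
!
crypto map CM-GRE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES256
 match address 101
!
! GRE tunnel: no "crypto map" here on 12.2(13)T+. The packet is GRE
! encapsulated first, then hits the WAN interface's crypto map.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
!
interface FastEthernet0/0
 description WAN uplink
 ip address 192.0.2.1 255.255.255.0
 crypto map CM-GRE
!
! Route the remote LAN into the tunnel so traffic gets GRE encapsulated
ip route 10.2.0.0 255.255.255.0 Tunnel0
```

After sending traffic, check with "show crypto map" that CM-GRE is bound only to FastEthernet0/0, and with "show crypto ipsec sa" that the local/remote identities are the two WAN hosts with protocol 47 and that the encaps/decaps counters increase; if the counters stay at zero while the tunnel is up, the crypto ACL is not matching the GRE packet. For the IPsec-over-GRE variant the quoted text also describes, the crypto map moves to Tunnel0, the crypto ACL matches the clear-text LAN prefixes instead of GRE, and the IKE/IPsec peer becomes the far end's tunnel address rather than its WAN address, since the ESP packet is now carried inside GRE. On current IOS and IOS XE, "tunnel protection ipsec profile" on the tunnel interface is the preferred way to protect GRE and avoids crypto maps and crypto ACLs altogether.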