Cisco Support Community

New Member

Configuring crypto map on physical and on tunnel interface

I have one tunnel interface configured on a physical interface. When I configure the crypto map, should it be on the tunnel interface, the physical interface, or both? And what's the difference between them?

New Member

Re: Configuring crypto map on physical and on tunnel interface

Sorry, people.... I found the solution and it's listed here:

In IOS versions prior to 12.2(13)T, including all 12.2 mainline releases, in order to configure GRE over IPsec, that is, to encrypt GRE packets using IPsec as the L3 transport protocol, the crypto map needed to be applied to both the tunnel and the outbound physical interface. This requirement was historical: the initial IPsec implementation inherited it from Cisco Encryption Technology (CET), and it has since been removed in 12.2(13)T and later. In this case the router could only do IPsec encryption after GRE encapsulation. The IPsec crypto ACL would be configured to match the GRE/IP-encapsulated data/IP packet, as shown here:

access-list <acl-number> permit gre host <tunnel-source> host <tunnel-destination>

With the newer crypto implementation in 12.2(13)T and later, when a crypto map is applied to an interface, it always means crypto processing of the packet occurs before encapsulation on that interface, regardless of whether that is a physical interface or a GRE tunnel interface. This implies that for the GRE over IPSec configuration, the crypto map would only be applied to the outbound physical interface. It is no longer necessary to configure it on the tunnel. It also means now IPSec over GRE can be configured, that is, to transport IPSec packets inside of a GRE tunnel, by only applying the crypto map to the tunnel interface and configuring the IPSec crypto ACL to match data IP (clear-text) packets.
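The following is an added worked configuration illustrating the post-12.2(13)T placement described above; it is not part of the thread or of the Cisco document quoted in it. All addresses, interface names, the map/transform-set names, the pre-shared key and the algorithm choices are assumed placeholder values (the AES/SHA-256 options assume an IOS release that offers them; substitute whatever your platform supports).

```cisco
! Added example (not from the thread or the quoted Cisco document).
! GRE over IPsec on IOS 12.2(13)T or later: the crypto map goes on the
! outbound physical interface only. All addresses, names, keys and
! algorithms below are assumed placeholder values.
!
! Phase 1 (ISAKMP) policy and the peer's pre-shared key
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK address 203.0.113.2
!
! Phase 2 transform set. Transport mode is sufficient because GRE already
! supplies the outer IP header; tunnel mode also works but adds another one.
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
!
! Crypto ACL: match the GRE packets between the tunnel endpoints, NOT the
! clear-text LAN traffic. Because the map sits on the physical interface,
! the packet has already been GRE-encapsulated when the ACL is evaluated,
! so an ACL written for the inner LAN addresses would never match here.
access-list 101 permit gre host 203.0.113.1 host 203.0.113.2
!
crypto map CM-GRE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-GRE
 match address 101
!
! GRE tunnel: no crypto map on this interface on 12.2(13)T and later
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.2
!
! Outbound physical interface carries the crypto map
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CM-GRE
!
! Route the remote LAN into the tunnel so it is GRE-encapsulated before
! the physical interface's crypto map sees it
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Alternative layout (IPsec over GRE, i.e. IPsec packets carried inside the
! GRE tunnel): apply "crypto map CM-GRE" under interface Tunnel0 instead of
! GigabitEthernet0/0, and have the crypto ACL match the clear-text networks:
!   access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! On the tunnel interface crypto processing happens before GRE encapsulation,
! so the ACL must describe the inner (unencapsulated) packets.
```

To check that the map is bound where intended and that traffic actually matches, use `show crypto map` (lists the interface each map is applied to), `show crypto isakmp sa` (Phase 1 state with the peer) and `show crypto ipsec sa` (the `#pkts encaps`/`#pkts decaps` counters). If the counters stay at zero while the tunnel passes traffic, the usual cause is a crypto ACL written for the wrong encapsulation level relative to the interface the map is on.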