Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

cryto map no set on tunnel

Good afternon

on router 1941/k9 [c1900-universalk9-mz.SPA.151-4.M2.bin]

and router 2911/k9 [c2900-universalk9-mz.SPA.152-1.T.bin]

I try to set crypto map, I type on tunnel configuration:

router(config-if)#crypto map VPN_AA_SS

% NOTE: crypto map is configured on tunnel interface.

        Currently only GDOI crypto map is supported on tunnel interface.

router displayed  above message that crypto map is set on tunnel, but crypto map doesnot apper configurated on tunnel with " show" command

router#sho crypto map

Crypto Map IPv4 "VPN_AA_SS" ipsec-isakmp

        Peer = 192.xx.xx.xx

        Extended IP access list 146

            access-list 146 permit gre host 192.xx.xx.xx host 192.xx.xx.xx

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                dd_BBBB_RRR:  { esp-3des esp-md5-hmac  } ,

        }

       Interfaces using crypto map VPN_AA_SS:

any interface has had configurate tunnel

With show access list 146, doesnot appers matches.

I checked with others configurations examples, all steps are configurated.

Thanksfull some help.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

Buenas noches

en router 1941/k9 [c1900-universalk9-mz.SPA.151-4.M2.bin]

y router 2911/k9 [c2900-universalk9-mz.SPA.152-1.T.bin]

se trata de configurar un "crypto map" dentro del tunnel

router(config-if)#crypto map VPN_AA_SS

% NOTE: crypto map is configured on tunnel interface.

        Currently only GDOI crypto map is supported on tunnel interface.

cuando se realiza el proceso de configuración, los routers indican que esta listo configurado, según el mensaje anterior, pero con el comando de "show crypto map" no aparece configurado en la interfaz tunnel:

router#sho crypto map

Crypto Map IPv4 "VPN_AA_SS" ipsec-isakmp

        Peer = 192.xx.xx.xx

        Extended IP access list 146

            access-list 146 permit gre host 192.xx.xx.xx host 192.xx.xx.xx

        Security association lifetime: 4608000 kilobytes/3600 seconds

        Responder-Only (Y/N): N

        PFS (Y/N): N

        Transform sets={

                dd_BBBB_RRR:  { esp-3des esp-md5-hmac  } ,

        }

        Interfaces using crypto map VPN_AA_SS:

cuando se aplica el "sho acces-list 146, tampoco muestra concordancias con la lista.

revise con otros ejemplos y todo esta configurado.

Se agradece cualqueir ayuda.

1 REPLY
Cisco Employee

cryto map no set on tunnel

The error message is correct. Crypto map on tunnel interface is something we were migrating customers away from for a long, long time.

The last time this was actually needed with in 12.3 mainline (AFAIR).

In newer IOSes this was actually causing problems.

Newer IOS releases will not allow crypto map on tunnel interfaces to be configured.

What are you deploying? GRE over IPsec/VTI configuration can be achieved by using tunnel protection on tunnel interface.

IPsec over GRE ... well consider if you trully want to implement it.

855
Views
0
Helpful
1
Replies