Is IPSec over dot1q sub-interface possible?

sheidelbach
Level 1

I've been working a bit on trying to see if I can do IPSec over a trunked interface and have come up pretty empty. I have the IPSec setup and working on other standard interfaces in the same router, but have run into a bump with the IOS interface not letting me configure the crypto map on the trunked interface.

Starting with (just relevant part of the config shown):

#ip cef
!
interface Vif1
 no ip address
 ip cef accounting non-recursive external
 crypto map MYMAP
!
interface FastEthernet0/0/0.1
 encapsulation dot1Q 1 native
 ip address 30.70.10.7 255.255.255.0
!
interface FastEthernet0/0/0.2
 encapsulation dot1Q 2
 ip address 30.70.21.7 255.255.254.0
!
interface FastEthernet0/0/0.4
 encapsulation dot1Q 4
 ip address 30.70.40.7 255.255.255.0
!
interface FastEthernet0/0/0.5
 encapsulation dot1Q 5
 ip address 30.70.50.4 255.255.248.0

When I go to apply the crypto map to the FastEthernet0/0/0.4 interface, here is what I get:

r7(config-subif)#crypto map MYMAP

ERROR: The VIP interface must be configured with cef distributed switching before enabling encryption. Please configure this interface with cef distributed and route cache distributed switching then try again.

No biggie (I think), so I change the config to:

#ip cef distributed

then try again:

r7(config-subif)#crypto map MYMAP

ERROR: Cannot apply IPSEC crypto map with tag MYMAP to VIP interfaces.

Any thoughts on what the problem might be?

Thanks!

1 Reply

wong34539
Level 6

I do not think this is currently supported, you cannot configure IPSec on a trunk port.