I've been working a bit on trying to see if I can do IPSec over a trunked interface and have come up pretty empty. I have the IPSec setup and working on other standard interfaces in the same router, but have run into a bump with the IOS interface not letting me configure the crypto map on the trunked interface.
Starting with (just relivant part of the config shown):
#ip cef
!
interface Vif1
no ip address
ip cef accounting non-recursive external
crypto map MYMAP
!
interface FastEthernet0/0/0.1
encapsulation dot1Q 1 native
ip address 30.70.10.7 255.255.255.0
!
interface FastEthernet0/0/0.2
encapsulation dot1Q 2
ip address 30.70.21.7 255.255.254.0
!
interface FastEthernet0/0/0.4
encapsulation dot1Q 4
ip address 30.70.40.7 255.255.255.0
!
interface FastEthernet0/0/0.5
encapsulation dot1Q 5
ip address 30.70.50.4 255.255.248.0
When I go to apply the crypto map to the FastEthernet0/0/0.4 interface, here is what I get:
r7(config-subif)#crypto map MYMAP
ERROR: The VIP interface must be configured with cef distributed switching before enabling encryption. Please configure this interface with cef distributed and route cache distributed switching then try again.
No biggie (I think), so I change the config to:
#ip cef distributed
then try again:
r7(config-subif)#crypto map MYMAP
ERROR: Cannot apply IPSEC crypto map with tag MYMAP to VIP interfaces.
Any thoughts on what the problem might be?
Thanks!