Problem with GRE over IPsec with IOS Version 15.1(2)T4

Hi there,

We have multiple sites using GRE tunnels with crypto map for encryption. On upgrading a UC-520 to the latest version (15.1(2)T4 or any version of this train) I get the following error:

SIN-UC520(config-if)#crypto map aberdeen
% NOTE: crypto map is configured on tunnel interface.
        Currently only GDOI crypto map is supported on tunnel interface.

The original Tunnel config is below:

interface Tunnel0
 description Tunnel To Aberdeen HQ
 bandwidth 512
 ip unnumbered Vlan1
 ip mtu 1420
 qos pre-classify
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 crypto map aberdeen

Downgrading the IOS to an earlier version fixes the problem. What gives? Have Cisco dropped support for this configuration?

I use this configuration so I can select exactly which traffic is to be encrypted (I do not encrypt voice for example). 

Thanks,
Peter.

1 ACCEPTED SOLUTION

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Hi Peter,

It looks like starting on 15.1 that configuration is no longer supported. Here's what the release notes say:

Error message is displayed when you try applying the tunnel interface to a crypto map.

Old Behavior: Error message is not displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

New Behavior: An error message is displayed when you try applying the tunnel interface to a crypto map using the crypto map (interface IPSec) command.

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html

The command reference has the following info about the error message:

A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283

So it looks like on the new version you can only use GDOI crypto maps (completely new to me) on your tunnel interfaces.

Here is a doc that explains the implementation of GDOI. I wish I could help with the configuration but, like I said, I hadn't heard of it until today.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6811/prod_white_paper0900aecd804c363f.html

I hope this clarifies your questions. 

Raga

9 REPLIES

Hall of Fame Super Gold

Problem with GRE over IPsec with IOS Version 15.1(2)T4

I'd be looking at your IOS.  If the IOS filename has a "k" then crypto is supported.

New Member

Problem with GRE over IPsec with IOS Version 15.1(2)T4

But the previous IOS we are using is 150-1.XA3a ... and we don't seem to have any issues ....

Hall of Fame Super Gold

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Hi Alex,

Can you post the complete filename of the old and new IOS please?

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Alex, Peter,

These changes were introduced on 15.1(1)T. A "T" train comes after the general release, so you are upgrading to a version that no longer supports crypto maps on tunnel interfaces unless they are GDOI.

Here are the release notes again:

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html

Just search for crypto map and you will see it.

New Member

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Hi leolaohoo,

old version, uc500-advipservicesK9-mz.150-1.XA3a

new version, uc500-advipservicesK9-mz.151-2.T4

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Also, from the command ref:

Note: A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.

http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_c4.html#wp1078283

New Member

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Thanks for the reply Luis,

I will have to review the docs and come up with a migration strategy. It seems a bit strange to remove this feature, I can't be the only one using it!

cheers

Problem with GRE over IPsec with IOS Version 15.1(2)T4

Peter, I agree with you, it's really weird, and I've seen other people doing it.  So I have no idea of why Cisco did it.

I hope you can come up with a solution. 

Have fun.

PS: Please remember to mark this question as answered and rate this post if helpful. Thanks!
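
For planning the migration discussed in this thread, a pre-upgrade audit can list every tunnel interface that carries a crypto map and check whether a target image falls in the train that rejects it. This is an added example, not part of the original posts or Cisco tooling; the function names and the sample config are constructed, and only the 15.1(1)T cutoff stated in the thread is modelled (later release trains are not covered).

```python
import re

# Constructed sample: the tunnel stanza from the question plus two extra
# interfaces, using the same placeholder addresses as the original post.
SAMPLE_CONFIG = """\
interface Tunnel0
 description Tunnel To Aberdeen HQ
 ip unnumbered Vlan1
 tunnel source a.b.c.d
 tunnel destination e.f.g.h
 crypto map aberdeen
!
interface FastEthernet0/0
 crypto map aberdeen
!
interface Tunnel1
 tunnel source a.b.c.d
!
"""

def tunnel_crypto_maps(config_text):
    """Return [(interface, map_name)] for crypto maps applied to Tunnel interfaces."""
    hits, current = [], None
    for line in config_text.splitlines():
        if line and not line[0].isspace():
            # A non-indented line starts a new top-level stanza.
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
        elif current and current.lower().startswith("tunnel"):
            m = re.match(r"\s+crypto map\s+(\S+)", line)
            if m:
                hits.append((current, m.group(1)))
    return hits

def parse_image(filename):
    """Split an image name such as ...-mz.151-2.T4 into (major, minor, maint, train)."""
    m = re.search(r"\.(\d{2})(\d)-(\d+)\.([A-Za-z]+)", filename)
    if not m:
        raise ValueError("unrecognised image name: " + filename)
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).upper()

def rejects_tunnel_crypto_map(filename):
    """True for 15.1(1)T and later 15.1 T images (assumption: cutoff as given in the thread)."""
    major, minor, maint, train = parse_image(filename)
    return (major, minor) == (15, 1) and train == "T" and maint >= 1
```

Run `tunnel_crypto_maps` over each site's saved configuration before upgrading; any hit on an image for which `rejects_tunnel_crypto_map` is true needs a migration plan first.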
