Symptom
Crypto maps are not supported on port-channel / tunnel interfaces/BDI interfaces, but CLI is not preventing unsupported configuration.
This is already documented here:
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-16-8/sec-sec-for-vpns-w-ipsec-xe-16-8-book/sec-cfg-vpn-ipsec.html
"Unsupported Interface Types
Crypto VPNs are not supported on the bridge domain interfaces (BDI).
Crypto maps are not supported on tunnel interface and port-channel interface." <=====
Conditions
Crypto map on port-channel interfaces or port-channel sub-interfaces or or BDI interfaces.
Workaround
a) Apply crypto maps on physical interfaces.
b) Migrate to Multi-SA VTI (requires IOS-XE 16.12 or higher):
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white-paper-c11-744879.html
Further Problem Description
This bug does NOT add support for crypto map under unsupported interfaces, it just blocks unsupported configuration. This feature will never be added as crypto maps, with an exception for GetVPN, are already marked for retirement:
https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-xe-17/bulletin-c25-744830.html
