Deactivating crypto lists to modify IPSec VPN parameters

Last Updated: Apr 10, 2018

About this task

Most IPSec VPN parameters cannot be modified if they are linked to an active crypto list.

Procedure

  1. To modify a parameter linked to an active crypto list, you must first deactivate the list using the no ip crypto-group command in the context of the interface on which the crypto list is activated.
    Note:

    If the crypto list is activated on more than one interface, deactivate the crypto list for each of the interfaces on which it is activated.

    For example:

    Gxxx-001# interface serial 3/1
    Gxxx-001(if:serial 3/1)# no ip crypto-group
    Done!
  2. After modifying the IPSec VPN parameters as desired, re-activate the crypto list on the interface using the ip crypto-group crypto-list-id command, where crypto-list-id is the ID of the crypto list.

    For example:

    Gxxx-001# interface serial 3/1
    Gxxx-001(if:serial 3/1)# ip crypto-group 901
    Done!