vpn 3000 RRI

Answered Question
May 28th, 2007

Hi guys,

I've been working on establishing a VPN between a VPN 3000 and a Checkpoint. The problem I am having on the VPN 3000 is that if I don't select "reverse route injection" it won't establish the VPN.

I thought it may have been because the local LAN routes didn't exist on the VPN 3000, so I added statics to match the network lists, but it still wouldn't come up; as soon as I enable reverse route injection it works fine.

Any ideas?

Thanks

Adam Baxter.



adam.baxter Mon, 05/28/2007 - 02:23

And I am trying to send a ping to bring up the tunnel.

jaffer_sathik2010 Mon, 05/28/2007 - 03:35

Hi Adam,

Are you performing any load balancing stuff on the VPN concentrator?

Topology:

---------

lan1--(concentrator)-------(checkpoint)--Lan2

In the above topology, if you select RRI on the concentrator, a route for the Lan2 networks will be forwarded by the concentrator to the Lan1 segments via the concentrator's private interface.

Hope it helps. Please rate all helpful posts.

--Jaffer


Correct Answer
ggilbert (Cisco Employee) Tue, 05/29/2007 - 05:09

Adam,

Take out the static routes and also disable reverse route injection.

Enable the logs on the concentrator for severity 1-13 for AUTH, AUTHDBG, IKE, IKEDBG, IPSEC & IPSECDBG.

Try to send a ping for the interesting traffic. Capture the logs and send them to this post; let me take a look at them and see if there is any issue that jumps out.

Cheers

gilbert

adam.baxter Wed, 05/30/2007 - 20:52

Guys, I figured it out... silly mistake.

Thanks for the help.

James.Ren Fri, 06/01/2007 - 23:05

Dear Adam,

It seems to me that before you enable RRI, you need to enable routing on the Private port for redistributing stuff. There are three rules for injecting reverse routes. However, when you establish an L-2-L VPN using the Public interface you will find that the VPN 3000 uses the default gateway address as the next hop of the injected route, not the peer's address.

Cheers,

James Ren
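The two explanations in this thread (Jaffer's: RRI pushes a route for the Lan2 networks into the Lan1 side via the private interface; James's: the injected route's next hop on the concentrator is the public default gateway, not the peer) can be checked with a small routing-table model. The following is an added example written for this page, not code from the original posts or from Cisco; the topology, addresses (10.1.0.0/16, 10.2.0.0/16, 203.0.113.0/24, 192.0.2.1) and the behaviour of the `scenario`, `inject_reverse_routes` and `advertise_to_private` helpers are assumptions made for the illustration. It shows why adding statics on the concentrator alone (what the original poster tried first) does not change where a Lan1 router sends traffic for Lan2, whereas RRI plus routing on the private interface does.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed topology (an assumption for this illustration, not the poster's network):
#   LAN1 10.1.0.0/16 --[R1]-- 10.1.255.0/24 --[concentrator private 10.1.255.1]
#   concentrator public 203.0.113.10/24, default gateway 203.0.113.1
#   Checkpoint peer on the far side of the Internet fronting LAN2 10.2.0.0/16
CONC_PRIVATE = "10.1.255.1"
CONC_DEFAULT_GW = "203.0.113.1"
R1_DEFAULT_GW = "192.0.2.1"          # R1's own edge firewall, not the concentrator
REMOTE_NETWORKS = ["10.2.0.0/16"]    # the L2L "remote network list"

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, next hop or interface label)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over a small routing table, as any router does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, nh in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best[1] if best else None


def inject_reverse_routes(remote_networks: List[str], default_gw: str) -> List[Route]:
    """Model of RRI on the concentrator: one route per remote network, with the
    public interface's default gateway as next hop (James Ren's observation),
    not the IPsec peer address."""
    return [(ipaddress.ip_network(n), default_gw) for n in remote_networks]


def advertise_to_private(injected: List[Route], private_addr: str) -> List[Route]:
    """What a LAN1 router learns once the injected routes are redistributed by
    a routing protocol on the private interface: same prefixes, next hop is
    the concentrator's private address (Jaffer's point)."""
    return [(prefix, private_addr) for prefix, _ in injected]


def trace(r1_table: List[Route], conc_table: List[Route], dst: str):
    """Follow a LAN1 packet toward dst. Only traffic that actually reaches the
    concentrator can match the L2L network list and bring the tunnel up."""
    hop1 = lookup(r1_table, dst)
    if hop1 != CONC_PRIVATE:
        return ("bypasses-concentrator", hop1)
    return ("reaches-concentrator", lookup(conc_table, dst))


def scenario(rri_enabled: bool, static_on_concentrator: bool = False):
    """Build both tables for one configuration and trace a LAN1 -> LAN2 packet."""
    conc_table: List[Route] = [
        (ipaddress.ip_network("10.1.255.0/24"), "private"),
        (ipaddress.ip_network("203.0.113.0/24"), "public"),
        (ipaddress.ip_network("0.0.0.0/0"), CONC_DEFAULT_GW),
    ]
    r1_table: List[Route] = [
        (ipaddress.ip_network("10.1.0.0/16"), "connected"),
        (ipaddress.ip_network("10.1.255.0/24"), "connected"),
        (ipaddress.ip_network("0.0.0.0/0"), R1_DEFAULT_GW),
    ]
    if static_on_concentrator:
        # Statics on the concentrator itself: they only change the concentrator's
        # own table, so R1 still knows nothing about LAN2.
        conc_table += [(ipaddress.ip_network(n), CONC_DEFAULT_GW) for n in REMOTE_NETWORKS]
    if rri_enabled:
        injected = inject_reverse_routes(REMOTE_NETWORKS, CONC_DEFAULT_GW)
        conc_table += injected
        r1_table += advertise_to_private(injected, CONC_PRIVATE)
    return trace(r1_table, conc_table, "10.2.4.7")


if __name__ == "__main__":
    for rri, static in [(False, False), (False, True), (True, False)]:
        print(f"RRI={rri} static_on_concentrator={static}: {scenario(rri, static)}")
```

Running it prints that with RRI off, with or without statics on the concentrator, the LAN1 router sends 10.2.4.7 to its own default gateway and the concentrator never sees the interesting traffic; with RRI on, the packet reaches the concentrator, whose own route for 10.2.0.0/16 points at 203.0.113.1 (the public default gateway), after which the L2L SA, not the routing table, decides that it is encrypted toward the peer. Whether this was the original poster's "silly mistake" is not stated in the thread; the model only shows what each of the two knobs changes.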
