vpn 3000 RRI

adam.baxter
Level 1

hi guys,

I've been working on establishing a VPN between a VPN 3000 and a Checkpoint. The problem I am having on the VPN 3000 is that if I don't select "reverse route injection" it won't establish the VPN.

I thought it may have been because the local LAN routes didn't exist on the VPN 3000, so I added statics to match the network lists, but it still wouldn't come up; as soon as I enable reverse route injection it works fine.

any ideas?

thanks

Adam Baxter.

Accepted Solution

ggilbert
Cisco Employee

Adam,

Take out the static routes and also disable reverse route injection.

Enable the logs on the concentrator for severity 1-13 for AUTH, AUTHDBG, IKE, IKEDBG, IPSEC & IPSECDBG.

Try to send ping for the interesting traffic. Capture logs and send them to this post, let me take a look at them and see if there is any issue that jumps out.

Cheers

gilbert


7 Replies

adam.baxter
Level 1

and i am trying to send a ping to bring up the tunnel.

Hi Adam,

Are you performing any load balancing stuff on the vpn concentrator?

Topology:

---------

lan1--(concentrator)-------(checkpoint)--Lan2

In the above topology, if you select RRI on the concentrator, a route for Lan2 networks will be forwarded by the concentrator to the Lan1 segments via the concentrator's private interface.

Hope it helps. Plz rate all helpful posts.

--Jaffer

no load balancing.

Well, please have a look at the following link to get an idea of Reverse route injection.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_rrie.htm


guys, i figured it out.... silly mistake

thanks for the help

James.Ren
Level 1

Dear Adam,

It seems to me that before you enable RRI, you need to enable routing in the Private port for redistributing stuff. There are three rules for injecting reverse routes. However, when you established a L-2-L VPN using Public interface you will find that VPN3000 uses the default gateway address as the next hop of the injected route, not the peer's address.

Cheers,

James Ren
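As an added illustration (not code from this thread, from Cisco, or from the VPN 3000 itself), the following Python model follows what Jaffer and James Ren describe above: when a LAN-to-LAN tunnel comes up with RRI enabled, the concentrator adds a route for each remote network in the network list, uses the public-side default gateway (not the peer address) as the next hop, and, if routing is enabled on the private port, redistributes those routes toward the private LAN; when the tunnel drops, the injected routes are withdrawn. The class and method names, the addresses and the network lists are all constructed for the example; real concentrator behaviour beyond what the thread states is not modelled.

```python
"""Toy model of reverse route injection (RRI) on a VPN concentrator.

Constructed example: a minimal routing table that shows which routes
exist with and without RRI, what their next hop is, and which of them
are advertised out the private interface.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str   # "connected" or an IPv4 address as a string
    source: str     # "connected", "static" or "rri"


class Concentrator:
    """Hypothetical concentrator with one private LAN and a default route
    out the public interface; not the VPN 3000 implementation."""

    def __init__(self, private_lan: str, public_default_gw: str,
                 private_routing_enabled: bool = True):
        self.public_default_gw = public_default_gw
        self.private_routing_enabled = private_routing_enabled
        self.routes = [
            Route(ip_network(private_lan), "connected", "connected"),
            Route(ip_network("0.0.0.0/0"), public_default_gw, "static"),
        ]

    def tunnel_up(self, remote_networks, rri_enabled: bool) -> None:
        """Tunnel established. With RRI, inject one route per remote
        network. The next hop is the public default gateway, not the
        peer's address, as James Ren notes for the VPN 3000."""
        if not rri_enabled:
            return
        for net in remote_networks:
            route = Route(ip_network(net), self.public_default_gw, "rri")
            if route not in self.routes:
                self.routes.append(route)

    def tunnel_down(self) -> None:
        """Tunnel dropped: injected routes are withdrawn, statics stay."""
        self.routes = [r for r in self.routes if r.source != "rri"]

    def lookup(self, dst: str) -> Route:
        """Longest-prefix match for a destination address."""
        addr = ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen)

    def advertised_to_private(self):
        """Routes redistributed out the private port toward Lan1: only the
        RRI routes, and only when routing on the private port is enabled."""
        if not self.private_routing_enabled:
            return []
        return [r for r in self.routes if r.source == "rri"]


if __name__ == "__main__":
    # Constructed addresses: Lan1 behind the private port, Lan2 behind the
    # Checkpoint, 203.0.113.1 as the public-side default gateway.
    c = Concentrator("10.1.0.0/16", "203.0.113.1")
    c.tunnel_up(["10.2.0.0/16"], rri_enabled=True)
    for r in c.advertised_to_private():
        print(f"advertised to Lan1: {r.prefix} via {r.next_hop} ({r.source})")
    c.tunnel_down()
    print("after tunnel down:", c.advertised_to_private())
```

The point the model makes visible is that RRI changes what the private-side routers learn, not how the concentrator itself forwards: the default route already sends Lan2 traffic out the public side, but without RRI (or static routes configured and redistributed by hand) nothing on Lan1 is told that Lan2 is reachable through the concentrator. A practitioner checking a deployment would confirm both that the injected routes appear while the tunnel is up and that they disappear when it drops.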
