Reverse route injection (RRI) problem on IOS 12.4(20)

Dec 23rd, 2009

I recently upgraded one of my VPN routers to IOS 12.4(20) and RRI no longer worked.

Previously it was on IOS 12.4(4).

Relevant old config:


crypto map IPSec-VPN1 122 ipsec-isakmp
set peer 165.228.173.218
set ip access-group 132 in
set transform-set AES256 CHELTENHAM
match address REFRIGERATE
reverse-route tag 5

!

route-map RRI permit 10
match tag 5
!

router eigrp 100
redistribute static metric 1000 100 255 1 1500 route-map RRI


When upgraded to 12.4(20), I noticed the "reverse-route tag 5" line had been dropped from the config.

So after investigation I changed the crypto map to:


crypto map IPSec-VPN1 122 ipsec-isakmp
set peer 165.228.173.218
set ip access-group 132 in
set transform-set AES256 CHELTENHAM

set reverse-route tag 5
match address REFRIGERATE

reverse-route remote-peer 165.228.173.218


This seemed to be OK, as a route was established and I could see it through my EIGRP network.


But no traffic was passed from my VPN router (encrypted traffic 0).

I could not ping the remote site.


I reverted back to static routing, removed the reverse-route statements, and traffic passed OK.

Is anything else required to be configured when running RRI on 12.4(20)?

Richard Bradfield Wed, 12/23/2009 - 16:00

Looks like I have solved my own problem.

In the crypto map, the reverse-route remote-peer command really refers to the local gateway.

See the extract from the doco below.

I thought "remote peer" referred to the peer as in the "set peer" command in the crypto map,

so I changed it to the next hop address for the VPN tunnel (my internet gateway).

It now works OK.

If the command read "reverse-route gateway" it would make a lot more sense!

Gateway Option

This RRI gateway option is relevant to the crypto map only.

This option allows you to configure unique next hops or gateways for remote tunnel endpoints. The option is identical to the way the reverse-route remote-peer {ip-address} command worked prior to Cisco IOS Release 12.3(14)T in that two routes are created for each VPN tunnel. The first route is to the destination-protected subnet via the remote tunnel endpoint. The second route specifies the next hop to be taken to reach this tunnel endpoint. This RRI gateway option allows specific default paths to be specified for specific groups of VPN connections on platforms that support recursive route lookups.

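The documentation extract above says the gateway option installs two routes per tunnel and relies on recursive route lookup. The following is an added example, not code from the original thread or from Cisco, that models those two routes in a small routing table and resolves them recursively. Only the peer address 165.228.173.218 is taken from the posted crypto map; the remote protected subnet, the outside interface network and the internet gateway are constructed placeholders. It illustrates why the argument has to be the next hop towards the tunnel endpoint rather than the endpoint itself: a route for the peer whose next hop is the peer can never land on a connected interface. This is the behaviour of the model, not a statement about how that IOS release handled the route internally.

```python
import ipaddress

# Added example, not from the original post or Cisco documentation.
# Only PEER comes from the posted crypto map; the other addresses are
# constructed placeholders standing in for the poster's network.
PEER = "165.228.173.218"
REMOTE_SUBNET = "10.20.0.0/24"     # assumed: what "match address REFRIGERATE" protects
OUTSIDE_NET = "203.0.113.0/30"     # assumed: connected network on the outside interface
INTERNET_GW = "203.0.113.1"        # assumed: the router's upstream next hop

# Routing-table entry: (prefix, next_hop, tag). next_hop is either an IP
# address (resolved recursively) or an interface name prefixed "connected:".
BASE_TABLE = [
    (OUTSIDE_NET, "connected:outside", None),
    ("0.0.0.0/0", INTERNET_GW, None),   # plain default route to the internet
]


def rri_routes(next_hop_for_peer, tag=5):
    """The two routes the RRI gateway option installs for one tunnel."""
    return [
        (REMOTE_SUBNET, PEER, tag),               # protected subnet via tunnel endpoint
        (PEER + "/32", next_hop_for_peer, tag),   # how to reach that endpoint
    ]


def lookup(table, dest):
    """Longest-prefix match for dest; returns the entry or None."""
    addr = ipaddress.ip_address(dest)
    best, best_len = None, -1
    for entry in table:
        net = ipaddress.ip_network(entry[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = entry, net.prefixlen
    return best


def resolve(table, dest, max_depth=8):
    """Recursive lookup: follow next hops until a connected interface is hit.
    Returns the interface name, or None if the chain loops or runs out."""
    seen = set()
    current = dest
    for _ in range(max_depth):
        entry = lookup(table, current)
        if entry is None:
            return None
        next_hop = entry[1]
        if next_hop.startswith("connected:"):
            return next_hop.split(":", 1)[1]
        if next_hop in seen:          # next hop points back at itself
            return None
        seen.add(next_hop)
        current = next_hop
    return None


def tagged_for_redistribution(table, tag):
    """Mirror of 'route-map RRI permit 10 / match tag 5': prefixes EIGRP sees."""
    return [prefix for prefix, _, t in table if t == tag]


def check(next_hop_for_peer):
    """Exit interface for a constructed host behind the peer, or None."""
    table = BASE_TABLE + rri_routes(next_hop_for_peer)
    return resolve(table, "10.20.0.10")   # constructed host in REMOTE_SUBNET


if __name__ == "__main__":
    # reverse-route remote-peer <peer>: the /32 for the peer points at itself
    print("next hop = peer    ->", check(PEER))
    # reverse-route remote-peer <internet gateway>: resolves to the outside interface
    print("next hop = gateway ->", check(INTERNET_GW))
    print("tagged for EIGRP   ->",
          tagged_for_redistribution(BASE_TABLE + rri_routes(INTERNET_GW), 5))
```

With the peer given as its own next hop the lookup for 10.20.0.10 reaches the peer's /32, whose next hop is the peer again, and the resolver gives up; the same tagged prefixes are still what the route-map would hand to EIGRP, which matches the symptom of a route being visible but no traffic flowing. With the internet gateway as next hop the chain ends on the connected outside network.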