Regarding RRI

I have a site-to-site IPsec tunnel between two IOS routers, and in the crypto map I have reverse-route added. Let's say that crypto map's match address permits its source network access to two remote subnets. If traffic is generated to only one of the remote subnets, will it inject a static route for just that network, or for both?

Sample config:

crypto map WAN_VPN 30 ipsec-isakmp
 set peer
 set transform-set Remote-Office
 set pfs group2
 match address VPN-TRAFFIC

ip access-list extended VPN-TRAFFIC
 permit ip
 permit ip

If I'm pinging continuously, it will inject a static route for that subnet, but will it also inject one for as well, since both are on the same ACL?

m.kafka Wed, 05/26/2010 - 06:55

Hi Jack,

here is a detailed description of RRI:

Basically it will do (citation from above link):

Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.

For static crypto maps, routes are always present if RRI is configured on an applied crypto map. In Cisco IOS Release 12.3(14)T, the default behavior—of routes always being present for a static map—will not apply unless the static keyword is added to the reverse-route command.

The command lookup tool has additional information for reverse-route (All IOS Commands).

So check your version and give it a try.

Rgds, MiKa

PS to answer directly your question:

No, RRI will not inject a route for if you're using something newer than 12.3(14)T. If you add the "static" keyword on newer IOS versions, it will inject both routes regardless of the state of the tunnel.
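To make the rule in the quoted text concrete, here is a small model of RRI for a static crypto map. It is an added example, not Cisco code and not part of the original thread: it parses the match ACL, derives one candidate route per remote proxy network (the destination of each permit entry) with the peer as next hop, and then applies the two behaviours the answer describes. Without the "static" keyword (12.3(14)T and later) a route is present only while an IPsec SA exists for that proxy pair; with "reverse-route static" every route is present regardless of SA state. The peer address, the two remote subnets, the local subnet and which SA is up are constructed sample values.

```python
"""Model of IOS reverse-route injection (RRI) for a static crypto map.

Added example, not from the original thread and not Cisco code.  It encodes
the rule quoted in the answer: one route per remote proxy network (the
destination of each permit entry in the crypto map's match ACL), next hop
equal to the remote tunnel endpoint.  Default mode on 12.3(14)T and later:
a route exists only while an SA for that proxy pair is up.  With
``reverse-route static`` (or on IOS older than 12.3(14)T) every route is
present regardless of SA state.  All addresses below are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS ACL 'addr wildcard' -> network.  The wildcard is an inverted mask,
    so 0.0.0.0 means a /32 and 255.255.255.255 means /0; we invert it
    ourselves rather than relying on ipaddress guessing netmask vs hostmask."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _parse_endpoint(tokens: list[str], i: int) -> tuple[ipaddress.IPv4Network, int]:
    """Parse one ACL endpoint starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list[Ace]:
    """Extract the proxy pairs from an extended ACL.  Only 'permit ip' lines
    define traffic to be encrypted; the header and any deny lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        src, i = _parse_endpoint(tokens, 2)
        dst, _ = _parse_endpoint(tokens, i)
        aces.append(Ace(src, dst))
    return aces


def proxy_pair(src: str, dst: str) -> tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Key for an active SA: the (local, remote) proxy identities it protects."""
    return ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst)


def rri_routes(aces: list[Ace], peer: str, active_sas: set, static: bool = False) -> set[Route]:
    """Routes RRI would hold in the RIB.  Next hop is always the peer, which
    forces traffic for the remote proxy through the crypto map."""
    peer_ip = ipaddress.IPv4Address(peer)
    return {
        Route(ace.dst, peer_ip)
        for ace in aces
        if static or (ace.src, ace.dst) in active_sas
    }


def as_static_commands(routes: set[Route]) -> list[str]:
    """Render the injected routes in 'ip route' syntax for easy comparison."""
    return sorted(f"ip route {r.prefix.network_address} {r.prefix.netmask} {r.next_hop}"
                  for r in routes)


# Constructed sample: the crypto ACL from the question with placeholder networks
# filled in, one peer, and an SA up only for the subnet being pinged.
SAMPLE_ACL = """\
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
"""
PEER = "203.0.113.2"
ACTIVE_SAS = {proxy_pair("10.1.1.0/24", "10.2.1.0/24")}


def demo() -> dict[str, list[str]]:
    """Compare default RRI (SA-driven) with 'reverse-route static'."""
    aces = parse_acl(SAMPLE_ACL)
    return {
        "default": as_static_commands(rri_routes(aces, PEER, ACTIVE_SAS)),
        "static": as_static_commands(rri_routes(aces, PEER, ACTIVE_SAS, static=True)),
    }


if __name__ == "__main__":
    for mode, cmds in demo().items():
        print(mode)
        for cmd in cmds:
            print("  " + cmd)
```

In the default case only the 10.2.1.0/24 route appears, because only that proxy pair has an SA; with the static keyword both routes are present even before any traffic flows. The source side of each entry is used only to match the SA, which is why two entries sharing one local subnet still yield two separate routes.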
