I am currently reading the "Complete Cisco VPN Config Guide" by Richard Deal and no doubt it is a good book. I am facing a difficulty in understanding something here.
In my opinion, Reverse Route Injection is more useful in LAN Extension Mode than in Client mode because connections need to be initiated from the corporate network to the SOHO network. And for this to happen, the corporate network must know the SOHO network. RRI is used in this case to install a static route in the corporate's VPN gateway and then redistribute it into the corporate network.
For client mode, the opposite is true: connections are initiated from the SOHO network or Software client to the corporate network ONLY. So, why do I care about reaching the SOHO network or Software client network from the corporate network? The author didn't clarify that. This is what the author said:
"The Cisco RRI provides the best approach for remote access clients. RRI is a Cisco-proprietary enhancement for IPsec. At the end of ISAKMP/IKE Phase 1, the remote access client does one of the following:
If in client mode, the client is assigned an internal address by the VPN gateway; the VPN gateway will add this as a static route to its local routing table. ----> WHY?
If in network extension mode, the client sends the network number of its inside interface to the VPN gateway via an ISAKMP/IKE Phase 1 message." ----> MAKES SENSE
Please clarify why I need the RRI solution for client mode. RRI for LAN Extension mode makes more sense.
Yes, to my understanding RRI is used to handle the routing for any network/host IP address that is located behind a VPN connection. Typically this would be used in a situation where this information needs to be passed on to dynamic routing protocols running in the internal network.
The RRI inserts the required network/host IP information into the routing table based on either VPN configurations or connections. I think in the VPN Client case the VPN device only inserts the host IP route into the routing table with RRI. I think in the L2L VPN case, for example, the RRI inserts the whole destination network into the routing table.
In our environments there has not really been much need for RRI as the routing environments have been pretty static in nature.
Here is a configuration example of the RRI
Here a VPN gateway device advertises the route towards the single VPN Client to the internal routers in the LAN network.
Though as I said before, I would imagine that in this case the default route might also be pointing to this same device to which the VPN Client is connected, and therefore RRI would not be needed.
To my understanding the RRI is used on the central VPN device to insert the VPN network/host IP addresses into the local routing table to be distributed to the rest of the network through dynamic routing protocols.
As I mentioned in the first reply,
Consider a situation where you have a central office VPN device which IS NOT the device through which all internal traffic to the external network goes. In other words, in your internal network the default route directs traffic to some other device, for example the edge firewall.
Now for any traffic to flow between 2 different networks you naturally need routing table(s) on the device between the networks to have a route for each of the networks or traffic will not flow between them correctly.
So consider a situation where your Client Mode hardware client connects to the central VPN device (which is not the gateway for all external traffic), which is running OSPF along with all the internal routers, and RRI is NOT used. The PAT IP address used by the Client Mode Hardware Client is never advertised to the rest of the network, and traffic will flow incorrectly to the edge firewall to which the default route points. If RRI was enabled (along with other settings), the internal routers could have correctly forwarded the return traffic for the PAT IP address towards the VPN device rather than the edge firewall.
The above situation naturally applies to LAN Extension mode also, but in that case naturally the VPN device is advertising a whole network/subnet instead of a host IP address used as the Client PAT IP.
Whether the remote Client Mode or LAN Extension Mode Hardware Client connects to the central site, the central site will have to have a route for the remote network or PAT IP address for the traffic to flow between 2 endpoints in the network.
If the central VPN device doesn't install a route for the PAT IP address into the central office's network, then naturally the traffic will only be one way. Traffic from the Client mode PAT IP address will reach the central site, but the return traffic back towards the PAT IP address won't flow correctly without RRI.
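To make the asymmetric-routing point in the reply above concrete, here is a small added simulation (not from the thread, the book, or any Cisco code) of an internal router's longest-prefix-match table. The topology, addresses and next-hop names are constructed: the internal router's default route points at an "edge-firewall", the VPN gateway is a separate "vpn-gateway", the client-mode hardware client PATs behind 192.168.100.5 (assumed to be assigned from the gateway's pool), and the LAN-extension-mode client's inside subnet is 192.168.50.0/24. With RRI disabled the reply to the client follows the default route to the firewall; with RRI enabled the injected /32 (client mode) or /24 (network extension mode) wins the longest-prefix match and the reply goes back to the VPN gateway.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the thread):
CLIENT_PAT_IP = "192.168.100.5"        # client-mode address the VPN gateway assigned
REMOTE_SUBNET = "192.168.50.0/24"      # LAN-extension-mode client's inside subnet
INTERNAL_LAN = "10.1.0.0/16"           # the central office's internal network


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str


class RoutingTable:
    """Minimal longest-prefix-match table, enough to model an internal OSPF router."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, source):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, source))

    def lookup(self, dst):
        """Return the most specific matching route for dst, or None."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        if not matches:
            return None
        return max(matches, key=lambda r: r.prefix.prefixlen)


def rri_route(mode, client_pat_ip=CLIENT_PAT_IP, remote_subnet=REMOTE_SUBNET):
    """What RRI would inject on the VPN gateway for each hardware-client mode:
    a host route for the assigned PAT address in client mode, the remote
    inside subnet in network extension mode."""
    if mode == "client":
        return f"{client_pat_ip}/32"
    if mode == "network-extension":
        return remote_subnet
    raise ValueError(f"unknown mode: {mode}")


def build_internal_router(mode, rri_enabled):
    """Routing table of an internal router that learns routes via OSPF and whose
    default route points at the edge firewall, not at the VPN gateway."""
    rt = RoutingTable()
    rt.add(INTERNAL_LAN, "connected", "connected")
    rt.add("0.0.0.0/0", "edge-firewall", "static default")
    if rri_enabled:
        # The VPN gateway's injected static route, redistributed into OSPF.
        rt.add(rri_route(mode), "vpn-gateway", "ospf (redistributed RRI)")
    return rt


def return_next_hop(mode, rri_enabled, reply_dst):
    """Next hop the internal router picks for the reply back to the VPN client."""
    route = build_internal_router(mode, rri_enabled).lookup(reply_dst)
    return route.next_hop


if __name__ == "__main__":
    for mode, dst in (("client", CLIENT_PAT_IP), ("network-extension", "192.168.50.20")):
        for rri in (False, True):
            print(f"{mode:18} RRI={rri!s:5} reply to {dst:15} -> {return_next_hop(mode, rri, dst)}")
```

Running it shows the one-way traffic problem: without the injected route both modes send the reply to the edge firewall, which has no VPN tunnel for it; with RRI the /32 or /24 is more specific than 0.0.0.0/0, so the reply is forwarded to the VPN gateway. If the VPN gateway were itself the default gateway, as the first reply notes, the default route would already deliver the reply correctly and RRI would add nothing.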