01-19-2003 01:35 AM - edited 03-09-2019 01:44 AM
Hi!
Does anybody run RRI on IOS routers successfully?
It seems the implementation is full of bugs: every time the same VPN client reconnects it is given a new IP address from the local pool. The old /32 static route is not removed. The cloned crypto map record is not removed either.
Is it possible to work around this?
Also, if the same interface terminates remote VPN clients and IPSec+GRE site-to-site tunnels, RRI adds a static /32 route to the VPN client via ALL interfaces with a crypto map applied: serial, tunnel 0, tunnel 1, ..., etc. (by unclear design one should apply the crypto map to both physical *and* tunnel interfaces).
Again, is it possible to work around this?
Oleg Tipisov,
REDCENTER,
Moscow
01-19-2003 09:37 PM
The VPN concentrator had this problem of not removing the route after a disconnect, but haven't heard about it on IOS, maybe someone else on this list has.
Can you enable "debug cry ipsec" and "debug cry isa" when the client disconnects? We should be able to see whether the route is removed or not. How are the clients disconnecting? We need to make sure the IPSec SA is not being stranded. Can you include a "sho ip route" and a "sho cry isa peer" after the client connects, then again when it disconnects?
The "client route being added to all interfaces with the crypto map applied" is bug ID CSCdw38881, still being worked on.
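A small script that does the comparison suggested above offline, as an added example and not part of this thread: it reads a "sho ip route" capture, picks out the static /32 routes that RRI injected into the client pool, and flags the ones that belong to no currently connected client or that share a next hop with another pool address (the reconnect symptom). The routing-table text, the pool 10.10.10.0/24 and the set of assigned addresses are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of "show ip route" output (not captured from a real router).
SHOW_IP_ROUTE = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0

S*   0.0.0.0/0 [1/0] via 203.0.113.1
C    203.0.113.0/24 is directly connected, Serial0
     10.10.10.0/24 is subnetted, 3 subnets
S       10.10.10.5/32 [1/0] via 198.51.100.7
S       10.10.10.6/32 [1/0] via 198.51.100.7
S       10.10.10.9/32 [1/0] via 198.51.100.22
C    192.168.1.0/24 is directly connected, Ethernet0
"""

# Address pool handed to remote-access VPN clients (assumption for the example).
CLIENT_POOL = ipaddress.ip_network("10.10.10.0/24")

# Pool addresses held by clients that are connected right now (for instance from
# "show ip local pool" taken after the reconnect); constructed for this example.
ASSIGNED = {"10.10.10.6", "10.10.10.9"}

# Static /32 route line: "S   <client>/32 [ad/metric] via <peer>"
ROUTE_RE = re.compile(
    r"^S\s+(\d+\.\d+\.\d+\.\d+)/32\s+\[\d+/\d+\]\s+via\s+(\d+\.\d+\.\d+\.\d+)")

def rri_host_routes(show_ip_route, pool):
    """Return {client_ip: next_hop} for static /32 routes inside the client pool."""
    routes = {}
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if m and ipaddress.ip_address(m.group(1)) in pool:
            routes[m.group(1)] = m.group(2)
    return routes

def stale_routes(show_ip_route, pool, assigned):
    """Pool /32 routes whose client address is not assigned to any current client."""
    routes = rri_host_routes(show_ip_route, pool)
    return {ip: nh for ip, nh in routes.items() if ip not in assigned}

def duplicate_peer_routes(show_ip_route, pool):
    """Peers that still own more than one pool /32 (old address left behind after reconnect)."""
    by_peer = {}
    for ip, nh in rri_host_routes(show_ip_route, pool).items():
        by_peer.setdefault(nh, []).append(ip)
    return {nh: sorted(ips) for nh, ips in by_peer.items() if len(ips) > 1}

if __name__ == "__main__":
    for ip, nh in sorted(stale_routes(SHOW_IP_ROUTE, CLIENT_POOL, ASSIGNED).items()):
        print(f"stale RRI route: {ip}/32 via {nh}")
    for nh, ips in duplicate_peer_routes(SHOW_IP_ROUTE, CLIENT_POOL).items():
        print(f"peer {nh} holds several pool routes: {', '.join(ips)}")
```

Run it against a capture taken before and after the client disconnects to see whether the /32 for the old address ever goes away.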
01-20-2003 10:03 AM
Thank you for the reply.
I saw the problem of not removing the static route in 12.2(8)T. Could not reproduce it in 12.2(11)T2 yesterday :(
Glenn, your answers are always very useful, could you please answer my question titled "sysopt connection permit-ipsec and ACL" (VPN/Security forum)?
Oleg Tipisov,
REDCENTER,
Moscow