I have a site-to-site IPsec tunnel between 2 IOS routers, and in the crypto map I have reverse-route added. Let's say that crypto map's match address permits its source network access to 2 remote subnets. If traffic is generated to only one of the remote subnets, would it inject statics for just that network, or will it do it for both?
crypto map WAN_VPN 30 ipsec-isakmp
 set peer xxx.xxx.xxx
 set transform-set Remote-Office
 set pfs group2
 match address VPN-TRAFFIC
 reverse-route

ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 184.108.40.206 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 220.127.116.11 0.0.0.255
If I'm pinging 18.104.22.168 continuously, it will inject a static route for that subnet, but will it also inject 22.214.171.124/24, since they are on the same ACL?
Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.
For static crypto maps, routes are always present if RRI is configured on an applied crypto map. In Cisco IOS Release 12.3(14)T, the default behavior—of routes always being present for a static map—will not apply unless the static keyword is added to the reverse-route command.
The command lookup tool has additional information for reverse-route (All IOS Commands)
So check your version and give it a try.
PS: to answer your question directly:
No, RRI will not inject a route for 126.96.36.199/24 if you're using something newer than 12.3(14)T. If you add the "static" keyword for newer IOS versions, it will inject both routes regardless of the state of the tunnel.