Cisco Support Community

New Member

Regarding RRI

I have a site to site ipsec tunnel between 2 IOS routers and in the crypto map I have reverse-route added. Let's say on that crypto map's match address it's permitting its source network access to 2 remote subnets. If only traffic is generated to one of the remote subnets, would it inject statics for just that network or will it do it for both?

Sample config

crypto map WAN_VPN 30 ipsec-isakmp
 set peer xxx.xxx.xxx
 set transform-set Remote-Office
 set pfs group2
 match address VPN-TRAFFIC
 reverse-route
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255

If I'm pinging 20.20.20.1 continuously, it will inject a static route for that subnet but will it also inject 30.30.30.0/24 as well since they are on same ACL?

1 REPLY
Bronze

Re: Regarding RRI

Hi Jack,

here is a detailed description of RRI:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_rev_rte_inject.html

Basically it will do (citation from above link):

Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.

For static crypto maps, routes are always present if RRI is configured on an applied crypto map. In Cisco IOS Release 12.3(14)T, the default behavior—of routes always being present for a static map—will not apply unless the static keyword is added to the reverse-route command.

The command lookup tool has additional information for reverse-route (All IOS Commands).

So check your version and give it a try.

Rgds, MiKa

PS to answer directly your question:

No, RRI will not inject a route for 30.30.30.0/24 if you're using something newer than 12.3(14)T. If you add the "static" keyword for newer IOS versions it will inject both routes regardless of the state of the tunnel.

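To make the two cases in the reply concrete (a route only for the ACE whose IPsec SA is up, versus a route for every ACE once `reverse-route static` is used), here is an added Python model of how RRI derives routes from the crypto ACL. It is not code from the thread or from Cisco; the peer address is a placeholder for the redacted `set peer xxx.xxx.xxx` value, and the ACL text is the one from the question, embedded as constructed input.

```python
import ipaddress

# Constructed input: the two ACEs from the VPN-TRAFFIC crypto ACL in the question.
CRYPTO_ACL = """
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 30.30.30.0 0.0.0.255
"""
PEER = "203.0.113.1"  # placeholder for the redacted 'set peer' address


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair into a CIDR network.
    An IOS wildcard mask is the bitwise inverse of a subnet mask, so invert it
    explicitly rather than relying on ipaddress guessing netmask vs. hostmask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(mask)), strict=False)


def parse_target(tokens):
    """Consume one ACL address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(text):
    """Return (local_proxy, remote_proxy) pairs, one per 'permit ip' ACE."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue  # deny lines and other protocols do not form IPsec proxies
        local, rest = parse_target(tokens[2:])
        remote, _ = parse_target(rest)
        entries.append((local, remote))
    return entries


def rri_routes(entries, peer, active_remote_proxies, static=False):
    """Routes RRI injects: one per ACE, for the remote proxy network, next hop = peer.
    Without the 'static' keyword (post-12.3(14)T behaviour) a route appears only for
    ACEs whose IPsec SA is established; with 'static' every ACE gets a route."""
    return {str(remote): peer
            for _local, remote in entries
            if static or remote in active_remote_proxies}


if __name__ == "__main__":
    aces = parse_crypto_acl(CRYPTO_ACL)
    up = {ipaddress.IPv4Network("20.20.20.0/24")}  # only the pinged subnet has an SA
    print("dynamic RRI:", rri_routes(aces, PEER, up))
    print("static RRI: ", rri_routes(aces, PEER, set(), static=True))
```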