12-23-2009 02:41 PM
I recently upgraded one of my VPN routers to IOS 12.4(20) and RRI no longer worked;
previously on IOS 12.4(4).
Relevant old config:
crypto map IPSec-VPN1 122 ipsec-isakmp
 set peer 165.228.173.218
 set ip access-group 132 in
 set transform-set AES256 CHELTENHAM
 match address REFRIGERATE
 reverse-route tag 5
!
route-map RRI permit 10
 match tag 5
!
router eigrp 100
 redistribute static metric 1000 100 255 1 1500 route-map RRI
When I upgraded to 12.4(20) I noticed the "reverse-route tag 5" had dropped from the config,
so after investigation I changed the crypto map to:
crypto map IPSec-VPN1 122 ipsec-isakmp
 set peer 165.228.173.218
 set ip access-group 132 in
 set transform-set AES256 CHELTENHAM
 set reverse-route tag 5
 match address REFRIGERATE
 reverse-route remote-peer 165.228.173.218
This seemed to be OK, as a route was established and I could see it through my EIGRP network.
But no traffic was passed from my VPN router (encrypted traffic 0);
I could not ping the remote site.
I reverted back to static routing, removed the reverse-route statements, and traffic passed OK.
Is anything else required to be configured when running RRI on 12.4(20)?
12-23-2009 04:00 PM
Looks like I have solved my own problem.
In the crypto map, the
reverse-route remote-peer command really refers to the local gateway;
see the extract from the doco below.
I thought "remote peer" referred to the peer as in the "set peer" command in the crypto map,
so I changed it to the next-hop address for the VPN tunnel (my internet gateway)
and it now works OK.
If the command read "reverse-route gateway" it would make a lot more sense!
This RRI gateway option is relevant to the crypto map only.
This option allows you to configure unique next hops or gateways for remote tunnel endpoints. The option is identical to the way the reverse-route remote-peer {ip-address} command worked prior to Cisco IOS Release 12.3(14)T in that two routes are created for each VPN tunnel. The first route is to the destination-protected subnet via the remote tunnel endpoint. The second route specifies the next hop to be taken to reach this tunnel endpoint. This RRI gateway option allows specific default paths to be specified for specific groups of VPN connections on platforms that support recursive route lookups.
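As an added illustration (not the original poster's running config, and not taken from the Cisco documentation), here is the crypto map written both ways: first with the IPsec peer's own address in reverse-route remote-peer, which is the form that installed a route but passed no traffic, then with the next-hop address of the local internet gateway, which is the form that works. The gateway address 203.0.113.1 and the remote protected subnet 10.20.0.0/24 are assumed values for the example; the thread does not give them. The peer address, map name, sequence number, ACL names and tag are the ones from the thread.

```cisco
! Added example, not the poster's running config.
! Assumed values: local internet gateway 203.0.113.1 (next hop toward the peer),
! remote protected subnet 10.20.0.0/24 (the network matched by REFRIGERATE).
!
! Broken form: remote-peer is set to the IPsec peer itself. RRI still installs the
! protected-subnet route and EIGRP advertises it, but the host route it creates for the
! peer then points at the peer itself and resolves to no usable next hop, which matches
! the symptom in the thread (route visible, encrypted traffic 0).
crypto map IPSec-VPN1 122 ipsec-isakmp
 set peer 165.228.173.218
 set ip access-group 132 in
 set transform-set AES256 CHELTENHAM
 set reverse-route tag 5
 match address REFRIGERATE
 reverse-route remote-peer 165.228.173.218
!
! Working form: remote-peer is the next hop (local gateway) used to reach the peer.
crypto map IPSec-VPN1 122 ipsec-isakmp
 set peer 165.228.173.218
 set ip access-group 132 in
 set transform-set AES256 CHELTENHAM
 set reverse-route tag 5
 match address REFRIGERATE
 reverse-route remote-peer 203.0.113.1
!
! Redistribution, unchanged from the thread: only routes carrying tag 5 leak into EIGRP.
route-map RRI permit 10
 match tag 5
!
router eigrp 100
 redistribute static metric 1000 100 255 1 1500 route-map RRI
!
! Per the documentation extract, the working form creates two routes per tunnel. With the
! assumed subnet they correspond to these static routes (tag placement on the first route
! is an assumption; the page does not say which of the two carries the tag):
!   ip route 10.20.0.0 255.255.255.0 165.228.173.218 tag 5
!   ip route 165.228.173.218 255.255.255.255 203.0.113.1
!
! Verify after the change:
!   show ip route static          (both RRI routes present, tagged route only on the subnet)
!   show crypto map               (reverse-route remote-peer shows the gateway address)
!   show crypto ipsec sa          (pkts encrypt/decrypt counters increment when pinging the remote site)
```

The point to check in show ip route static is the second route: its next hop must be an address the router can reach directly (the gateway), not the tunnel endpoint itself.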