Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1595
Views
4
Helpful
1
Replies

Reverse route injection(RRI) problem on IOS12.4(20)

Richard Bradfield
Level 6
Level 6

‎12-23-2009 02:41 PM

I recently upgraded one of my VPN routers to IOS12.4(20) and RRI no longer worked

previously on IOS12.4(4)

relevent  old config :

crypto map IPSec-VPN1 122 ipsec-isakmp
set peer 165.228.173.218
set ip access-group 132 in
set transform-set AES256 CHELTENHAM
match address REFRIGERATE
reverse-route tag 5

!

route-map RRI permit 10
match tag 5
!

router eigrp 100
redistribute static metric 1000 100 255 1 1500 route-map RRI

when upgraded to 124(20) noticed the "reverse-route tag 5" dropped from config

so after investigation changed the crypto map to

crypto map IPSec-VPN1 122 ipsec-isakmp
set peer 165.228.173.218
set ip access-group 132 in
set transform-set AES256 CHELTENHAM

set reverse-route tag 5
match address REFRIGERATE

reverse-route remote-peer 165.228.173.218

this seemed to be ok as a route was established ,and could see it through my eigrp network

But no traffic was passed from my vpn router (encrypted traffic 0)

could not ping remote site.

reverted back to static routing, removed the reverse-route statements and passed traffic ok

is anything else required to be configured when running RRI on 12.4(20)

Labels:
0 Helpful
1 Reply 1

Richard Bradfield
Level 6
Level 6

‎12-23-2009 04:00 PM

Looks like I have solved my own problem

in the crypto map

reverse-route remote-peer command really refers to the local gateway

see extract from doco below

so I though remote peer referred to the peer as in the "set peer" command in the crypto map

so changed it to the next hop address  for the vpn tunnel (my internet gateway)

now works ok

If the command read reverse-route gateway would make a lot more sense!

Gateway Option

This RRI gateway option is relevant to the crypto map only.

This option allows you to configure unique next hops or gateways for remote tunnel endpoints. The option is identical to the way the reverse-route remote-peer {ip-address} command worked prior to Cisco IOS Release 12.3(14)T in that two routes are created for each VPN tunnel. The first route is to the destination-protected subnet via the remote tunnel endpoint. The second route specifies the next hop to be taken to reach this tunnel endpoint. This RRI gateway option allows specific default paths to be specified for specific groups of VPN connections on platforms that support recursive route lookups.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents