reverse route injection

Dennis Olvany
Level 1

So, I've got a crypto map with a dynamic peer and wildcard PSK. The default route on the VPN headend points to the corporate LAN, not the internet. So, I'd like to use RRI to automatically create a route to the remote peer based on the peer DNS lookup. So, I've done the following and RRI does not seem to work, although if I add a static to the peer IP it does work. Any ideas? IOS is 12.4(25b). Am I missing something regarding the operation of RRI? To quote Cisco literature on the subject, rev rem should create two routes: "The first route is to the destination-protected subnet via the remote tunnel endpoint. The second route specifies the next hop to be taken to reach this tunnel endpoint." It seems that the second route is not being created.

! default route toward the corporate LAN, not the internet
ip route 0.0.0.0 0.0.0.0 [lanRouter]
!
crypto map bla 10 ipsec-isakmp
 set peer a.host.com dynamic
 reverse-route remote-peer [internetRouter]
!
! add this host route to the resolved peer address and it works
ip route [a.host.com] 255.255.255.255 [internetRouter]
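A quick way to confirm which of the two RRI routes is actually in the RIB is to parse `show ip route static` and check for both of them. The script below is an added example written for this thread, not something posted by the original author or supplied by Cisco; the routing table text, the documentation addresses (203.0.113.1 standing in for [lanRouter], 198.51.100.1 for [internetRouter], 192.0.2.10 for the resolved address of a.host.com) and the protected subnet 10.20.0.0/24 are all constructed. It also does a longest-prefix lookup of the peer address, which shows why a missing host route matters: the peer falls through to the default route toward the LAN router.

```python
import ipaddress
import re

# Constructed sample of `show ip route static` output with only the first RRI
# route present (the symptom described in the thread). Addresses are placeholders.
SAMPLE_BEFORE = """\
S*   0.0.0.0/0 [1/0] via 203.0.113.1
     10.0.0.0/8 is variably subnetted, 1 subnets, 1 masks
S       10.20.0.0/24 [1/0] via 192.0.2.10
"""

# Constructed sample after adding the static host route to the peer.
SAMPLE_AFTER = SAMPLE_BEFORE + """\
     192.0.2.0/24 is variably subnetted, 1 subnets, 1 masks
S       192.0.2.10/32 [1/0] via 198.51.100.1
"""

# Matches static route lines such as "S    10.20.0.0/24 [1/0] via 192.0.2.10".
ROUTE_RE = re.compile(r"^S\*?\s+(\S+/\d+)\s+\[\d+/\d+\]\s+via\s+(\S+)")


def parse_static_routes(text):
    """Return {IPv4Network: IPv4Address next hop} for each static route line."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[ipaddress.ip_network(m.group(1))] = ipaddress.ip_address(m.group(2))
    return routes


def check_rri(routes, peer, protected, internet_router):
    """Return a list describing the RRI routes that are missing (empty list == OK)."""
    peer = ipaddress.ip_address(peer)
    protected = ipaddress.ip_network(protected)
    internet_router = ipaddress.ip_address(internet_router)
    missing = []
    # Route 1: the destination-protected subnet via the remote tunnel endpoint.
    if routes.get(protected) != peer:
        missing.append(f"{protected} via {peer}")
    # Route 2: host route to the tunnel endpoint via the internet next hop.
    host = ipaddress.ip_network(f"{peer}/32")
    if routes.get(host) != internet_router:
        missing.append(f"{host} via {internet_router}")
    return missing


def lookup(routes, dest):
    """Longest-prefix match as the RIB would do it; returns (prefix_str, next_hop_str)."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, next_hop in routes.items():
        if dest in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return None if best is None else (str(best[0]), str(best[1]))


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        routes = parse_static_routes(sample)
        missing = check_rri(routes, "192.0.2.10", "10.20.0.0/24", "198.51.100.1")
        print(label, "missing:", missing or "none")
        print(label, "peer 192.0.2.10 is reached via", lookup(routes, "192.0.2.10"))
```

On the "before" table the check reports the host route as missing and the peer lookup resolves to the 0.0.0.0/0 entry via 203.0.113.1, i.e. IKE and ESP to the peer would be sent toward the corporate LAN; on the "after" table both routes are present and the peer is reached via 198.51.100.1.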

2 Replies

wzhang
Cisco Employee

Hi,

Your understanding of RRI is correct. With your configuration, RRI should add a second static host route to the peer address pointing out the egress interface where the crypto map is applied. However, in practice, unless your egress link is a p2p interface, we always recommend you use "reverse-route remote-peer [internetRouter_ip_address]" to avoid incomplete adjacency issues. As a matter of fact, the command "reverse-route remote-peer" (without a next-hop IP) has been deprecated in IOS 12.4(15)T and later.

Thanks,

Wen

Thanks for the info. I am including the next hop in the rev rem command usage. I am a bit stumped as to why it is not working. No results in Bug Toolkit for this issue. Opened a TAC case.