So, I've got a crypto map with a dynamic peer and a wildcard PSK. The default route on the VPN headend points to the corporate LAN, not the Internet. So, I'd like to use RRI to automatically create a route to the remote peer based on the peer's DNS lookup. I've done the following and RRI does not seem to work, although if I add a static route to the peer IP it does work. Any ideas? IOS is 12.4(25b). Am I missing something regarding the operation of RRI? To quote Cisco literature on the subject, reverse-route remote-peer should create two routes: "The first route is to the destination-protected subnet via the remote tunnel endpoint. The second route specifies the next hop to be taken to reach this tunnel endpoint." It seems that the second route is not being created.
ip route 0.0.0.0 0.0.0.0 [lanRouter]
!
crypto map bla 10 ipsec-isakmp
 set peer a.host.com dynamic
 reverse-route remote-peer [internetRouter]
!
! add this and it works:
ip route [a.host.com] 255.255.255.255 [internetRouter]
Your understanding of RRI is correct. With your configuration, RRI should add a second static host route to the peer address pointing out the egress interface where the crypto map is applied. However, in practice, unless your egress link is a point-to-point interface, we always recommend you use "reverse-route remote-peer [internetRouter_ip_address]" to avoid incomplete adjacency issues. As a matter of fact, the command "reverse-route remote-peer" (without a next-hop IP) has been deprecated in IOS 12.4(15)T and later.
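The following is an added example (not the original poster's configuration and not the answer's) that puts the recommendation above into a complete crypto-map configuration, with the deprecated next-hop-less form shown commented out beside the form that names the Internet next hop. The addresses, interface name, transform set, crypto ACL and PSK are all assumed: 203.0.113.1 stands for the Internet router, 10.0.0.1 for the corporate LAN router, and 192.0.2.0/24 for the protected subnet behind the remote peer.

```cisco
! Added example, not the original poster's config. Assumed values:
!   203.0.113.1  = next hop toward the Internet   ("internetRouter")
!   10.0.0.1     = corporate LAN router            ("lanRouter")
!   192.0.2.0/24 = protected subnet behind the remote peer
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
!
! Wildcard PSK: any source address may attempt IKE with this key, so the
! key is the only thing authenticating the peer. Keep it strong.
crypto isakmp key 0 <psk> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Deprecated form (12.4(15)T and later): no next hop given, so RRI points
! the host route for the peer out the egress interface. On a multi-access
! interface that leaves the adjacency incomplete.
!
! crypto map bla 10 ipsec-isakmp
!  set peer a.host.com dynamic
!  set transform-set TS
!  match address VPN-ACL
!  reverse-route remote-peer
!
! Recommended form: give RRI the Internet next hop explicitly.
crypto map bla 10 ipsec-isakmp
 set peer a.host.com dynamic
 set transform-set TS
 match address VPN-ACL
 reverse-route remote-peer 203.0.113.1
!
ip access-list extended VPN-ACL
 permit ip 10.0.0.0 0.255.255.255 192.0.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 description Internet-facing (assumed interface name)
 ip address 203.0.113.2 255.255.255.0
 crypto map bla
!
! Default route still points at the corporate LAN, as in the question.
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
! Once the tunnel is up, RRI should install the two static routes the
! quoted Cisco text describes:
!   192.0.2.0/24 via <resolved peer address>      (protected subnet via endpoint)
!   <resolved peer address>/32 via 203.0.113.1    (endpoint via the Internet hop)
! Verify with: show ip route static
```

The second route is the one that matters here: without it, or with it pointing only out the interface, return traffic to the peer would follow the default route toward the corporate LAN instead of the Internet.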