New Member

vpn 3000 RRI

Hi guys,

I've been working on establishing a VPN between a VPN 3000 and a Checkpoint. The problem I am having on the VPN 3000 is that if I don't select "reverse route injection" it won't establish the VPN.

I thought it may have been because the local LAN routes didn't exist on the VPN 3000, so I added statics to match the network lists, but it still wouldn't come up. As soon as I enable reverse route injection it works fine.

Any ideas?

Thanks

Adam Baxter.

Accepted Solutions
Cisco Employee

Re: vpn 3000 RRI

Adam,

Take out the static routes and also disable reverse route injection.

Enable the logs on the concentrator for severity 1-13 for AUTH, AUTHDBG, IKE, IKEDBG, IPSEC & IPSECDBG.

Try to send a ping for the interesting traffic. Capture the logs and send them to this post, and let me take a look at them and see if there is any issue that jumps out.

Cheers

gilbert

7 REPLIES
New Member

Re: vpn 3000 RRI

And I am trying to send a ping to bring up the tunnel.

New Member

Re: vpn 3000 RRI

Hi Adam,

Are you performing any load balancing stuff on the VPN concentrator?

Topology:
---------
lan1--(concentrator)-------(checkpoint)--Lan2

In the above topology, if you select RRI on the concentrator, a route for the Lan2 networks will be forwarded by the concentrator to the Lan1 segments via the concentrator's private interface.

Hope it helps. Please rate all helpful posts.

--Jaffer

New Member

Re: vpn 3000 RRI

No load balancing.

New Member

Re: vpn 3000 RRI

Well, please have a look at the following link to get an idea of reverse route injection.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_14/gt_rrie.htm

New Member

Re: vpn 3000 RRI

Guys, I figured it out.... silly mistake.

Thanks for the help.

New Member

Re: vpn 3000 RRI

Dear Adam,

It seems to me that before you enable RRI, you need to enable routing on the Private port for redistributing stuff. There are three rules for injecting reverse routes. However, when you establish an L-2-L VPN using the Public interface you will find that the VPN3000 uses the default gateway address as the next hop of the injected route, not the peer's address.

Cheers,

James Ren
