Hi all

With IOS IPSec, we have two cmds for reverse route injection:

router2(config-crypto-map)#set reverse-route ?
  distance  Distance metric for this static route
  tag       Create route and tag it


router2(config-crypto-map)#reverse-route ?
  remote-peer  Create route in route table for remote tunnel endpoint
  static       Create routes based on static ACLs permanently


My understanding

For static site-to-site VPN, we should use "reverse-route". This will add a
static route to the remote site address in the interesting traffic ACL.
The "static" keyword will add the route permanently. Else the route will be
removed when the tunnel is torn down.

For EzVPN server, we should add "set reverse-route". For VTI based EzVPN
server, it should be added under the IPSec profile.



For dynamic VPNs configured using dynamic crypto maps (given below), should
we use "reverse-route" or "set reverse-route"?

crypto dynamic-map dynmap 1
 set transform-set tran
 match address 123

The IOS is inconsistent in its behaviour and hence I am not able to confirm
the behaviour.



With regards
Kings