I don't think reverse route on L2L adds a static route for the networks in the proxy ACL. I thought it added a route when an address was pushed through the tunnel using mode config. I have never tried using reverse-route injection with a L2L tunnel, but it doesn't make sense to use it when the two sites have static addresses with a route to each peer in the routing table. For L2L you need a route to the peer and the proxied networks before the tunnel comes up. I agree with the second statement for EzVPN. Please correct me if I am wrong.
From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, April 06, 2010 6:23 PM
To: [email protected]
Subject: [OSL | CCIE_Security] reverse route and set reverse route

Hi all,

With IOS IPsec, we have two commands for reverse route injection:

router2(config-crypto-map)#set reverse-route ?
  distance  Distance metric for this static route
  tag       Create route and tag it

router2(config-crypto-map)#reverse-route ?
  remote-peer  Create route in route table for remote tunnel endpoint
  static       Create routes based on static ACLs permanently

My understanding:

For static site-to-site VPN, we should use "reverse-route". This will add a static route to the remote site addresses in the interesting traffic ACL. The "static" keyword will add the route permanently; otherwise the route will be removed when the tunnel is torn down.

For an EzVPN server, we should add "set reverse-route". For a VTI-based EzVPN server, it should be added under the IPsec profile.

For dynamic VPNs configured using dynamic crypto maps (given below), should we use "reverse-route" or "set reverse-route"?

crypto dynamic-map dynmap 1
 set transform-set tran
 match address 123

The IOS is inconsistent in its behavior and hence I am not able to confirm the behaviour.

With regards,
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
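As an added illustration that is not part of either message in the thread, the fragment below puts the three RRI forms the thread discusses next to each other in the places IOS accepts them: the static crypto map entry (reverse-route with the static keyword), the dynamic crypto map (reverse-route) and a VTI-style IPsec profile (set reverse-route), plus the show commands to check what actually landed in the routing table. Peer address 203.0.113.2, the map names VPNMAP and EZVPN-PROF, and the ACL/transform-set names reuse the thread's dynmap/tran/123 and are otherwise assumed; it does not settle the question of which form belongs on a dynamic map, it only shows where to look.

```cisco
! Added example, not configuration from the thread. Names and the peer
! address are assumptions for illustration.
!
! 1. Static L2L entry. "reverse-route static" asks for routes to the
!    destination networks of ACL 123 to be installed permanently,
!    independent of SA state. A route to the peer itself must already
!    exist for the tunnel to come up.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set tran
 match address 123
 reverse-route static
!
! 2. Dynamic crypto map entry (the thread's dynmap). Without "static",
!    any injected route is tied to the SA and disappears when the SA
!    is torn down.
crypto dynamic-map dynmap 1
 set transform-set tran
 match address 123
 reverse-route
!
crypto map VPNMAP 65535 ipsec-isakmp dynamic dynmap
!
! 3. VTI / profile-based EzVPN server: RRI is configured on the profile.
crypto ipsec profile EZVPN-PROF
 set transform-set tran
 set reverse-route
!
! Checks to run before and after the tunnel is established:
!   show crypto map            - confirms RRI is enabled on the entry
!   show ip route static       - lists routes RRI actually injected
!   show crypto ipsec sa       - SA state, to correlate with route presence
```

Take the static-route listing twice, once with no SA and once after interesting traffic has brought the tunnel up; the difference between the two outputs is the answer to "does this keyword add a route for the proxy ACL networks, and does it survive the tunnel going down" on the code version in front of you, which is the only reliable way to settle the disagreement in the thread.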
