You are confusing "set reverse route" and "reverse route".
For L2L, you need to add static routes manually for remote proxy ids. Instead of adding manually, you can configure "reverse route" under the crypto map and this will add a route with next hop as the peer address in the crypto map.

With regards
Kings

On Tue, Apr 6, 2010 at 2:03 PM, Michael Davis <[email protected]> wrote:

> I don't think reverse route on L2L adds a static route for the networks
> in the proxy acl. I thought it added a route when an address was pushed
> through the tunnel using mode config. I have never tried using reverse-route
> injection with a L2L tunnel, but it doesn't make sense to use it when the 2
> sites have static addresses with a route to each peer in the routing table.
> For L2L you need a route to the peer and the proxied networks before the
> tunnel comes up. I agree with the second statement for ezvpn. Please
> correct me if I am wrong.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Tuesday, April 06, 2010 6:23 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] reverse route and set reverse route
>
> Hi all
>
> With IOS IPSec, we have two cmds for reverse route injection:
>
> router2(config-crypto-map)#set reverse-route ?
>   distance  Distance metric for this static route
>   tag       Create route and tag it
>
> router2(config-crypto-map)#reverse-route ?
>   remote-peer  Create route in route table for remote tunnel endpoint
>   static       Create routes based on static ACLs permanently
>
> My understanding
>
> For static site to site VPN, we should use "reverse-route". This will add a
> static route to remote site address in the interesting traffic acl.
>
> The "static" keyword will add the route permanently. Else the route will be
> removed when the tunnel is torn off.
>
> For EzVPN server, we should add "set reverse-route". For VTI based EzVPN
> server, it should be added under IPSec profile.
>
> For dynamic vpns configured using dynamic crypto maps (given below), should
> we use "reverse-route" or "set reverse-route"?
>
> crypto dynamic-map dynmap 1
>  set transform-set tran
>  match address 123
>
> The IOS is inconsistent in its behavior and hence I am not able to confirm
> the behaviour.
>
> With regards
>
> Kings
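The static L2L case from the reply at the top of this thread, written out as an added example (not configuration posted by anyone in the thread). The map name, ACL number, interface and all addresses are constructed placeholders, and an ISAKMP policy and key for the peer are assumed to exist already.

```ios
! Constructed example: local LAN 10.1.1.0/24, remote LAN 10.2.2.0/24,
! remote peer 192.0.2.2. Names and numbers are placeholders.
!
! Proxy ACL (interesting traffic) for the L2L tunnel
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto ipsec transform-set tran esp-aes esp-sha-hmac
!
! Option A: no RRI. The route to the remote proxy network is added by hand.
ip route 10.2.2.0 255.255.255.0 192.0.2.2
!
! Option B: RRI under the static crypto map entry instead of the manual route.
! Per the reply above, this installs a route for the remote proxy network
! with the crypto map peer as next hop. The "static" keyword (from the help
! output quoted in the thread) creates the route from the ACL permanently;
! without it the route follows the tunnel state.
no ip route 10.2.2.0 255.255.255.0 192.0.2.2
crypto map L2L-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set tran
 match address 101
 reverse-route static
!
interface FastEthernet0/0
 crypto map L2L-MAP
!
! Check from exec mode, before and after the tunnel comes up:
!   show ip route static
!   show crypto map
!   show crypto ipsec sa
```

Because the thread reports that behaviour differs between IOS releases, compare the routing table before and after applying the crypto map on the release you actually run, and confirm that traffic for the remote proxy network cannot leave the outside interface unencrypted if the injected route is missing.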
