I see what you are saying.  I didn't know that you could use it with an L2L 
tunnel :)  I am going to try this and see what the route looks like.

From: Kingsley Charles [mailto:[email protected]]
Sent: Tuesday, April 06, 2010 6:37 PM
To: Michael Davis
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] reverse route and set reverse route

You are confusing "set reverse route" and "reverse route".

For L2L, you need to add static routes manually for remote proxy ids. Instead 
of adding manually, you can configure "reverse route" under the crypto map and 
this will add a route with next hop as the peer address in the crypto map.


With regards
Kings



On Tue, Apr 6, 2010 at 2:03 PM, Michael Davis <[email protected]> wrote:
I don't think reverse route on L2L adds a static route for the networks in the 
proxy acl.  I thought it added a route when an address was pushed through the 
tunnel using mode config.  I have never tried using reverse-route injection with 
an L2L tunnel, but it doesn't make sense to use it when the 2 sites have static 
addresses with a route to each peer in the routing table.  For L2L you need a 
route to the peer and the proxied networks before the tunnel comes up.  I agree 
with the second statement for ezvpn.  Please correct me if I am wrong.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Tuesday, April 06, 2010 6:23 PM
To: [email protected]
Subject: [OSL | CCIE_Security] reverse route and set reverse route

Hi all

With IOS IPSec, we have two cmds for reverse route injection:

router2(config-crypto-map)#set reverse-route ?
  distance  Distance metric for this static route
  tag       Create route and tag it


router2(config-crypto-map)#reverse-route ?
  remote-peer  Create route in route table for remote tunnel endpoint
  static       Create routes based on static ACLs permanently


My understanding

For static site to site VPN, we should use "reverse-route" This will add a 
static route to remote site address in the interesting traffic acl.
The "static" keyword will add the route permanently. Else the route will be 
removed when the tunnel is torn off.

For EzVPN server, we should add "set reverse-route". For VTI based EzVPN 
server, it should be added under the IPSec profile.



For dynamic vpns configured using dynamic crypto maps (given below), should we 
use "reverse-route" or "set reverse-route"?

crypto dynamic-map dynmap 1
 set transform-set tran
 match address 123

The IOS is inconsistent in its behavior and hence I am not able to confirm the 
behaviour.



With regards
Kings
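As an added illustration of the two command forms discussed in this thread (editor's example, not configuration posted by either participant), here is a minimal IOS crypto-map configuration showing "reverse-route" on a static site-to-site map and on a dynamic map. The addresses, ACL number, transform-set name and the "show ip route" output are constructed for illustration only; the map name "L2L" and sequence numbers are assumptions.

```cisco
! Static site-to-site entry. "reverse-route" injects a static route for the
! remote proxy network (the destination side of ACL 101) with the crypto peer as
! next hop; the "static" keyword keeps that route in the table even while the
! SA is down, so traffic toward 10.2.0.0/24 always hits the crypto map.
! (Addresses constructed.)
access-list 101 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
crypto map L2L 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set tran
 match address 101
 reverse-route static
!
! Dynamic entry for peers whose addresses are not known in advance. Here
! "reverse-route" can only install the route once the SA is up, because both
! the peer address and the remote proxy identity are learned at negotiation.
crypto dynamic-map dynmap 1
 set transform-set tran
 reverse-route
crypto map L2L 65535 ipsec-isakmp dynamic dynmap
!
! Verification (constructed output): the injected route appears as a static
! route whose next hop is the crypto peer, so a missing or wrong entry here is
! the first thing to check when return traffic for the tunnel is not encrypted.
! router2# show ip route static
! S    10.2.0.0/24 [1/0] via 203.0.113.2
```

The defensive point of the "static" keyword is that the route exists before the SA does: without it, routing for the remote network depends on the tunnel already being up, which is the chicken-and-egg situation described earlier in the thread for L2L tunnels.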

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
