Kings,

Looks to me like you have it down. As for your last question, which one produces the result you are looking for? Ultimately you are going to get a static route introduced to your routing table. You can then take that static route and redistribute it into any routing protocol you are running. I guess I'm not sure what you are asking?

Regards,

Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert

On Apr 6, 2010, at 1:23 AM, Kingsley Charles wrote:

> Hi all
>
> With IOS IPSec, we have two cmds for reverse route injection:
>
> router2(config-crypto-map)#set reverse-route ?
>   distance  Distance metric for this static route
>   tag       Create route and tag it
>
> router2(config-crypto-map)#reverse-route ?
>   remote-peer  Create route in route table for remote tunnel endpoint
>   static       Create routes based on static ACLs permanently
>
> My understanding
>
> For static site to site VPN, we should use "reverse-route". This will add a
> static route to remote site address in the interesting traffic acl.
> The "static" keyword will add the route permanently. Else the route will be
> removed when the tunnel is torn off.
>
> For EzVPN server, we should add "set reverse-route". For VTI based EzVPN
> server, it should be added under IPSec profile.
>
> For dynamic vpns configured using dynamic crypto maps (given below), should
> we use "reverse-route" or "set reverse-route"?
>
> crypto dynamic-map dynmap 1
>  set transform-set tran
>  match address 123
>
> The IOS is inconsistent in its behavior and hence I am not able to confirm
> the behaviour.
>
> With regards
> Kings
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
