Hi guys!
I have a dynamic to static vpn-tunnel between two routers. Like this, where
R1 is the statically defined headend:
R1:
ip access-list extended VPN
permit ip host 1.1.1.1 host 2.2.2.2
!
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto dynamic-map R2-DYN 10
set transform-set TSET
match address VPN
!
crypto map CMAP 10 ipsec-isakmp dynamic R2-DYN
!
int fa0/0
crypto map CMAP
R2:
ip access-list extended VPN
permit ip host 2.2.2.2 host 1.1.1.1
!
crypto isakmp key cisco address 172.16.1.1
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto map CMAP 10 ipsec-isakmp
set peer 172.16.1.1
set transform-set TSET
match address VPN
reverse-route static
!
int fa0/0
crypto map CMAP
On R2 the route to 1.1.1.1 shows up in the routing table (fa0/0 on the
routers are directly connected, no other routes whatsoever) because of the
reverse-route static in the crypto map. But without solving the routing on
R1 there is no way for the return traffic to get back:
R1(config)#
*Mar 1 00:39:22.095: IP: tableid=0, s=2.2.2.2 (FastEthernet0/0), d=1.1.1.1 (Loopback10), routed via RIB
*Mar 1 00:39:22.099: IP: s=2.2.2.2 (FastEthernet0/0), d=1.1.1.1, len 100, rcvd 4
*Mar 1 00:39:22.103: IP: s=1.1.1.1 (local), d=2.2.2.2, len 100, unroutable
Adding the "reverse-route" to the dynamic-map of R1 doesn't help:
R1(config)#crypto dynamic-map R2-DYN 10
R1(config-crypto-map)#reverse-route
R1(config-crypto-map)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
C 1.1.1.1 is directly connected, Loopback10
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, FastEthernet0/0
R1(config-crypto-map)#
Questions:
1) What options are there (except for creating a static route manually) for
solving the routing on R1? I tried doing a route-map but it doesn't seem to
help:
route-map VPN permit 10
match ip address VPN
set interface FastEthernet0/0
interface Loopback10
ip address 1.1.1.1 255.255.255.255
ip route-cache flow
ip policy route-map VPN
end
2) What is the difference between "reverse-route" and "set reverse-route" in
a crypto map?
This is not WB task-specific, I am just fiddling around in dynamips while
traveling by train. ;)
Br Jimmy
--
-------
Jimmy Larsson
Ryavagen 173
s-26030 Vallakra
Sweden
http://blogg.kvistofta.nu
-------
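The return-route gap described in the message above, as an added example that is not part of the original post or of any Cisco tool: a small Python checker that parses IOS-style configs modelled on the R1/R2 snippets and reports, for every remote network a crypto map or dynamic map protects, whether the RIB holds a route covering it. The interface address 172.16.1.2/24 on R2's fa0/0 is constructed (R1's 172.16.1.1/24 follows from the peer address and the routing table shown). Reverse-route injection is modelled as an assumption taken from the behaviour the post shows: `reverse-route static` contributes the remote side of the crypto ACL at once, plain `reverse-route` only once an SA is up. Only the handful of statements used here are parsed; this is not a general IOS parser.

```python
"""Added example (not part of the original message): lint IOS-style router
configs for the return-route gap the post describes.  Only the statements used
here are parsed; R2's fa0/0 address 172.16.1.2/24 is constructed."""
import ipaddress
from dataclasses import dataclass, field

R1_CONFIG = """
interface Loopback10
 ip address 1.1.1.1 255.255.255.255
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 crypto map CMAP
ip access-list extended VPN
 permit ip host 1.1.1.1 host 2.2.2.2
crypto dynamic-map R2-DYN 10
 set transform-set TSET
 match address VPN
crypto map CMAP 10 ipsec-isakmp dynamic R2-DYN
"""
# The headend after 'reverse-route' is added to the dynamic map, as in the post.
R1_CONFIG_RRI = R1_CONFIG.replace(" match address VPN\n", " match address VPN\n reverse-route\n")

R2_CONFIG = """
interface Loopback10
 ip address 2.2.2.2 255.255.255.255
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 crypto map CMAP
ip access-list extended VPN
 permit ip host 2.2.2.2 host 1.1.1.1
crypto map CMAP 10 ipsec-isakmp
 set peer 172.16.1.1
 set transform-set TSET
 match address VPN
 reverse-route static
"""

@dataclass
class Config:
    connected: list = field(default_factory=list)  # networks from 'ip address'
    static: list = field(default_factory=list)     # networks from 'ip route'
    acls: dict = field(default_factory=dict)       # name -> [(src_net, dst_net)]
    maps: dict = field(default_factory=dict)       # (kind, name, seq) -> {acl, rri}

def _acl_operand(tokens):
    """One source/destination operand of 'permit ip ...' -> (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # an IOS wildcard mask is the bitwise inverse of a netmask
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(tokens[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_config(text):
    cfg, section = Config(), None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if not raw.startswith(" "):  # unindented: top-level statement, opens a section
            section = None
            if t[0] == "interface":
                section = ("interface",)
            elif t[:3] == ["ip", "access-list", "extended"]:
                section = ("acl", cfg.acls.setdefault(t[3], []))
            elif t[:2] == ["crypto", "dynamic-map"] or (t[:2] == ["crypto", "map"] and len(t) > 3):
                section = ("map", cfg.maps.setdefault((t[1], t[2], int(t[3])), {"acl": None, "rri": None}))
            elif t[:2] == ["ip", "route"]:
                cfg.static.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif section is None:
            continue
        elif section[0] == "interface" and t[:2] == ["ip", "address"]:
            cfg.connected.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        elif section[0] == "acl" and t[:2] == ["permit", "ip"]:
            src, rest = _acl_operand(t[2:])
            section[1].append((src, _acl_operand(rest)[0]))
        elif section[0] == "map" and t[:2] == ["match", "address"]:
            section[1]["acl"] = t[2]
        elif section[0] == "map" and t[0] == "reverse-route":
            section[1]["rri"] = "static" if "static" in t[1:] else "dynamic"
    return cfg

def rri_routes(cfg, sa_up):
    """Routes reverse-route injection contributes.  Assumption, taken from the
    behaviour shown in the post: 'reverse-route static' injects the remote side
    of the crypto ACL at once, plain 'reverse-route' only once an SA is up."""
    return [dst for e in cfg.maps.values()
            if e["rri"] and e["acl"] in cfg.acls and (e["rri"] == "static" or sa_up)
            for _, dst in cfg.acls[e["acl"]]]

def check_return_routes(text, sa_up=False):
    """For every remote network a crypto map or dynamic map protects, say whether
    the RIB (connected + static + RRI) holds a route covering it."""
    cfg = parse_config(text)
    rib = cfg.connected + cfg.static + rri_routes(cfg, sa_up)
    return {str(dst): any(dst.subnet_of(net) for net in rib)
            for e in cfg.maps.values() for _, dst in cfg.acls.get(e["acl"], [])}
```

Running `check_return_routes(R1_CONFIG)` reproduces the "unroutable" situation on the headend (`{'2.2.2.2/32': False}`); `R1_CONFIG_RRI` stays `False` until `sa_up=True`, matching the empty routing table after `reverse-route` was added, while `R2_CONFIG` reports `True` straight away because of `reverse-route static`. Appending an `ip route 2.2.2.2 255.255.255.255 172.16.1.2` line to R1 also flips the result to `True`, which is the manual fix the question wants to avoid. The operand parser also accepts `any` and wildcard-mask network entries, so the same check works for subnet-to-subnet crypto ACLs, not just the host pair in the post.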
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com