Downloads |
Table Of Contents
Prerequisites for Reverse Route Injection
Restrictions for Reverse Route Injection
Information About Reverse Route Injection
Enhancements to Reverse Route Injection in Cisco IOS Release 12.4(15)T
Support for RRI on IPsec Profiles
Tag Option Configuration Changes
How to Configure Reverse Route Injection
Configuring RRI on Crypto Maps for Cisco IOS Releases Prior to 12.4(15)T
Configuring RRI Under a Static Crypto Map
Configuring RRI Under a Dynamic Map Template
Configuring RRI with Enhancements Added in Cisco IOS Release 12.4(15)T
Configuring RRI with Enhancements Under a Static Crypto Map
Configuring RRI with Enhancements Under a Dynamic Map Template
Configuring a RRI Distance Metric Under an IPsec Profile
Verifying Routes That Are Created Through IPsec via RRI or Easy VPN VTIs
Configuration Examples for Reverse Route Injection
Configuring RRI Prior to Cisco IOS Release 12.3(14)T: Examples
Configuring RRI When Crypto ACLs Exist: Example
Configuring RRI with Enhancements Added in Cisco IOS Release 12.3(14)T: Examples
Configuring RRI When Crypto ACLs Exist: Example
Configuring RRI with Route Tags: Example
Configuring RRI for One Route to the Remote Proxy via a User-Defined Next Hop: Example
Configuring RRI with Enhancements Added in Cisco IOS Release 12.4(15)T: Examples
Configuring a RRI Distance Metric Under a Crypto Map: Example
Configuring RRI with Route Tags: Example
debug and show Command Output for a RRI Distance Metric Configuration Under a Crypto Map: Example
Configuring a RRI Distance Metric for a VTI: Example
debug and show Command Output for a RRI Metric Configuration Having a VTI: Example
show crypto route Command Output: Example
Feature Information for Reverse Route Injection
Reverse Route Injection
First Published: August 16, 2001Last Updated: November 5, 2007Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.
Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.
Enhancements to the default behavior of RRI, the addition of a route tag value, and enhancements to how RRI is configured were added to the Reverse Route Injection feature in Cisco IOS Release 12.3(14)T.
An enhancement was added in Cisco IOS Release 12.4(15)T that allows a distance metric to be set for routes that are created by a VPN process so that the dynamically learned route on a router can take precedence over a locally configured static route.
Finding Feature Information in This Module
Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Reverse Route Injection" section.
Finding Support Information for Platforms and Cisco IOS Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Reverse Route Injection
•
•
•
•
•
Prerequisites for Reverse Route Injection
•
Restrictions for Reverse Route Injection
•
•
Information About Reverse Route Injection
To configure the Reverse Route Injection enhancements, you should understand the following concepts:
•
Reverse Route Injection
RRI is the ability for static routes to be automatically inserted into the routing process for those networks and hosts that are protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.
Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote VPN router as the next hop, the traffic is forced through the crypto process to be encrypted.
After the static route is created on the VPN router, this information is propagated to upstream devices, allowing them to determine the appropriate VPN router to which to send returning traffic in order to maintain IPsec state flows. Being able to determine the appropriate VPN router is particularly useful if multiple VPN routers are used at a site to provide load balancing or failover or if the remote VPN devices are not accessible via a default route. Routes are created in either the global routing table or the appropriate virtual route forwarding (VRF) table.
RRI is applied on a per-crypto map basis, whether this is via a static crypto map or a dynamic crypto map template. The default behavior for the two map types is as follows:
•
•
Enhancements to Reverse Route Injection in Cisco IOS Release 12.4(15)T
The following enhancements have been added to the Reverse Route Injection feature in Cisco IOS Release 12.4(15)T:
•
•
RRI Distance Metric
In general, a static route is created having an administrative distance of 1, which means that static routes always have precedence in the routing table. In some scenarios, however, it is required that dynamically learned routes take precedence over static routes, with the static route being used in the absence of a dynamically learned route. The addition of the set reverse-route distance command under either a crypto map or IPsec profile allows you to specify a different distance metric for VPN-created routes so that those routes will be in effect only if a dynamic or more favored route becomes unavailable.
Gateway Option
This RRI gateway option is relevant to the crypto map only.
This option allows you to configure unique next hops or gateways for remote tunnel endpoints. The option is identical to the way the reverse-route remote-peer {ip-address} command worked prior to Cisco IOS Release 12.3(14)T in that two routes are created for each VPN tunnel. The first route is to the destination-protected subnet via the remote tunnel endpoint. The second route specifies the next hop to be taken to reach this tunnel endpoint. This RRI gateway option allows specific default paths to be specified for specific groups of VPN connections on platforms that support recursive route lookups.
Note
Support for RRI on IPsec Profiles
Previously RRI was available for crypto map configurations only. Cisco IOS Release 12.4(15)T introduces support for relevant RRI options on IPsec profiles that are predominantly used for virtual tunnel interfaces. On tunnel interfaces, only the distance metric and tag options are useful with the generic RRI capability.
Note
Tag Option Configuration Changes
The tag option was introduced in 12.3(14)T for crypto maps. This option is now supported with IPsec profiles under the set reverse-route tag command syntax. The set reverse-route tag command is also available under the crypto map for uniformity although the legacy reverse-route tag command is no longer supported.
show crypto route Command
The show crypto route command displays routes that are created through IPsec via RRI or Easy VPN virtual tunnel interfaces (VTIs). The routes are displayed in one table. To see sample output for the show crypto route command, see the section "show crypto route Command Output: Example."
How to Configure Reverse Route Injection
The following sections show how to configure reverse route injection for Cisco IOS software before Release 12.4(15)T and for Release 12.4(15)T.
•
•
Configuring RRI on Crypto Maps for Cisco IOS Releases Prior to 12.4(15)T
This section includes the following tasks:
•
•
Configuring RRI Under a Static Crypto Map
To configure RRI under a static crypto map for Cisco IOS software prior to Release 12.4(15)T, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring RRI Under a Dynamic Map Template
To configure RRI under a dynamic map template for Cisco IOS software prior to Release 12.4(15)T, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring RRI with Enhancements Added in Cisco IOS Release 12.4(15)T
The following sections show how to configure RRI with the enhancements that were added in Cisco IOS Release 12.4(15)T:
•
•
•
•
Configuring RRI with Enhancements Under a Static Crypto Map
To configure RRI with enhancements under a static crypto map (for Cisco IOS Release 12.4(15)T and later releases), perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring RRI with Enhancements Under a Dynamic Map Template
To configure RRI with enhancements under a dynamic map template (for Cisco IOS Release 12.4(15)T and later releases), perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Configuring a RRI Distance Metric Under an IPsec Profile
To configure a RRI distance metric under an IPsec profile for Cisco IOS Release 12.4(15)T and later releases, perform the following steps:
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying Routes That Are Created Through IPsec via RRI or Easy VPN VTIs
To display routes that are created through IPsec via RRI or Easy VPN VTIs, perform the following steps.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Troubleshooting Tips
To observe the behavior of RRI and its relationship to the creation and deletion of an IPsec SA, you can use the debug crypto ipsec command (see the Cisco IOS Debug Command Reference, Release 12.4T).
Configuration Examples for Reverse Route Injection
This section contains the following sections:
•
•
•
Configuring RRI Prior to Cisco IOS Release 12.3(14)T: Examples
The following are examples of RRI configurations and output before Cisco IOS Release 12.3(14))T:
•
Configuring RRI When Crypto ACLs Exist: Example
The following example shows that all remote VPN gateways connect to the router via 192.168.0.3. RRI is added on the static crypto map, which creates routes on the basis of the source network and source netmask that are defined in the crypto access control list (ACL):
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255In Cisco IOS Release 12.3(14)T and later releases, for the static map to retain this same behavior of creating routes on the basis of crypto ACL content, the static keyword is required, that is, reverse-route static.
Note
Remote Tunnel Endpoint
ip route 10.1.1.1 255.255.255.255 192.168.1.1VPNSM
ip route 10.1.1.1 255.255.255.255 vlan0.1
Configuring RRI When Two Routes Are Created, One for the Remote Endpoint and One for Route Recursion: Example
In the following example, two routes are created, one for the remote endpoint and one for route recursion to the remote endpoint via the interface on which the crypto map is configured:
reverse-route remote-peerConfiguring RRI with Enhancements Added in Cisco IOS Release 12.3(14)T: Examples
The following are examples of configurations and output for RRI enhancements that were added in Cisco IOS Release 12.3(14)T.
•
•
•
Configuring RRI When Crypto ACLs Exist: Example
The following example shows that RRI has been configured for a situation in which there are existing ACLs:
crypto map mymap 1 ipsec-isakmpset peer 172.17.11.1reverse-route staticset transform-set esp-3des-shamatch address 101access-list 101 permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255Configuring RRI with Route Tags: Example
The following example shows how RRI-created routes can be tagged with a tag number and then used by a routing process to redistribute those tagged routes via a route map:
crypto dynamic-map ospf-clients 1reverse-route tag 5router ospf 109redistribute rip route-map rip-to-ospfroute-map rip-to-ospf permitmatch tag 5set metric 5set metric-type type1Router# show ip ospf topologyP 10.81.7.48/29, 1 successors, FD is 2588160, tag is 5via 192.168.82.25 (2588160/2585600), FastEthernet0/1Configuring RRI for One Route to the Remote Proxy via a User-Defined Next Hop: Example
Note
The preceding example shows that one route has been created to the remote proxy via a user-defined next hop. This next hop should not require a recursive route lookup unless it will recurse to a default route.
reverse-route remote-peer 10.4.4.4The preceding example yields the following prior to Cisco IOS Release 12.3(14)T:
10.0.0.0/24 via 10.1.1.1 (in the VRF table if VRFs are configured)10.1.1.1/32 via 10.4.4.4 (in the global route table)And this result occurs with RRI enhancements:
10.0.0.0/24 via 10.4.4.4 (in the VRF table if VRFs are configured, otherwise in the global table)Configuring RRI with Enhancements Added in Cisco IOS Release 12.4(15)T: Examples
The following are examples of configurations and output for RRI enhancements that were added in Cisco IOS Release 12.4(15)T.
•
•
•
•
•
•
Configuring a RRI Distance Metric Under a Crypto Map: Example
The following configuration shows a server and client configuration for which a RRI distance metric has been set under a crypto map:
Server
crypto dynamic-map mymapset security-association lifetime seconds 300set transform-set 3desshaset isakmp-profile profile1set reverse-route distance 20reverse-routeClient
crypto ipsec client ezvpn ezconnect autogroup cisco key ciscomode clientpeer 10.0.0.119username XXX password XXXxauth userid mode localConfiguring RRI with Route Tags: Example
The following example shows how RRI-created routes can be tagged with a tag number and then used by a routing process to redistribute those tagged routes via a route map:
crypto dynamic-map ospf-clients 1set reverse-route tag 5router ospf 109redistribute rip route-map rip-to-ospfroute-map rip-to-ospf permitmatch tag 5set metric 5set metric-type type1Router# show ip ospf topologyP 10.81.7.48/29, 1 successors, FD is 2588160, tag is 5via 192.168.82.25 (2588160/2585600), FastEthernet0/1
debug and show Command Output for a RRI Distance Metric Configuration Under a Crypto Map: Example
The following are debug and show command output for a RRI distance metric configuration under a crypto map on a server:
Router# debug crypto ipsec00:23:37: IPSEC(validate_proposal_request): proposal part #1,(key eng. msg.) INBOUND local= 10.0.0.119, remote= 10.0.0.14,local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),remote_proxy= 192.168.6.1/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),lifedur= 0s and 0kb,spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x000:23:37: IPSEC(key_engine): got a queue event with 1 KMI message(s)00:23:37: IPSEC(rte_mgr): VPN Route Event create routes for peer or rekeying for10.0.0.12800:23:37: IPSEC(rte_mgr): VPN Route Refcount 1 FastEthernet0/000:23:37: IPSEC(rte_mgr): VPN Route Added 192.168.6.1 255.255.255.255 via 10.0.0.14 in IP DEFAULT TABLE with tag 0 distance 2000:23:37: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 192.168.6.1, dest_port 0Router# show ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is 10.0.0.14 to network 0.0.0.0C 192.200.200.0/24 is directly connected, Loopback010.20.20.20/24 is subnetted, 1 subnetsC 10.30.30.30 is directly connected, Loopback4C 192.168.5.0/24 is directly connected, Loopback310.20.20.20/24 is subnetted, 2 subnetsS 10.3.1.0 [1/0] via 10.0.0.113C 10.20.20.20 is directly connected, FastEthernet0/0192.168.6.0/32 is subnetted, 1 subnetsS 192.168.6.1 [20/0] via 10.0.0.14C 192.168.3.0/24 is directly connected, Loopback210.15.0.0/24 is subnetted, 1 subnetsC 10.15.0.0 is directly connected, Loopback6S* 0.0.0.0/0 [1/0] via 10.0.0.14Configuring a RRI Distance Metric for a VTI: Example
The following configuration shows a server and client configuration in which a RRI distance metric has been set for a VTI:
Server Configuration
crypto isakmp profile profile1keyring mykeyringmatch identity group ciscoclient authentication list authenlistisakmp authorization list autholistclient configuration address respondvirtual-template 1crypto ipsec profile viset transform-set 3desshaset reverse-route distance 20set isakmp-profile profile1!interface Virtual-Template1 type tunnelip unnumberedtunnel mode ipsec ipv4tunnel protection ipsec profile viClient Configuration
crypto ipsec client ezvpn ezconnect autogroup cisco key ciscomode clientpeer 10.0.0.119username XXX password XXXvirtual-interface 1debug and show Command Output for a RRI Metric Configuration Having a VTI: Example
The following are debug and show command output for a RRI metric configuration for a VTI on a server:
Router# debug crypto ipsec00:47:56: IPSEC(key_engine): got a queue event with 1 KMI message(s)00:47:56: Crypto mapdb : proxy_matchsrc addr : 0.0.0.0dst addr : 192.168.6.1protocol : 0src port : 0dst port : 000:47:56: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.0.0.1400:47:56: IPSEC(rte_mgr): VPN Route Event create routes for peer or rekeying for10.0.0.1400:47:56: IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access200:47:56: IPSEC(rte_mgr): VPN Route Added 192.168.6.1 255.255.255.255 via Virtual-Access2 in IP DEFAULT TABLE with tag 0 distance 2000:47:56: IPSEC(policy_db_add_ident): src 0.0.0.0, dest 192.168.6.1, dest_port 000:47:56: IPSEC(create_sa): sa created,(sa) sa_dest= 10.0.0.110, sa_proto= 50,sa_spi= 0x19E1175C(434181980),sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8700:47:56: IPSEC(create_sa): sa created,(sa) sa_dest= 10.0.0.14, sa_proto= 50,sa_spi= 0xADC90C5(182227141),sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 8800:47:56: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up00:47:56: IPSEC(key_engine): got a queue event with 1 KMI message(s)00:47:56: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP00:47:56: IPSEC(key_engine_enable_outbound): enable SA with spi 182227141/5000:47:56: IPSEC(update_current_outbound_sa): updated peer 10.0.0.14 current outbound sa to SPI ADC90C5Router# show ip routeCodes: C - connected, S - static, R - RIP, M - mobile, B - BGPD - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter areaN1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2E1 - OSPF external type 1, E2 - OSPF external type 2i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2ia - IS-IS inter area, * - candidate default, U - per-user static routeo - ODR, P - periodic downloaded static routeGateway of last resort is 10.0.0.14 to network 0.0.0.0C 192.200.200.0/24 is directly connected, Loopback010.20.20.20/24 is subnetted, 1 subnetsC 10.30.30.30 is directly connected, Loopback4C 192.168.5.0/24 is directly connected, Loopback310.20.20.20/24 is subnetted, 2 subnetsS 10.3.1.0 [1/0] via 10.0.0.113C 10.20.20.20 is directly connected, FastEthernet0/0192.168.6.0/32 is subnetted, 1 subnetsS 192.168.6.1 [20/0] via 0.0.0.0, Virtual-Access2C 192.168.3.0/24 is directly connected, Loopback210.15.0.0/24 is subnetted, 1 subnetsC 10.15.0.0 is directly connected, Loopback6S* 0.0.0.0/0 [1/0] via 10.0.0.14show crypto route Command Output: Example
The following output example displays routes, in one table, that are created through IPsec via RRI or Easy VPN VTIs:
Router# show crypto routeVPN Routing Table: Shows RRI and VTI created routesCodes: RRI - Reverse-Route, VTI- Virtual Tunnel InterfaceS - Static Map ACLsRoutes created in table GLOBAL DEFAULT192.168.6.2/255.255.255.255 [0/0] via 10.0.0.133on Virtual-Access3 RRI10.1.1.0/255.255.255.0 [10/0] via Virtual-Access2 VTI192.168.6.1/255.255.255.255 [0/0] via Virtual-Access2 VTIAdditional References
The following sections provide references related to Reverse Route Injection enhancements.
Related Documents
Cisco IOS Security commands
Cisco IOS Security Command Reference, Release 12.4T
Other Cisco IOS commands
Cisco IOS Command Reference, Release 12.4T
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents only commands that are new or modified.
reverse-route
To create source proxy information for a crypto map entry, use the reverse-route command in crypto map configuration mode. To remove the source proxy information from a crypto map entry, use the no form of this command.
Effective with Cisco IOS Release 12.4(15)T
reverse-route [static | remote-peer ip-address [gateway ] [static]]
no reverse-route [static | remote-peer ip-address [gateway ] [static]]
Before Cisco IOS Release 12.4(15)T
reverse-route [static | tag tag-id [static] | remote-peer [static] | remote-peer ip-address [static]]
no reverse-route [static | tag tag-id [static] | remote-peer [static] | remote-peer ip-address [static]]
Syntax Description
Defaults
No default behavior or values.
Command Modes
Crypto map configuration (config-crypto-map)
Command History
Usage Guidelines
This command can be applied on a per-crypto map basis.
Reverse route injection (RRI) provides a scalable mechanism to dynamically learn and advertise the IP address and subnets that belong to a remote site that connects through an IP Security (IPSec) Virtual Private Network (VPN) tunnel.
When enabled in an IPSec crypto map, RRI will learn all the subnets from any network that is defined in the crypto ACL as the destination network. The learned routes are installed into the local routing table as static routes that point to the encrypted interface. When the IPSec tunnel is torn down, the associated static routes will be removed. These static routes may then be redistributed into other dynamic routing protocols so that they can be advertised to other parts of the network (usually done by redistributing RRI routes into dynamic routing protocols on the core side).
Examples
Before Cisco IOS Release 12.3(14)T
The following is an example in which RRI has been configured when crypto ACLs exist. The example shows that all remote VPN gateways connect to the router via 192.168.0.3. RRI is added on the static crypto map, which creates routes on the basis of the source network and source netmask that are defined in the crypto ACL.
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255
Note
The reverse-route command in this situation creates routes that are analogous to the following static route command-line interface (CLI) commands (ip route):
•
ip route 10.1.1.1 255.255.255.255 192.168.1.1•
ip route 10.1.1.1 255.255.255.255 vlan0.1In the following example, two routes are created, one for the remote endpoint and one for route recursion to the remote endpoint via the interface on which the crypto map is configured.
reverse-route remote-peerConfiguring RRI with the Enhancements Added in Cisco IOS Release 12.3(14)T
The following configuration example shows that RRI has been configured for a situation in which there are existing ACLs:
crypto map mymap 1 ipsec-isakmpset peer 172.17.11.1reverse-route staticset transform-set esp-3des-shamatch address 101access-list 101 permit ip 192.168.1.0 0.0.0.255 172.17.11.0 0.0.0.255The following example shows how RRI-created routes can be tagged with a tag number and then used by a routing process to redistribute those tagged routes via a route map:
crypto dynamic-map ospf-clients 1reverse-route tag 5router ospf 109redistribute rip route-map rip-to-ospfroute-map rip-to-ospf permitmatch tag 5set metric 5set metric-type type1Router# show ip ospf topologyP 10.81.7.48/29, 1 successors, FD is 2588160, tag is 5via 192.168.82.25 (2588160/2585600), FastEthernet0/1The following example shows that one route has been created to the remote proxy via a user-defined next hop. This next hop should not require a recursive route lookup unless it will recurse to a default route.
reverse-route remote-peer 10.4.4.4The previous example yields the following before Cisco IOS Release 12.3(14)T:
10.0.0.0/24 via 10.1.1.1 (in the VRF table if VRFs are configured)10.1.1.1/32 via 10.4.4.4 (in the global route table)And this result occurs with RRI enhancements:
10.0.0.0/24 via 10.4.4.4 (in the VRF table if VRFs are configured, otherwise in the global table)Effective with Cisco IOS Release 12.4(15)T
In the following example, routes are created from the destination information in the access control list (ACL). One route will list 10.2.2.2 as the next hop route to the ACL information, and one will indicate that to get to 10.2.2.2, the route will have to go by way of 10.1.1.1. All routes will have a metric of 10. Routes are created only at the time the map and specific ACL rule are created.
crypto map map1 1 ipsec-isakmpset peer 10.2.2.2reverse-route remote-peer 10.1.1.1 gatewayset reverse-route distance 10match address 101Configuring RRI with Route Tags 12.4(15)T or later: ExampleThe following example shows how RRI-created routes can be tagged with a tag number and then used by a routing process to redistribute those tagged routes via a route map:
crypto dynamic-map ospf-clients 1set reverse-route tag 5router ospf 109redistribute rip route-map rip-to-ospfroute-map rip-to-ospf permitmatch tag 5set metric 5set metric-type type1Router# show ip ospf topologyP 10.81.7.48/29, 1 successors, FD is 2588160, tag is 5via 192.168.82.25 (2588160/2585600), FastEthernet0/1Related Commands
set reverse-route
To define a distance metric for each static route or to tag a reverse route injection- (RRI-) created route, use the set reverse route command in crypto map or ipsec profile configuration mode. To delete the tag or distance metric, use the no form of the command.
set reverse-route [distance number | tag tag-id]
no set reverse-route [distance number | tag tag-id]
Syntax Description
Command Default
The distance metric is 1 and the tag is 0.
Command Modes
Crypto map configuration (config-crypto-map)
Ipsec profile configuration (config-crypto-profile)Command History
12.4(15)T
This command was introduced. The set reverse-route tag tag-id command, keyword, and argument replaced the reverse-route tag tag-id command, keyword, and argument.
This command can be applied on a per-crypto map basis or to a virtual tunnel interface (VTI) in a reverse route (RRI) configuration.
RRI provides a scalable mechanism to dynamically learn and advertise the IP address and subnets that belong to a remote site that connects through an IP Security (IPsec) Virtual Private Network (VPN) tunnel.
When enabled in an IPsec crypto map, RRI will learn all the subnets from any network that is defined in the crypto ACL as the destination network. The learned routes are installed into the local routing table as static routes that point to the encrypted interface. When the IPsec tunnel is torn down, the associated static routes will be removed. These static routes may then be redistributed into other dynamic routing protocols so that they can be advertised to other parts of the network (usually by redistributing RRI routes into dynamic routing protocols on the core side).
The set reverse-route command provides a way to configure a server so that a dynamically learned route can take precedence over static routes. The static routes are used only in the absence of the dynamically learned route.
Examples
The following example shows that the metric distance for each dynamically route is set to 20 in a crypto map situation. The configuration is on an Easy VPN server.
crypto dynamic-map mode 1set security-association lifetime seconds 300set transform-set 3desshaset isakmp-profile profile2set reverse-route distance 20reverse-routeThe following example shows that the metric distance for each dynamic route is set to 20 for a virtual tunnel interface (VTI). The configuration is on an Easy VPN server.
crypto isakmp profile profile1keyring mykeyringmatch identity group examplegroupclient authentication list authenlistisakmp authorization list autholistclient configuration address respondvirtual-template 1crypto ipsec profile viset transform-set 3desshaset reverse-route distance 20set isakmp-profile profile1!interface Virtual-Template1 type tunnelip unnumberedtunnel mode ipsec ipv4tunnel protection ipsec profile vi
Related Commands
debug crypto ipsec
Displays IPsec events.
reverse-route
Creates source proxy information for a crypto map entry.
show crypto route
To display routes that are created through IPsec via Reverse Route Injection (RRI) or Easy VPN virtual tunnel interfaces (VTIs) in one table, use the show crypto route command in privileged EXEC mode.
show crypto route
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example displays routes that were created through IPSec using RRI and VTIs:
Router# show crypto routeVPN Routing Table: Shows RRI and VTI created routesCodes: RRI - Reverse-Route, VTI- Virtual Tunnel InterfaceS - Static Map ACLsRoutes created in table GLOBAL DEFAULT192.168.6.2/255.255.255.255 [0/0] via 10.0.0.133on Virtual-Access3 RRI10.1.1.0/255.255.255.0 [10/0] via Virtual-Access2 VTI192.168.6.1/255.255.255.255 [0/0] via Virtual-Access2 VTIThe fields in the above display are self-explanatory.
Related Commands
reverse-route
Creates source proxy information for a crypto map entry.
set reverse-route
Defines a distance metric for each static route or tags a RRI-created route.
Feature Information for Reverse Route Injection
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Reverse Route Injection
Reverse Route Injection
12.1(9)E
12.2(8)T
12.2(8)YE
Reverse route injection (RRI) is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.
Each route is created on the basis of the remote proxy network and mask, with the next hop to this network being the remote tunnel endpoint. By using the remote Virtual Private Network (VPN) router as the next hop, the traffic is forced through the crypto process to be encrypted.
The following sections provide information about this feature:
•
The following commands were introduced or modified by this feature: reverse-route.
Reverse Route Remote Peer Options
12.2(13)T
12.2(14)S
An enhancement was added to RRI to allow you to specify an interface or address as the explicit next hop to the remote VPN device. This functionality allows the overriding of a default route to properly direct outgoing encrypted packets.
The following sections provide information about the remote peer options:
•
Reverse Route Injection Enhancements
12.3(14)T
12.2(33)SRA
12.2(33)SXHThe following enhancements were added to the Reverse Route Injection feature:
•
•
•
•
The following sections provide information about the Reverse Route Injection enhancements:
•
•
•
•
•
•
The following command was modified by these feature enhancements: reverse-route.
Gateway Option
12.4(15)T
This option allows you to configure unique next hops or gateways for remote tunnel endpoints.
The following section provides information about the Gateway Option:
RRI Distance Metric
12.4(15)T
This enhancement allows you to define a metric distance for each static route.
The following sections provide information about the RRI distance metric enhancement.
•
•
•
•
The following commands were introduced or modified by this feature: reverse-route, set reverse-route.
show crypto route Command
12.4(15)T
This command displays routes that are created through IPsec via RRI or Easy VPN VTIs.
The following section provides information about the show crypto route command:
Support for RRI on IPsec Profiles
12.4(15)T
This feature provides support for relevant RRI options on IPsec profiles that are predominantly used by VTIs.
The following section provides information about the Support for RRI on IPsec Profiles feature:
Tag Option Configuration Changes
12.4(15)T
The tag option is now supported with IPsec profiles under the set reverse-route tag command.
The following section provides information about this feature enhancement:
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2001-2007 Cisco Systems, Inc. All rights reserved.
