Testing reverse route injection of a LAN-to-LAN IPsec VPN on PIX 8.0

Source: Internet
Author: User

I. Overview:

Before this test, my understanding of LAN-to-LAN reverse route injection was that it injects the static route configured for the traffic of interest on one crypto endpoint into the other crypto endpoint. I tested it today and record the result here.

II. Test ideas and results:

A. Ideas:
① Configure a LAN-to-LAN IPsec VPN on PIX 8.0.
② Verify whether set reverse-route must be configured on both sides, or whether configuring it on one side is enough.
③ Verify what the reverse-injected route entry actually is, and whether it is related to the static route of the crypto endpoint.

B. Results:
① set reverse-route only needs to be configured on one side: the reverse-injected static route appears on whichever crypto endpoint has it configured. Of course, if both sides are configured, injected route entries appear on both sides.
② The injected route is for the destination network of the traffic of interest. It has no relationship to the static route of the crypto endpoint, and it does not depend on whether a VPN connection is established. This can be verified by changing the mask of the traffic of interest.

---- If the router builds the L2L VPN over a tunnel interface, where the traffic of interest does not need to be defined, there should be no need to configure reverse route injection.

III. Test topology:

[Topology figure 2.JPG: http://www.bkjia.com/uploads/allimg/131227/09443010C-0.jpg]

IV. Test procedure:

---- Refer to previous blog: http://333234.blog.51cto.com/323234/1253465

A. Basic configuration:
① FW1:
---- Interface configuration:

interface Ethernet0
nameif Inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.1.1 255.255.255.0
no shut
---- Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.1.10
---- Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
---- PAT configuration (NONAT exempts the VPN traffic from translation):
access-list PAT extended permit ip 192.168.0.0 255.255.0.0 any
access-list NONAT extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
② FW2:
---- Interface configuration:
interface Ethernet0
nameif Inside
security-level 100
ip address 172.16.1.1 255.255.255.0
no shut
interface Ethernet1
nameif Outside
security-level 0
ip address 202.100.2.1 255.255.255.0
no shut
---- Route configuration:
route Outside 0.0.0.0 0.0.0.0 202.100.2.10
---- Policy configuration:
access-list OUTSIDE extended permit icmp any any
access-group OUTSIDE in interface Outside
---- PAT configuration (NONAT exempts the VPN traffic from translation):
access-list PAT extended permit ip 172.16.0.0 255.255.0.0 any
access-list NONAT extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
global (Outside) 1 interface
nat (Inside) 0 access-list NONAT
nat (Inside) 1 access-list PAT
B. VPN configuration:
① FW1:
---- Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.2.1 type ipsec-l2l
tunnel-group 202.100.2.1 ipsec-attributes
pre-shared-key cisco
---- Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
---- Traffic of interest:
access-list VPN extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
---- Configure the crypto map, apply it to the interface and enable ISAKMP on the interface:
crypto map crymap 20 match address VPN
crypto map crymap 20 set peer 202.100.2.1
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
② FW2:
---- Phase 1 policy:

crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
tunnel-group 202.100.1.1 type ipsec-l2l
tunnel-group 202.100.1.1 ipsec-attributes
pre-shared-key cisco
---- Phase 2 transform set:
crypto ipsec transform-set transet esp-des esp-md5-hmac
---- Traffic of interest:
access-list VPN extended permit ip 172.16.0.0 255.255.0.0 192.168.0.0 255.255.0.0
---- Configure the crypto map, apply it to the interface and enable ISAKMP on the interface:
crypto map crymap 20 match address VPN
crypto map crymap 20 set peer 202.100.1.1
crypto map crymap 20 set transform-set transet
crypto map crymap interface Outside
crypto isakmp enable Outside
C. Test:
① Without triggering the VPN, check the routes on the firewall's outside interface. Only the default route is present.
---- Because no reverse route injection is configured yet.
FW1(config)# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
FW1(config)#
② Add the reverse route injection configuration, still without triggering the VPN. One more static route appears on the outside interface.
FW1(config)# crypto map crymap 20 set reverse-route
FW1(config)# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

S 172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
③ Modify the ACL for the traffic of interest, and the static route changes accordingly.
FW1(config)# access-list VPN extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
FW1(config)# show route outside

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 202.100.1.10 to network 0.0.0.0

S 172.16.0.0 255.255.0.0 [1/0] via 202.100.1.10, Outside
S 172.16.1.0 255.255.255.0 [1/0] via 202.100.1.10, Outside
C 202.100.1.0 255.255.255.0 is directly connected, Outside
S* 0.0.0.0 0.0.0.0 [1/0] via 202.100.1.10, Outside
---- The original traffic-of-interest entry was not deleted; a more specific ACE was added, and a correspondingly more specific static route was injected alongside the original one.
---- This shows that the reverse-injected route entries depend only on the destination networks of the traffic of interest, and are unrelated to whether the VPN has been triggered.
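To make the rule observed above concrete, here is an added worked example; it is not code from the original post and not Cisco's implementation. It is a small Python model that reads the relevant FW1 configuration lines from the post and computes which static routes reverse route injection would install. It assumes, as the post's output suggests, that each crypto map entry carrying set reverse-route injects one static route per destination network of its match address ACL, pointed at the next hop of the static route that reaches the entry's set peer address (here the default gateway 202.100.1.10), with no dependence on tunnel state; the configuration line lists are copied from the post, and the output format mimics the static lines of show route outside. It generalizes slightly beyond the single test: any number of ACEs and crypto map entries are handled, a configuration without set reverse-route (FW2 in the post) yields no injected routes, and a peer with no route toward it injects nothing.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added model of the PIX 8.0 behaviour seen in the post (not Cisco code). Assumption:
# a crypto map entry with "set reverse-route" injects one static route per destination
# network of its "match address" ACL, via the next hop of the static route that reaches
# its "set peer" address. Tunnel state is not an input: the post shows the routes appear
# before the VPN is ever triggered. Only "permit ip NET MASK NET MASK" ACEs are parsed.

ACE_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+\S+\s+\S+\s+"
                    r"(?P<dst>\S+)\s+(?P<dmask>\S+)$", re.I)
ROUTE_RE = re.compile(r"^route\s+(?P<intf>\S+)\s+(?P<net>\S+)\s+(?P<mask>\S+)\s+(?P<gw>\S+)(?:\s+\d+)?$", re.I)
MAP_ENTRY_RE = re.compile(r"^crypto\s+map\s+(?P<map>\S+)\s+(?P<seq>\d+)\s+"
                          r"(?P<cmd>match address|set peer|set reverse-route)(?:\s+(?P<arg>\S+))?$", re.I)

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address
    interface: str

def crypto_acl_destinations(config, acl_name):
    """Destination networks of the permit-ip ACEs of acl_name, in config order.
    PIX/ASA ACLs use real subnet masks (255.255.0.0), not IOS wildcard masks."""
    dests = []
    for line in config:
        m = ACE_RE.match(line.strip())
        if m and m.group("name").upper() == acl_name.upper():
            dests.append(ipaddress.IPv4Network(f"{m.group('dst')}/{m.group('dmask')}", strict=False))
    return dests

def static_routes(config):
    """Explicitly configured 'route <intf> <net> <mask> <gw>' entries."""
    routes = []
    for line in config:
        m = ROUTE_RE.match(line.strip())
        if m:
            net = ipaddress.IPv4Network(f"{m.group('net')}/{m.group('mask')}", strict=False)
            routes.append(Route(net, ipaddress.IPv4Address(m.group("gw")), m.group("intf")))
    return routes

def route_to(config, address):
    """Longest-prefix match of address against the configured static routes (None if no route)."""
    candidates = [r for r in static_routes(config) if address in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)

def rri_routes(config):
    """Static routes reverse route injection adds for this config; empty without set reverse-route."""
    entries = {}  # (map name, seq) -> {"acl": str, "peer": IPv4Address, "rri": bool}
    for line in config:
        m = MAP_ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = entries.setdefault((m.group("map"), m.group("seq")), {"acl": None, "peer": None, "rri": False})
        cmd = m.group("cmd").lower()
        if cmd == "match address":
            e["acl"] = m.group("arg")
        elif cmd == "set peer":
            e["peer"] = ipaddress.IPv4Address(m.group("arg"))
        else:
            e["rri"] = True
    injected = []
    for e in entries.values():
        via = route_to(config, e["peer"]) if e["rri"] and e["acl"] and e["peer"] else None
        if via is None:
            continue  # RRI off, entry incomplete, or no route toward the peer to inject through
        for dest in crypto_acl_destinations(config, e["acl"]):
            r = Route(dest, via.next_hop, via.interface)
            if r not in injected:
                injected.append(r)
    return injected

def format_route(r):
    """Render one static route the way the post's 'show route outside' prints it."""
    flag = "S*" if r.network.prefixlen == 0 else "S"
    return f"{flag} {r.network.network_address} {r.network.netmask} [1/0] via {r.next_hop}, {r.interface}"

def show_route_static(config):
    """Static part of 'show route': configured statics plus RRI routes, default route last."""
    routes = set(static_routes(config)) | set(rri_routes(config))
    return [format_route(r) for r in sorted(routes, key=lambda r: (r.network.prefixlen == 0, r.network))]

# FW1 configuration lines from the post, in the three states the test walked through.
FW1_NO_RRI = [
    "route Outside 0.0.0.0 0.0.0.0 202.100.1.10",
    "access-list VPN extended permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0",
    "crypto map crymap 20 match address VPN",
    "crypto map crymap 20 set peer 202.100.2.1",
    "crypto map crymap 20 set transform-set transet",
    "crypto map crymap interface Outside",
]
FW1_RRI = FW1_NO_RRI + ["crypto map crymap 20 set reverse-route"]
FW1_RRI_SPECIFIC = FW1_RRI + [
    "access-list VPN extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0",
]
```

Calling show_route_static(FW1_NO_RRI), show_route_static(FW1_RRI) and show_route_static(FW1_RRI_SPECIFIC) reproduces the three static-route listings of the test in order: only the default route, then the injected 172.16.0.0/16 route, then both the /16 and the more specific /24 with the original route still present. Feeding the model a crypto map without set reverse-route, or without any route toward the peer, yields no injected routes, which is the check a practitioner would run before relying on RRI to advertise the remote network.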

This article is from the "httpyuntianjxxll. spac..." blog, please be sure to keep this source http://333234.blog.51cto.com/323234/1298859
