This task creates a dynamic crypto map to be used when building
IPSec tunnels to Easy VPN Remote clients. In this example, RRI is used to
ensure that returning data destined for a particular IPSec tunnel can find that
tunnel. RRI ensures that a static route is created on the Easy VPN Server for
each client internal IP address.
Complete the following steps to create the dynamic crypto map with RRI:
Step 1 Create a dynamic crypto map.
Step 2 Assign a transform set to the crypto map.
Step 3 Enable RRI.
Step 1 Create a Dynamic Crypto Map
Create a dynamic crypto map entry and enter the crypto map configuration mode using the crypto dynamic-map command.
A dynamic crypto map entry is essentially a crypto map entry without all of the parameters configured. It acts as a policy template where the missing parameters are later dynamically configured, as the result of an IPSec negotiation, to match the requirements of a remote peer. This practice allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto map entry specifically configured to meet all of the requirements of the remote peer.
Dynamic crypto maps are:
- Not used by the router to initiate new IPSec SAs with remote peers.
- Used when a remote peer tries to initiate an IPSec SA with the router.
- Used in evaluating traffic.
Step 2 Assign a Transform Set to the Crypto Map
Specify which transform sets are allowed for the crypto map entry using the set transform-set command. When using this command, be sure to list multiple transform sets in order of priority, with the highest priority listed first. Note that this is the only configuration statement required in dynamic crypto map entries.
Step 3 Enable RRI
Enable RRI using the reverse-route command. This command has no arguments or keywords.
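The three steps above, put together as one Cisco IOS configuration. This is an added example, not a listing from the original document. The names TS-STRONG, TS-FALLBACK and DYNMAP, the sequence number 10, and the algorithm choices in the two transform sets are hypothetical; the transform-set definitions are included only so that Step 2 has something to reference.

```cisco
! Added example. All names and the sequence number are hypothetical.
configure terminal
!
! Assumed prerequisite: transform sets that the dynamic map can offer.
! The algorithm choices below are illustrative only.
crypto ipsec transform-set TS-STRONG esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-FALLBACK esp-aes esp-sha-hmac
!
! Step 1: create the dynamic crypto map entry. This also enters
! crypto map configuration mode for that entry.
crypto dynamic-map DYNMAP 10
 !
 ! Step 2: list the allowed transform sets in priority order,
 ! highest priority (here the stronger set) first. This is the only
 ! statement a dynamic crypto map entry requires.
 set transform-set TS-STRONG TS-FALLBACK
 !
 ! Step 3: enable RRI so that a static route is created for each
 ! client internal IP address. The command takes no arguments.
 reverse-route
!
end
!
! Check the result: the entry should list both transform sets in the
! order configured. Once a client tunnel is up, a static route for
! that client's internal address should appear in the routing table.
show crypto dynamic-map
show ip route static
```

Because the dynamic entry only answers negotiations that remote peers initiate, the order in the set transform-set line decides which proposal the router prefers, so review that line whenever a transform set is added or retired.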