Configure the Easy VPN Server
Task 6 – create a dynamic crypto map with RRI

This task creates a dynamic crypto map to be used when building IPSec tunnels to Easy VPN Remote clients. In this example, RRI is used to ensure that returning data destined for a particular IPSec tunnel can find that tunnel. RRI ensures that a static route is created on the Easy VPN Server for each client internal IP address.

Complete the following steps to create the dynamic crypto map with RRI:

Step 1 Create a dynamic crypto map.
Step 2 Assign a transform set to the crypto map.
Step 3 Enable RRI.

Step 1 Create a Dynamic Crypto Map
Create a dynamic crypto map entry and enter the crypto map configuration mode using the crypto dynamic-map command.

A dynamic crypto map entry is essentially a crypto map entry without all of the parameters configured. It acts as a policy template where the missing parameters are later dynamically configured, as the result of an IPSec negotiation, to match the requirements of a remote peer. This practice allows remote peers to exchange IPSec traffic with the router even if the router does not have a crypto map entry specifically configured to meet all of the requirements of the remote peer.

Dynamic crypto maps are:

  • Not used by the router to initiate new IPSec SAs with remote peers.
  • Used when a remote peer tries to initiate an IPSec SA with the router.
  • Used in evaluating traffic.

Step 2 Assign a Transform Set to the Crypto Map
Specify which transform sets are allowed for the crypto map entry using the set transform-set command. When using this command, be sure to list multiple transform sets in order of priority, with the highest priority listed first. Note that this is the only configuration statement required in dynamic crypto map entries.

Step 3 Enable RRI
Enable RRI using the reverse-route command. This command has no arguments or keywords.
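
The three steps above can be checked against a saved configuration. The following is an added example, not part of the original course material: a short Python audit that reads IOS configuration text and reports dynamic crypto map entries that lack a transform set or RRI. The sample configuration is constructed, and the names DYNMAP, LEGACY, TS-AES and TS-3DES are assumptions for illustration.

```python
import re

# Constructed sample running-config excerpt. DYNMAP, LEGACY, TS-AES and TS-3DES
# are assumed names for illustration, not values from the page.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 1
 set transform-set TS-AES TS-3DES
 reverse-route
crypto dynamic-map LEGACY 10
 set transform-set TS-3DES
!
"""

ENTRY_RE = re.compile(r"^crypto dynamic-map (\S+) (\d+)\s*$")

def parse_dynamic_maps(config):
    """Return {(name, seq): {"transform_sets": [...], "rri": bool}}."""
    entries, current = {}, None
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # Step 1: a new dynamic crypto map entry starts here
            current = entries.setdefault((m.group(1), int(m.group(2))),
                                         {"transform_sets": [], "rri": False})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[:2] == ["set", "transform-set"]:
                current["transform_sets"] = words[2:]  # Step 2: priority order kept
            elif words[:1] == ["reverse-route"]:
                current["rri"] = True                  # Step 3: RRI enabled
        else:
            current = None  # any non-indented line ends the entry
    return entries

def audit(config):
    """List findings for entries missing a transform set or RRI."""
    findings = []
    for (name, seq), entry in sorted(parse_dynamic_maps(config).items()):
        if not entry["transform_sets"]:
            findings.append(f"{name} {seq}: no transform set assigned")
        if not entry["rri"]:
            findings.append(f"{name} {seq}: reverse-route (RRI) not enabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An entry without RRI still negotiates tunnels, because the transform set is the only required statement; the audit flags it because the server will not install the static route back to that client's internal address.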

