I am building some IPsec tunnels where the remote locations have dynamic IP addresses. It works fine, but I need to add more sites; right now I just have the one. When I add the reverse route statement, I start getting 50% packet loss based on ping responses ("!.!.!.!.!.!.!.!"). If I remove the RR it works fine ("!!!!!!!!!!"). Question is, what am I doing wrong, or do I really need the reverse route? Right now the ACL is for the one subnet for the current location, but I will be adding more sites. How would I adjust the ACL for more remote subnets if the remote sites are doing split tunneling and the ACLs must match?
! Phase 1 (ISAKMP). Sub-commands of policy 1 are not shown in the post.
crypto isakmp policy 1
! Wildcard pre-shared key: any peer that knows (PASSWORD) may negotiate.
crypto isakmp key (PASSWORD) address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 20 periodic
!
! Phase 2 (IPsec). esp-3des/esp-md5-hmac are legacy algorithms; AES and
! SHA-2 are preferred where the IOS image supports them.
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set NAMECRYPTset esp-3des esp-md5-hmac
!
! Dynamic map: spokes with unknown/changing addresses initiate to this hub.
! ACL 115 (referenced by "match address") is not shown in the post.
crypto dynamic-map NAMECRYPTmap 10
 set transform-set NAMECRYPTset
 match address 115
I removed the reverse route, and also removed "match address 115", as neither is needed in this scenario.
I think this will be what I am needing, but still curious as to why the RR appears to drop packets. I don't need it now because I will not be advertising those routes, but still wondering.
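Added example, not part of the original post and not copied from Cisco documentation: a hub with a dynamic crypto map serving three spokes, with reverse-route injection kept, and the matching spoke-side configuration for one of those spokes. The names HUBSET, DYN, HUBMAP, SPOKESET, SPOKEMAP and VPN-TRAFFIC, the key SHAREDKEY, and the addresses (203.0.113.0/24 from the documentation range, 10.0.0.0/24 for the hub LAN, 192.168.1-3.0/24 for the spoke LANs) are assumed placeholders. AES-256, SHA-256 and DH group 14 assume an IOS 15 image; older images need esp-sha-hmac / hash sha instead.

```cisco
! ===== HUB (public 203.0.113.1, LAN 10.0.0.0/24) =====
! Phase 1.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard PSK: every spoke shares it and any peer that knows it can
! negotiate, so rotate it if a spoke router is lost or decommissioned.
crypto isakmp key SHAREDKEY address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 20 periodic
!
crypto ipsec transform-set HUBSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: one line per remote site, hub LAN as source, spoke LAN as
! destination. Each spoke's ACL mirrors only the line for that spoke.
ip access-list extended VPN-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Dynamic map: spokes with changing addresses initiate to the hub.
! "match address" restricts the proxy IDs the hub will accept to the ACL
! above; without it the hub accepts whatever the spoke proposes.
! "reverse-route" installs a static route for the spoke LAN pointing at
! the spoke's current public address when its SA comes up and removes it
! when the SA goes down.
crypto dynamic-map DYN 10
 set transform-set HUBSET
 match address VPN-TRAFFIC
 reverse-route
!
! Bind the dynamic map at the highest sequence number so any static
! peers added later are tried first.
crypto map HUBMAP 65535 ipsec-isakmp dynamic DYN
!
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.1 255.255.255.0
 crypto map HUBMAP
!
ip route 0.0.0.0 0.0.0.0 203.0.113.254

! ===== SPOKE 1 (dynamic public address, LAN 192.168.1.0/24) =====
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key SHAREDKEY address 203.0.113.1
crypto isakmp keepalive 30 20 periodic
!
crypto ipsec transform-set SPOKESET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Exact mirror of the hub line for this site. Listing only the hub LAN
! is what gives split tunneling: everything else follows the default
! route in the clear.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map SPOKEMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set SPOKESET
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 description WAN, address assigned by DHCP
 ip address dhcp
 crypto map SPOKEMAP
```

Spokes 2 and 3 are identical apart from their LAN prefix in the ACL. Two caveats on reverse-route: because RRI installs a static route per negotiated remote prefix, no two spokes may use the same LAN prefix, and the hub must not already carry a static route for a spoke prefix. After a spoke connects, `show ip route static` on the hub should show exactly one route per spoke LAN and `show crypto ipsec sa` should show the proxy identities matching the ACL lines above. Without reverse-route the hub still needs a route back to each spoke LAN that leaves through the crypto-map interface; the default route serves that purpose here.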