Method used to configure IPSec reverse route injection on USG firewalls
1. Method used to configure IPSec reverse route injection
In the IPSec policy template view, run the reverse-route enable [ nexthop nexthop-address | preference preference ] command. The optional nexthop parameter overrides the next hop of the injected routes (by default the address of the peer's tunnel endpoint), and the optional preference parameter sets the route preference of the injected routes.
2. Note:
When multiple tunnels are established between the HQ network and branch networks, reverse route injection can be enabled on the HQ gateway so that routes to the branch private networks are added to the HQ gateway automatically. Each injected route is equivalent to a static route on the HQ gateway destined for the branch private network, with the next hop set to the IP address of the branch gateway's tunnel interface. When IPSec is applied on a tunnel interface (IPSec tunnel interface mode), the injected route is equivalent to a static route whose outbound interface is that tunnel interface.
Each branch network reaches the HQ gateway over its IPSec tunnel, and traffic between a branch network and the HQ network is protected by IPSec. Static routes must therefore be configured on the branch gateways and on the HQ gateway to steer that traffic into the IPSec tunnels. When a large number of branches exist, a correspondingly large number of static route entries must be configured on the HQ gateway, and any change to the enterprise's intranet addressing requires a large adjustment of the HQ gateway's static routes. Reverse route injection injects a route for each branch's private network segment into the HQ gateway when the branch tunnel is established, so the routes are added automatically and no manual route configuration is needed. Because an injected route is derived from the private network segment negotiated with the branch, the HQ gateway should only accept the branch segments that are expected, and the preference parameter should be set when injected routes must not take precedence over routes the HQ gateway already has.
3. Configuration example:
<sysname> system-view //Enter the system view.
[sysname] ipsec policy-template abc 1 //Enter the IPSec policy template view.
[sysname-ipsec-policy-template-abc-1] reverse-route enable //Enable the reverse route injection function.
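A fuller HQ-side example, added here as an illustration and not taken from the page or from Huawei's own documentation: the template enables reverse route injection with an explicit route preference, is bound to an IPSec policy applied on the interface facing the branches, and the result is checked in the routing table once a branch tunnel is up. The names abc, hq and GigabitEthernet1/0/1 and the preference value 100 are assumptions; the binding and interface commands are standard VRP syntax shown for context, and their exact form should be checked against the USG version in use.

```text
<sysname> system-view //Enter the system view.
[sysname] ipsec policy-template abc 1 //Enter the IPSec policy template view (name and sequence number assumed).
[sysname-ipsec-policy-template-abc-1] reverse-route enable preference 100 //Inject branch routes with preference 100 (assumed); Huawei static routes default to 60, so an existing static route to the same segment still wins.
[sysname-ipsec-policy-template-abc-1] quit
[sysname] ipsec policy hq 10 isakmp template abc //Bind the template to an IPSec policy (policy name and sequence number assumed).
[sysname] interface GigabitEthernet1/0/1 //Interface facing the branch networks (assumed).
[sysname-GigabitEthernet1/0/1] ipsec policy hq //Apply the policy on the interface.
[sysname-GigabitEthernet1/0/1] quit
[sysname] display ip routing-table //After a branch tunnel is established, its private segment should appear with the branch tunnel endpoint as next hop; it disappears when the tunnel is torn down.
```

Use a preference value higher than that of the HQ gateway's own static routes if those must remain authoritative, or lower if the injected route is meant to replace them; the page's default form (reverse-route enable with no parameters) uses the default preference and the peer's tunnel endpoint as next hop.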