How to obtain the private network routes of branches when the AR is configured with IPSec and the headquarters has multiple egresses


When the headquarters connects to multiple branches, route selection must be considered: the headquarters device needs routes to the private networks of the branches. Static routes can be configured, but the configuration becomes complex when there are many branches. Each time a branch is added, a static route must be added on the headquarters device, which is inconvenient to maintain.
On the headquarters device, run the route inject command to configure route injection, which can be static or dynamic.
-  When static route injection is enabled, the route generated by route injection is added to the local device, and its status does not change when the tunnel status changes.
-  When dynamic route injection is enabled, the route generated by route injection is added to the local device only while the IPSec tunnel is Up, and is deleted when the IPSec tunnel goes Down.
Compared with static route injection, dynamic route injection ties the generated route to the IPSec tunnel status. When the IPSec tunnel is Down, the AR does not send traffic to the remote end through the IPSec tunnel, which prevents traffic loss.

Set the preference of a route generated through dynamic route injection to 10.
<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp
[Huawei-ipsec-policy-isakmp-policy1-10] route inject dynamic preference 10
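Added example, not taken from the original page: a fuller headquarters-side configuration in which dynamic route injection is set on an IPSec policy template, so that each branch that brings up a tunnel gets its private network route installed automatically and withdrawn when the tunnel goes Down. The ACL number, proposal names, IKE peer name, template and policy names, addresses and pre-shared key are assumptions; the exact ike peer syntax depends on the AR software version, and with a policy template the injected route's destination is assumed to come from the flow the branch negotiates, with the branch tunnel endpoint as next hop.

```vrp
#
acl number 3001
 rule 5 permit ip source 10.0.0.0 0.255.255.255
#
ipsec proposal prop1
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-256
#
ike proposal 5
 encryption-algorithm aes-256
 authentication-algorithm sha2-256
 dh group14
#
ike peer branches
 pre-shared-key cipher Huawei@123
 ike-proposal 5
#
ipsec policy-template temp1 10
 security acl 3001
 ike-peer branches
 proposal prop1
 route inject dynamic preference 10
#
ipsec policy policy1 10 isakmp template temp1
#
interface GigabitEthernet0/0/1
 ip address 203.0.113.1 255.255.255.0
 ipsec policy policy1
#
```

After a branch tunnel comes up, check the branch subnet with display ip routing-table and the tunnel state with display ipsec sa; the preference of 10 is lower than the default static route preference of 60, so the injected route takes precedence over a manually configured static route to the same subnet.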


Other related questions:
Method used to configure IPSec between the headquarters and branches on the AR
Huawei AR routers support IPSec tunnels for interconnecting the headquarters and branches. For details about the configuration, see IPSec under "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples. The point-to-multipoint IPSec cases are as follows:
-  Example for Establishing Multiple IPSec Tunnels Between the Headquarters and Branches Using the IPSec Policy Template
-  Example for Configuring OSPF and GRE Over IPSec to Implement Communication Between the Branch and Headquarters
-  Example for Configuring GRE Over IPSec to Implement Communication Between the Branches and Headquarters and NAT to Implement Communication Between Branches (Running OSPF)
-  Example for Establishing IPSec over DSVPN Tunnels Between Hub and Spokes (Based on ACL)
-  Example for Establishing an IPSec Tunnel In Manual and IKE Negotiation Modes
-  Example for Configuring IPSec Reverse Route Injection

When multiple branches connect to the headquarters, L2TP services are unavailable because private routes are incorrectly configured
The next hop in the static route from the LNS to the branch is incorrect. As a result, packets fail to be forwarded. Two solutions are available:
1. Configure a static route for each branch on the LNS. You need to obtain the address of the virtual template interface of the branch and then configure a route. Because the address obtained by the virtual template interface may change, the maintenance workload is heavy.
2. Configure a dynamic routing protocol on the LNS and LAC to advertise the private network segments and virtual template interface addresses and to learn the private network route to the remote end. When adding a branch, you only need to perform configurations on the LAC. The configuration does not need to be changed when the IP address of the virtual template interface on the LAC changes, so the maintenance workload is greatly reduced.

Method used to establish an IPSec tunnel through NAT traversal
Huawei AR routers support an IPSec tunnel through NAT traversal. For details about the configuration, see "Example for Establishing an IPSec Tunnel that Traverses NAT Devices" of "Using VPN to Implement WAN Interconnection" in Typical Configuration Examples.

Method used to configure two egresses for backup on the AR
Huawei AR routers can establish IPSec tunnels with remote devices over two egress links in backup or load balancing mode. The configuration is the same across models and versions. For details about the configuration, see "Example for Establishing an IPSec Tunnel Between the Enterprise Headquarters and Branch Using a Multi-Link Shared IPSec Policy Group" of "IPSec Configuration" in the Configuration Guide - VPN.
