Configuring reverse route injection on the firewall


Configuring IPSec reverse route injection (RRI) on the USG
1. Configuring IPSec reverse route injection
Run the reverse-route enable [ nexthop nexthop-address | preference preference ] command in the IPSec policy template view.
2. Note:
If the headquarters needs to establish tunnels with multiple branches, you can configure the RRI function on the headquarters gateway so that the routing information of the branches is added to the headquarters gateway automatically. The result is equivalent to configuring a static route to each branch with the next hop set to the IP address of the tunnel interface connected to that branch; in a tunnel link backup scenario, it is equivalent to specifying the tunnel interface as the outbound interface.
Static routes are required to direct traffic into the IPSec tunnels between the headquarters and the branches. RRI saves the effort of configuring and maintaining these static routes manually.
3. Configuration examples
system-view //Access the system view.
[sysname] ipsec policy-template abc 1 //Access the IPSec policy template view.
[sysname-ipsec-policy-template-abc-1] reverse-route enable //Enable the RRI function.

Other related questions:

Method used to configure reverse route injection on USG firewalls
Method used to configure IPSec reverse route injection on USG firewalls
1. Method used to configure IPSec reverse route injection
In the IPSec policy template view, run the reverse-route enable [ nexthop nexthop-address | preference preference ] command.
2. Note:
When multiple tunnels are established between the HQ network and branch networks, the reverse route injection function can be configured on the HQ gateway so that routing information of the branch networks is automatically added to the HQ gateway. This function is equivalent to a static route destined for the branch intranet, with the next hop set to the interface IP address of the branch tunnel. In IPSec tunneling mode, it is equivalent to specifying the tunnel interface as the outbound interface.
Each branch network accesses the HQ gateway over the IPSec tunnel, and communication between the branch network and the HQ network is protected by IPSec. Therefore, static routes must be configured on the branch gateways and the HQ gateway to lead the traffic into the IPSec tunnel. When there are many branch networks, a large number of static route entries must be configured on the HQ gateway, and if the enterprise's intranet plan changes, adjusting the static route configuration on the HQ gateway is a huge workload. The reverse route injection function injects the routing information of each branch's private network segments into the HQ gateway, so routes are added automatically without manual configuration.
3. Configuration example:
system-view //Enter the system view.
[sysname] ipsec policy-template abc 1 //Enter the IPSec policy template view.
[sysname-ipsec-policy-template-abc-1] reverse-route enable //Enable the reverse route injection function.

How to obtain branch private network routes when the AR is configured with IPSec and the headquarters has multiple egresses
When the headquarters connects to multiple branches, route selection must be considered: the headquarters needs the private network routes of the branches. Static routes can be configured, but their configuration becomes complex when there are many branches, because every time a branch is added, a static route must be added on the headquarters device, which is inconvenient to maintain.
On the headquarters device, you can run the route inject command to configure route injection, which can be static or dynamic.
- When static route injection is enabled, the route generated through the route injection function is added to the local device, and the route status does not change with the tunnel status.
- When dynamic route injection is enabled, the route generated through the route injection function is added to the local device when the IPSec tunnel is Up and deleted when the IPSec tunnel is Down.
Compared with static route injection, dynamic route injection associates the generated route with the IPSec tunnel status. When the IPSec tunnel is Down, the AR does not send traffic to the remote end through the IPSec tunnel, preventing traffic loss.

Set the preference of a route generated through dynamic route injection to 10:
<Huawei> system-view 
[Huawei] ipsec policy policy1 10 isakmp 
[Huawei-ipsec-policy-isakmp-policy1-10] route inject dynamic preference 10
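The difference between static and dynamic route injection is easiest to see when the hub also has a backup path to a branch. The following Python model is an added example, not Huawei VRP code or anything from this article: it assumes a simplified hub gateway (class HubGateway) whose tunnels carry a known list of branch private networks, generates one route per branch network with the configured preference, and selects the active route for a prefix by lowest preference, as VRP does. All addresses are constructed documentation ranges.

```python
"""Constructed model of IPSec route injection on a hub gateway.

"static" mode: the generated route is installed when the tunnel is defined and
never follows tunnel state. "dynamic" mode: the route exists only while the
tunnel is Up, so a backup route with a worse (numerically higher) preference
takes over when the tunnel goes Down. Teaching model, not vendor code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional

STATIC_DEFAULT_PREFERENCE = 60  # VRP default preference for static routes


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str      # peer tunnel address or backup next hop
    preference: int    # lower value wins
    origin: str        # "static" (manually configured) or "inject" (generated)


@dataclass
class Tunnel:
    peer: str                          # remote gateway address
    remote_subnets: List[IPv4Network]  # branch private networks behind the peer
    up: bool = False


class HubGateway:
    """Hypothetical hub with a route table and IPSec tunnels (assumption)."""

    def __init__(self, inject_mode: str,
                 inject_preference: int = STATIC_DEFAULT_PREFERENCE):
        if inject_mode not in ("static", "dynamic"):
            raise ValueError("inject_mode must be 'static' or 'dynamic'")
        self.inject_mode = inject_mode
        self.inject_preference = inject_preference
        self.tunnels: Dict[str, Tunnel] = {}
        self.routes: List[Route] = []

    def add_static_route(self, prefix: str, next_hop: str,
                         preference: int = STATIC_DEFAULT_PREFERENCE) -> None:
        self.routes.append(Route(ip_network(prefix), next_hop, preference, "static"))

    def configure_tunnel(self, peer: str, remote_subnets: List[str]) -> None:
        """Define a tunnel; static injection generates its routes right here."""
        tunnel = Tunnel(peer, [ip_network(s) for s in remote_subnets])
        self.tunnels[peer] = tunnel
        if self.inject_mode == "static":
            self._inject(tunnel)

    def set_tunnel_state(self, peer: str, up: bool) -> None:
        """Tunnel Up/Down event; only dynamic injection reacts to it."""
        tunnel = self.tunnels[peer]
        tunnel.up = up
        if self.inject_mode == "dynamic":
            if up:
                self._inject(tunnel)
            else:
                self._withdraw(tunnel)

    def _inject(self, tunnel: Tunnel) -> None:
        for subnet in tunnel.remote_subnets:
            route = Route(subnet, tunnel.peer, self.inject_preference, "inject")
            if route not in self.routes:
                self.routes.append(route)

    def _withdraw(self, tunnel: Tunnel) -> None:
        self.routes = [r for r in self.routes
                       if not (r.origin == "inject" and r.next_hop == tunnel.peer)]

    def best_route(self, prefix: str) -> Optional[Route]:
        """Active route for an exact prefix: lowest preference wins."""
        wanted = ip_network(prefix)
        candidates = [r for r in self.routes if r.prefix == wanted]
        return min(candidates, key=lambda r: r.preference) if candidates else None


def demo() -> Dict[str, tuple]:
    """Next hop chosen for the branch prefix while the tunnel is Up, then Down."""
    results = {}
    for mode in ("static", "dynamic"):
        hub = HubGateway(mode, inject_preference=10)  # like "route inject ... preference 10"
        # Constructed backup path (for example a leased line) with a worse preference.
        hub.add_static_route("10.1.0.0/24", "192.0.2.254", preference=100)
        hub.configure_tunnel("203.0.113.10", ["10.1.0.0/24"])
        hub.set_tunnel_state("203.0.113.10", up=True)
        while_up = hub.best_route("10.1.0.0/24").next_hop
        hub.set_tunnel_state("203.0.113.10", up=False)
        while_down = hub.best_route("10.1.0.0/24").next_hop
        results[mode] = (while_up, while_down)
    return results


if __name__ == "__main__":
    for mode, (up, down) in demo().items():
        print(f"{mode:8s} tunnel Up -> {up:14s} tunnel Down -> {down}")
```

With static injection the branch prefix keeps pointing at the Down tunnel and the traffic is lost; with dynamic injection the generated route is withdrawn and the backup next hop takes over, which is the behaviour the answer above describes.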


Default routes of firewalls
Default routes are special routes. Generally, administrators configure default static routes manually, but default routes can also be generated by dynamic routing protocols such as OSPF and IS-IS.
Put simply, a default route is used only when a packet to be forwarded does not match any other entry in the routing table. In the routing table, the default route is the route to network 0.0.0.0 with mask 0.0.0.0. You can run the display ip routing-table command to check whether a default route is configured.
If the destination address of a packet matches no entry in the routing table, the packet is sent through the default route. If no default route exists and the destination address matches no entry, the packet is discarded and an Internet Control Message Protocol (ICMP) message is sent to inform the originating host that the destination host or network is unreachable.
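The lookup described above is longest-prefix matching with 0.0.0.0/0 as the catch-all. The following Python function is an added example, not code from this article or from any Huawei product: it assumes a routing table represented as a list of (destination network, next hop) pairs, picks the most specific matching entry, and returns the drop/ICMP outcome when nothing matches. The table contents are constructed.

```python
"""Constructed longest-prefix-match lookup with and without a default route."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

DEFAULT_ROUTE = ip_network("0.0.0.0/0")   # 0.0.0.0 with mask 0.0.0.0

RouteTable = List[Tuple[IPv4Network, str]]  # (destination/mask, next hop)


def has_default_route(table: RouteTable) -> bool:
    """What an operator checks for in the output of display ip routing-table."""
    return any(net == DEFAULT_ROUTE for net, _ in table)


def lookup(table: RouteTable, dst: str) -> Optional[str]:
    """Return the next hop of the most specific entry containing dst, or None.

    0.0.0.0/0 contains every address but has prefix length 0, so it is chosen
    only when no longer prefix matches.
    """
    addr = ip_address(dst)
    matches = [(net, nh) for net, nh in table if addr in net]
    if not matches:
        return None
    _, next_hop = max(matches, key=lambda entry: entry[0].prefixlen)
    return next_hop


def forward(table: RouteTable, dst: str) -> Tuple[str, str]:
    """Forwarding decision: ("forward", next_hop) or ("drop", "icmp-unreachable")."""
    next_hop = lookup(table, dst)
    if next_hop is None:
        # No matching entry and no default route: discard and notify the source.
        return ("drop", "icmp-unreachable")
    return ("forward", next_hop)


# Constructed tables; addresses are documentation ranges.
TABLE_WITH_DEFAULT: RouteTable = [
    (ip_network("10.1.0.0/24"), "203.0.113.10"),   # branch A over its tunnel
    (ip_network("10.0.0.0/8"),  "203.0.113.20"),   # aggregate toward branch B
    (DEFAULT_ROUTE,             "198.51.100.1"),   # Internet egress
]
TABLE_NO_DEFAULT: RouteTable = TABLE_WITH_DEFAULT[:-1]


if __name__ == "__main__":
    for dst in ("10.1.0.7", "10.9.9.9", "192.0.2.1"):
        print(dst, forward(TABLE_WITH_DEFAULT, dst), forward(TABLE_NO_DEFAULT, dst))
```

One practical consequence for the RRI scenarios above: if a branch prefix is withdrawn (dynamic injection, tunnel Down) and a default route exists, traffic for that branch falls through to the default route instead of being dropped, so the routing table of the hub is worth reviewing whenever tunnel state changes.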

Forward and reverse working routes of 2 Mbit/s services
Forward and reverse routes are the service routes of non-protection links and multiplex sections (MSs). Forward and reverse working routes are the routes of channel rings.
