Method used to configure reverse route injection on USG firewalls


Method used to configure IPSec reverse route injection on USG firewalls
1. Method used to configure IPSec reverse route injection
In the IPSec policy template view, run the reverse-route enable [ nexthop nexthop-address | preference preference ] command.
2. Note:
When multiple tunnels are established between the HQ network and branch networks, the reverse route injection function can be configured for the HQ gateway, so that routing information of the branch networks is automatically added to the HQ gateway. This function is equivalent to an intranet static route destined for the branch intranet, with the next hop address set to the interface IP address of the branch tunnel. In IPSec tunneling mode, this function is equivalent to specifying the outbound interface as the tunnel interface.
Each branch network accesses the HQ gateway over an IPSec tunnel, and traffic between the branch network and the HQ network is protected by IPSec. Therefore, static routes must be configured on the branch gateways and the HQ gateway to direct the traffic into the IPSec tunnel. When a large number of branch networks exist, a correspondingly large number of static route entries must be configured on the HQ gateway, and if the enterprise's intranet planning changes, adjusting the static route configuration on the HQ gateway is a huge workload. The reverse route injection function injects the routing information of each branch's private network segments into the HQ gateway, so the routes are added automatically and no manual configuration is needed.
3. Configuration example:
system-view //Enter the system view.
[sysname] ipsec policy-template abc 1 //Enter the IPSec policy template view.
[sysname-ipsec-policy-template-abc-1] reverse-route enable //Enable the reverse route injection function.
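As an added example (not Huawei's code or the USG implementation), the following Python model shows the behaviour described above: when a branch tunnel comes up, a route to the branch private subnet is injected with the branch tunnel peer as next hop (or the configured nexthop) and the configured preference, and the route is withdrawn when the tunnel goes down. The peer addresses, subnets and the default preference of 60 are assumed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not Huawei code: a model of what RRI does on the HQ gateway.
# A branch tunnel coming up injects a route to the branch private subnet whose
# next hop is the branch tunnel peer address (or the configured "nexthop"),
# with the configured "preference" (60 is assumed as the default here, the
# same as a static route); the tunnel going down withdraws exactly those routes.

@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network
    nexthop: ipaddress.IPv4Address
    preference: int

@dataclass
class HqGateway:
    rri_enabled: bool = True                # reverse-route enable
    nexthop_override: Optional[str] = None  # nexthop <address> option
    preference: int = 60                    # preference <value> option
    # Injected routes keyed by branch peer address, so withdrawal is exact.
    injected: Dict[ipaddress.IPv4Address, Tuple[Route, ...]] = field(default_factory=dict)

    def tunnel_up(self, peer: str, branch_subnets: Iterable[str]) -> Tuple[Route, ...]:
        """Called when the IPSec SA with a branch is established."""
        if not self.rri_enabled:
            return ()
        peer_ip = ipaddress.IPv4Address(peer)
        nexthop = ipaddress.IPv4Address(self.nexthop_override) if self.nexthop_override else peer_ip
        routes = tuple(Route(ipaddress.IPv4Network(s), nexthop, self.preference)
                       for s in branch_subnets)
        self.injected[peer_ip] = routes
        return routes

    def tunnel_down(self, peer: str) -> Tuple[Route, ...]:
        """Called when the SA is deleted: withdraw the routes that tunnel injected."""
        return self.injected.pop(ipaddress.IPv4Address(peer), ())

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match over the injected routes; None means no tunnel route."""
        ip = ipaddress.IPv4Address(dst)
        hits = [r for rs in self.injected.values() for r in rs if ip in r.dest]
        return max(hits, key=lambda r: r.dest.prefixlen) if hits else None

    def as_static_routes(self) -> List[str]:
        """The equivalent manual 'ip route-static' lines that RRI saves the operator from."""
        return sorted(f"ip route-static {r.dest.network_address} {r.dest.netmask} {r.nexthop}"
                      for rs in self.injected.values() for r in rs)
```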

Other related questions:
Configuring reverse route injection on the firewall
Configuring IPSec reverse route injection (RRI) on the USG
1. Configuring IPSec reverse route injection
Run the reverse-route enable [ nexthop nexthop-address | preference preference ] command in the IPSec policy template view.
2. Note:
If the headquarters needs to establish tunnels with multiple branches, you can configure the RRI function on the headquarters gateway to automatically add the routing information of the branches to the headquarters gateway. The function is similar to configuring a static route to each branch with the next hop being the IP address of the tunnel interface connected to the branch. In tunneling link backup, this configuration is equivalent to specifying the outgoing interface as the tunnel interface. Static routes are required to direct the traffic to the IPSec tunnels between the headquarters and branches. RRI saves the effort of manually configuring and maintaining static routes.
3. Configuration example
system-view //Access the system view.
[sysname] ipsec policy-template abc 1 //Access the IPSec policy template view.
[sysname-ipsec-policy-template-abc-1] reverse-route enable //Enable the RRI function.

Method used to configure the routing policy on USG firewalls
The method used to configure a routing policy on the USG2000, USG5000, and USG6000 is as follows:
1. Create a routing policy.
2. Configure the if-match clause.
3. Configure the apply clause.
4. Apply the policy to filter routes when they are received, advertised, or imported.

Method used to configure the static route on USG firewalls
The method used to configure a static route on USG firewalls is as follows. For example:
ip route-static 1.1.1.0 255.255.255.0 1.1.5.1 //ip route-static indicates a static route, 1.1.1.0 is the destination address, 255.255.255.0 is the mask, and 1.1.5.1 is the next-hop address.

Method used to configure the router-on-a-stick on USG firewalls

The router-on-a-stick addresses the problem of limited physical interface resources. By configuring multiple subinterfaces on one physical interface, each corresponding to a different VLAN, a single physical interface can enable those VLANs to communicate with each other. For example, you can configure the router-on-a-stick on the USG2000, USG5000, and USG6000 as follows:
[USG] interface GigabitEthernet1/0/3.1 //Configure subinterface 1.
[USG-GigabitEthernet1/0/3.1] vlan-type dot1q 10 //Terminate VLAN 10.
[USG-GigabitEthernet1/0/3.1] ip address 10.3.1.1 255.255.255.0 //Configure the IP address for the subinterface.
[USG-GigabitEthernet1/0/3.1] quit
[USG] interface GigabitEthernet1/0/3.2 //Configure subinterface 2.
[USG-GigabitEthernet1/0/3.2] vlan-type dot1q 20 //Terminate VLAN 20.
[USG-GigabitEthernet1/0/3.2] ip address 10.3.1.1 255.255.255.0 //Configure the IP address for the subinterface.


Method used to modify the cost value of the static route on USG firewalls
The cost value of the static route on the USG2000, USG5000, and USG6000 cannot be changed. By default, it is 0.
