Ruijie Networks—VPN function—IPSEC extended configuration—reverse route injection configuration

Table of contents

Features

1. Networking requirements

2. Network topology

3. Configuration points

4. Configuration steps

5. Configuration verification


Features

       IPSEC reverse route injection (Reverse Route Injection, RRI) is generally used on the headquarters router of an IPSEC VPN deployment with branch offices. With this function, when IPSEC negotiation between a branch and the headquarters router succeeds, the headquarters router automatically injects the branch's network segment into its routing table, so that the headquarters can correctly forward data to the corresponding branch.

      How the IPSEC reverse route injection function works: when IPSEC negotiation between a branch and the headquarters succeeds, the headquarters router learns the branch's network segment by examining the interest flow of the ipsec sa that was successfully negotiated with that branch, and adds that segment to the routing table with the IP address of the branch as the next hop.

      For example, the IPSEC interest flow of branch 1 is: branch network segment 192.168.1.0/24 -> headquarters network segment 192.168.0.0/24. After negotiation with the headquarters succeeds, the interest flow for this branch as seen by the headquarters router is: headquarters network segment 192.168.0.0/24 -> branch 192.168.1.0/24. From the interest flow, the headquarters router learns that the branch's network segment that needs to communicate with the headquarters is 192.168.1.0/24. Through the reverse route injection function, the headquarters router then places 192.168.1.0/24 into its routing table with the IP address of branch 1 as the next hop.
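The derivation just described, as an added example written for this page (not Ruijie code): each successfully negotiated IPsec SA carries an interest flow, and RRI turns the branch side of that flow into a route whose next hop is the SA peer. The `distance`, `weight`, `tag` and `remote_peer` parameters model the `reverse-route` options discussed later on the page; the class and function names, the metric value, and the tag rendering are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class IpsecSa:
    """One successfully negotiated IPsec SA, seen from the headquarters router."""
    peer: IPv4Address        # branch tunnel endpoint (becomes the next hop)
    local_net: IPv4Network   # headquarters side of the interest flow
    remote_net: IPv4Network  # branch side of the interest flow (the prefix to inject)


@dataclass(frozen=True)
class Route:
    """A reverse-injected route, shown by `show ip route` as 'S prefix [distance/metric] via next_hop'."""
    prefix: IPv4Network
    next_hop: IPv4Address
    distance: int = 1             # same default administrative distance as a static route
    metric: int = 0               # assumption: the page's sample output shows [1/0]
    weight: Optional[int] = None  # the page does not state the default weight
    tag: Optional[int] = None


def reverse_route_inject(sas: List[IpsecSa], distance: int = 1,
                         weight: Optional[int] = None, tag: Optional[int] = None,
                         remote_peer: Optional[IPv4Address] = None) -> List[Route]:
    """Derive the routes RRI installs: remote_net of each SA, next hop = SA peer.

    remote_peer mirrors the CLI's `reverse-route remote-peer` option: when set,
    only SAs with that peer produce routes.
    """
    routes: List[Route] = []
    for sa in sas:
        if remote_peer is not None and sa.peer != remote_peer:
            continue
        routes.append(Route(prefix=sa.remote_net, next_hop=sa.peer,
                            distance=distance, weight=weight, tag=tag))
    return routes


def withdraw_on_sa_clear(routes: List[Route], cleared_peer: IPv4Address) -> List[Route]:
    """When the SA with a peer is cleared, every route injected for that peer is removed."""
    return [r for r in routes if r.next_hop != cleared_peer]


def format_route(route: Route) -> str:
    """Render in the style of the page's `show ip route` output."""
    line = f"S    {route.prefix} [{route.distance}/{route.metric}] via {route.next_hop}"
    if route.tag is not None:
        line += f", tag {route.tag}"  # hypothetical rendering; the page shows no tagged route
    return line


# Constructed sample: two branches have negotiated SAs with the headquarters.
SAMPLE_SAS = [
    IpsecSa(IPv4Address("10.0.0.2"), IPv4Network("192.168.0.0/24"), IPv4Network("192.168.1.0/24")),
    IpsecSa(IPv4Address("10.0.0.3"), IPv4Network("192.168.0.0/24"), IPv4Network("192.168.2.0/24")),
]

if __name__ == "__main__":
    table = reverse_route_inject(SAMPLE_SAS)
    for r in table:
        print(format_route(r))
    print("after clearing the SA of 10.0.0.2:")
    for r in withdraw_on_sa_clear(table, IPv4Address("10.0.0.2")):
        print(format_route(r))
```

Running the block prints one `S` line per branch and then the table with branch 1 withdrawn, which is exactly the before/after pair the verification section of the page captures.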

1. Networking requirements

Use the IPSEC reverse route injection function to dynamically inject branch routing information on the headquarters router to achieve normal communication between the headquarters and branches.

2. Network topology

3. Configuration points

1. Configure basic IPSEC functions

2. Configure the reverse route injection function on the headquarters router

3. Republish the reverse injected route to the dynamic routing protocol (optional, take OSPF as an example)

4. Configuration steps

1. Configure basic IPSEC functions

Select an appropriate IPSEC deployment solution according to the on-site environment and customer requirements. For detailed configuration, refer to the IPSEC "Basic Configuration" chapter (Typical Configuration ---> Security ---> IPSEC ---> Basic Configuration).

2. Configure the reverse route injection function on the headquarters router

crypto dynamic-map dymymap 5

    reverse-route     //Configure the reverse route injection function

Notice:

  • Routes injected through this function have a default administrative distance of 1 and a weight of XXX, the same as static routes. The administrative distance and metric of injected routes can be changed through the extended parameters, and injected routes can also be tagged.
  • The remote-peer parameter can be used to restrict reverse route injection to a specific peer.
  • Routes injected through this function can be linked with BFD or TRACK.

Ruijie(config-crypto-map)#reverse-route ?

  <1-255>      Distance

  bfd          Configure bfd

  remote-peer  Match address of packets to encrypt

  tag          Set tag for this route

  track        Install route depending on tracked item

  weight       Route weight

  <cr>

3. Republish the reverse injected route to the dynamic routing protocol (optional, take OSPF as an example)

router ospf 1

    redistribute static subnets

5. Configuration verification

1. After branch 1 successfully negotiates ipsec with the headquarters, a dynamically generated route pointing to the branch can be seen on the headquarters router:

Ruijie(config)#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

C    10.0.0.0/24 is directly connected, GigabitEthernet 0/0

C    10.0.0.1/32 is local host.

C    192.168.0.0/24 is directly connected, Loopback 0

C    192.168.0.1/32 is local host.

S 192.168.1.0/24 [1/0] via 10.0.0.2 //After the IPSEC VPN of branch 1 dials up successfully, the headquarters injects this reverse route. Note that if the next hop address of the static route is reachable only through the default route, the reverse route cannot be injected, because the default route cannot be used for recursion.

2. Clear the corresponding ipsec sa on branch 1. The corresponding routing entry on the headquarters router then disappears:

center#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

C    10.0.0.0/24 is directly connected, GigabitEthernet 0/0

C    10.0.0.1/32 is local host.

C    192.168.0.0/24 is directly connected, Loopback 0

C    192.168.0.1/32 is local host.
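A scripted version of the two verification steps above, added here as an example (not Ruijie tooling): it parses `show ip route` text in the format the page shows, reports whether the expected injected route for a branch is present, and applies the page's caveat that the route's next hop must be resolvable by something other than the default route. The sample tables are constructed to mirror the page's two captures plus a third, default-route-only case; the function names and the 198.51.100.2 / 203.0.113.x addresses are assumptions.

```python
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional

# One routing-table line in the format the page shows, e.g.
#   "S 192.168.1.0/24 [1/0] via 10.0.0.2"
#   "C    10.0.0.0/24 is directly connected, GigabitEthernet 0/0"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]{1,2}\d?)\s+"
    r"(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})"
    r"(?:\s+\[(?P<ad>\d+)/(?P<metric>\d+)\])?\s+"
    r"(?:via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
    r"|is directly connected,\s+(?P<intf>.+)"
    r"|is local host\.?)"
)


def parse_routes(text: str) -> List[Dict]:
    """Parse `show ip route` output; header lines and inline '//' notes are ignored."""
    routes = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        routes.append({
            "code": m["code"],
            "prefix": IPv4Network(m["prefix"]),
            "ad": int(m["ad"]) if m["ad"] else None,
            "next_hop": IPv4Address(m["nh"]) if m["nh"] else None,
            "intf": m["intf"],
        })
    return routes


def resolve_next_hop(routes: List[Dict], next_hop: IPv4Address) -> Optional[Dict]:
    """Longest-prefix match for next_hop, excluding the default route: the page notes
    that a default route cannot be used to recurse to an injected route's next hop."""
    candidates = [r for r in routes
                  if r["prefix"].prefixlen > 0 and next_hop in r["prefix"]]
    return max(candidates, key=lambda r: r["prefix"].prefixlen, default=None)


def check_rri(table_text: str, branch_net: str, branch_peer: str) -> Dict:
    """Report whether the injected route for one branch is present and whether its
    next hop is resolvable without the default route."""
    routes = parse_routes(table_text)
    net, peer = IPv4Network(branch_net), IPv4Address(branch_peer)
    injected = [r for r in routes
                if r["code"] == "S" and r["prefix"] == net and r["next_hop"] == peer]
    resolver = resolve_next_hop([r for r in routes if r["prefix"] != net], peer)
    return {
        "injected": bool(injected),
        "distance": injected[0]["ad"] if injected else None,
        "next_hop_resolved_by": str(resolver["prefix"]) if resolver else None,
    }


# Constructed samples mirroring the page's two captures (route present, then gone).
TABLE_AFTER_NEGOTIATION = """\
Gateway of last resort is no set
C    10.0.0.0/24 is directly connected, GigabitEthernet 0/0
C    10.0.0.1/32 is local host.
C    192.168.0.0/24 is directly connected, Loopback 0
C    192.168.0.1/32 is local host.
S 192.168.1.0/24 [1/0] via 10.0.0.2 //reverse-injected after branch 1 dialed up
"""
TABLE_AFTER_SA_CLEARED = """\
Gateway of last resort is no set
C    10.0.0.0/24 is directly connected, GigabitEthernet 0/0
C    10.0.0.1/32 is local host.
C    192.168.0.0/24 is directly connected, Loopback 0
C    192.168.0.1/32 is local host.
"""
# Constructed: peer 198.51.100.2 is reachable only via the default route, the
# situation in which the page says the reverse route cannot be injected.
TABLE_DEFAULT_ONLY = """\
Gateway of last resort is 203.0.113.1 to network 0.0.0.0
S*   0.0.0.0/0 [1/0] via 203.0.113.1
C    203.0.113.0/24 is directly connected, GigabitEthernet 0/1
C    192.168.0.0/24 is directly connected, Loopback 0
"""

if __name__ == "__main__":
    for name, table in [("after negotiation", TABLE_AFTER_NEGOTIATION),
                        ("after clearing the SA", TABLE_AFTER_SA_CLEARED)]:
        print(name, check_rri(table, "192.168.1.0/24", "10.0.0.2"))
    print("default-only", check_rri(TABLE_DEFAULT_ONLY, "192.168.1.0/24", "198.51.100.2"))
```

To use it against a real device, paste the `show ip route` output into `check_rri` with the branch segment and peer address from the SA; a result with `injected` false but `next_hop_resolved_by` None points at the default-route recursion caveat rather than at a failed negotiation.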


Origin blog.csdn.net/weixin_57099902/article/details/132765767