Why no implicit route for L2L IPSec tunnel traffic?

Answered Question
Jan 10th, 2010

In a hub-and-spoke IPSec environment, it's not hard to set up routing from spoke to hub.

But on the hub end of a tunnel, where lives the gateway of last resort for traffic from the spoke, it seems almost counter-intuitive that the crypto ACL and peer statements don't implicitly create a route for traffic from the hub into the tunnel to the far end (spoke).  It could always be overridden with a static if necessary.

There's probably a good reason for this, but I can't think of it.  Or am I the only person who thinks it odd...or perhaps a feature opportunity?

Correct Answer by Laurent Aubert about 7 years 6 days ago

Hi,

This feature exists and is called reverse-route injection. The route is dynamically created (based on the crypto ACL) and is available only when the SA is up.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html

HTH

Laurent.

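A hub-side IOS configuration for the feature Laurent describes, added here as an illustration and not taken from the original thread; the peer address, prefixes, key placeholder and names (SPOKE1, TS-AES, HUBMAP) are made up. The `reverse-route` keyword under the crypto map entry is what derives a route from the crypto ACL and installs it while the SA is up.

```cisco
! Hub router (constructed example, not from the thread). The spoke peer at
! 198.51.100.2 protects 10.2.0.0/24 behind it; the hub LAN is 10.1.0.0/24.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! Crypto ACL: source = hub LAN, destination = spoke LAN. RRI builds the
! injected route from the destination side, so keep it to the spoke's real
! prefixes; an overly broad destination here becomes an overly broad route.
ip access-list extended CRYPTO-SPOKE1
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map HUBMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 match address CRYPTO-SPOKE1
 ! Install a route for 10.2.0.0/24 toward the peer while the SA is up; the
 ! route is withdrawn when the SA drops, so traffic falls back to the default.
 reverse-route
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map HUBMAP
!
! Verification once the tunnel is established:
!   show crypto ipsec sa       - confirm an active SA for 10.1.0.0/24 <-> 10.2.0.0/24
!   show ip route static       - a static route for 10.2.0.0/24 should now be present,
!                                and should disappear again if the SA is cleared
```

Depending on the IOS release, `reverse-route static` keeps the injected route installed regardless of SA state, which matches the "override with a static" behaviour the question asks about; check the linked feature guide for the keywords your release supports.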
