Why no implicit route for L2L IPSec tunnel traffic?

Answered Question
Jan 10th, 2010

In a hub-and-spoke IPSec environment, it's not hard to set up routing from spoke to hub.

But on the hub end of a tunnel, where lives the gateway of last resort for traffic from the spoke, it seems almost counter-intuitive that the crypto ACL and peer statements don't implicitly create a route for traffic from the hub into the tunnel to the far end (spoke).  It could always be overridden with a static if necessary.

There's probably a good reason for this, but I can't think of it.  Or am I the only person who thinks it odd...or perhaps a feature opportunity?

Correct Answer by Laurent Aubert about 7 years 6 days ago


This feature exists and is called reverse-route injection. The route is dynamically created (based on the crypto ACL) and is available only when the SA is up.
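Hub-side configuration showing the feature named above, as an added example (not from the original thread); it assumes a Cisco IOS hub, and the peer address, LAN prefixes, interface and ACL name are constructed placeholders:

```cisco
! --- Hub side (Cisco IOS, assumed platform; all addresses are constructed) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key for this spoke only; PSK value is a placeholder
crypto isakmp key <REPLACE-WITH-PSK> address 203.0.113.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: hub LAN 10.1.0.0/16 <-> spoke LAN 10.2.0.0/24
! RRI derives the injected prefix from the destination side of this ACL
ip access-list extended SPOKE1-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address SPOKE1-TRAFFIC
 ! reverse-route injection: installs a static route to 10.2.0.0/24 via the
 ! peer when the SA comes up and withdraws it when the SA is torn down
 reverse-route
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
!
! --- Verification (illustrative output, constructed) ---
! Only present while the SA to 203.0.113.2 is established:
! hub# show ip route static
! S        10.2.0.0/24 [1/0] via 203.0.113.2
```

Because the injected route disappears with the SA, a hub that also carries a non-tunnel path to the spoke prefix needs that fallback route's administrative distance checked, or the `reverse-route static` form (which keeps the route regardless of SA state), so that a tunnel flap neither blackholes nor silently re-routes spoke traffic in the clear.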
