route inject

Function

The route inject command configures route injection.

The undo route inject command cancels the configuration.

By default, route injection is not configured.

Format

route inject nexthop { ipv4-address | ipv6-address | auto }

route inject { static | dynamic } [ preference preference ]

undo route inject [ nexthop ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| nexthop ipv4-address | Specifies the next-hop IPv4 address to the remote end. | The value is in dotted decimal notation. |
| nexthop ipv6-address | Specifies the next-hop IPv6 address to the remote end. | The value is in colon hexadecimal notation. |
| auto | Specifies the next hop of the optimal route as the next-hop IP address to the remote end when the device searches its IP routing table for routes of packets based on packets' destination addresses. | - |
| static | Enables static route injection. The parameter is only available in the ISAKMP IPSec policy view. | - |
| dynamic | Enables dynamic route injection. | - |
| preference preference | Specifies the priority of a static route generated through route injection. | The value is an integer that ranges from 1 to 255. The default value is 70. |

Views

ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an enterprise headquarters and its branch establish an IPSec tunnel, a static route to the branch subnet needs to be configured on the headquarters gateway. If there are many branch subnets, a large number of static routes need to be configured on the headquarters gateway. When branch subnets change, the static route configuration must also be modified on the headquarters gateway, which makes network maintenance difficult. Route injection uses IPSec tunnel information to inject routes to branch subnets into the headquarters gateway, which reduces manual configuration and improves configuration correctness. Route injection can also use IPSec tunnel information to inject routes to headquarters subnets into the branch gateway, associating IPSec tunnel subnet information with routes.

Route injection works in two modes:

  • Static mode: The generated static route is added to the local device immediately, and is independent of IPSec tunnel status change.
  • Dynamic mode: If the IPSec tunnel is Up, the generated static route can be added to the local device. If the IPSec tunnel is Down, the generated static route can be deleted from the local device.

    Unlike static route injection, dynamic route injection depends on the IPSec tunnel status. Dynamic route injection prevents IPSec peers from sending IPSec packets over an IPSec tunnel that is in the Down state, reducing packet loss.

You can configure a priority for the static route generated through route injection. For example, when there is another route to the same destination as the static route, specify the same priority for the routes so that traffic can be load balanced. If different priorities are specified for the routes, the routes can back up each other.

In some scenarios, you need to run the route inject nexthop command after running the route inject { static | dynamic } command. For example:
  • In a hot standby scenario, the active and standby devices have different next-hop IP addresses if route injection is used. In this case, you need to run the route inject nexthop { ipv4-address | ipv6-address } command to specify the next-hop IP address to the remote end.
  • If the destination address of an IPSec-protected data flow is the same as the IPSec tunnel remote address, for example, the IPSec-protected data flow from the NMS to the device, you need to run the route inject nexthop { ipv4-address | ipv6-address } command to specify the next-hop address to the remote end. However, the route inject nexthop { ipv4-address | ipv6-address } command can specify only one next-hop IP address. If an IPSec interface has multiple next hops, you need to manually modify the configuration whenever the next hop changes, so this mode cannot adapt to network changes. In this case, you need to run the route inject nexthop auto command to configure the device to search its IP routing table for routes of packets based on packets' destination addresses and specify the next hop of the optimal route as the next-hop IP address to the remote end.

    The route inject nexthop auto command applies only to this scenario.

Precautions

Only IPSec SAs established in IKE negotiation mode support the route injection function. Manually configured IPSec SAs do not support the route injection function.

The device does not support the route injection function when a Layer 2 interface is added to an IPSec policy group.

The route inject nexthop auto command is applicable only in the scenario where the destination address of IPSec-protected data flows is the same as the negotiated remote address of the IPSec tunnel and the IPSec interface has multiple next hops.

When the IP address version of the IPSec encrypted flow is consistent with that used in IKE negotiation and a next hop is specified using the route inject nexthop command, the generated route is not used for IPSec packet forwarding if the IPSec tunnel remote address is not within the destination network segment of the injected route.

If the IP address version of the IPSec encrypted flow is inconsistent with that used in IKE negotiation, a next-hop address must be specified when the route injection function is enabled, and this address version must be consistent with that of the encrypted flow.

When an IPv6 ACL is used to define IPSec-protected data flows and IPSec encryption needs to be performed on packets initiated by the local device, you need to run the route inject nexthop command to specify the IPv6 address of the next hop directly connected to the outbound interface.

Example

# Set the priority of a static route generated through route injection to 10 and set the next-hop IP address of the IKE peer to 10.1.1.1.

<sysname> system-view
[sysname] ipsec policy policy1 10 isakmp  
[sysname-ipsec-policy-isakmp-policy1-10] route inject static preference 10
[sysname-ipsec-policy-isakmp-policy1-10] route inject nexthop 10.1.1.1
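
The following Python check is an added example, not part of the vendor documentation. It audits a configuration draft against the rules stated on this page: static mode is limited to the ISAKMP IPSec policy view, preference must be 1 to 255, and the next hop must be an IPv4 address, an IPv6 address or auto. The sample text, its section layout and the `ipsec policy-template` header line are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample; the "ipsec policy-template" header is an assumed form for
# the IPSec policy template view, which the page names but does not show.
SAMPLE_CONFIG = """\
ipsec policy policy1 10 isakmp
 route inject static preference 10
 route inject nexthop 10.1.1.1
#
ipsec policy-template temp1 10
 route inject static
#
ipsec policy policy1 20 isakmp
 route inject dynamic preference 300
 route inject nexthop 10.1.1.300
"""

MODE_RE = re.compile(r"route inject (static|dynamic)(?: preference (\d+))?$")
NEXTHOP_RE = re.compile(r"route inject nexthop (\S+)$")

def valid_nexthop(value):
    """Accept 'auto' or a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return value == "auto"
    return True

def audit_route_inject(config):
    """Map each IPSec policy/template section to a list of findings."""
    findings, section = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw and not raw[0].isspace():      # top-level line starts a new section
            section = line if line.startswith("ipsec policy") else None
        elif section and (m := MODE_RE.match(line)):
            out = findings.setdefault(section, [])
            mode, pref = m.groups()
            if mode == "static":
                out.append("static: route stays installed while the tunnel is Down")
                if "isakmp" not in section.split():
                    out.append("static is only available in the ISAKMP IPSec policy view")
            if pref and not 1 <= int(pref) <= 255:
                out.append(f"preference {pref} is outside 1-255")
        elif section and (m := NEXTHOP_RE.match(line)) and not valid_nexthop(m.group(1)):
            findings.setdefault(section, []).append(f"invalid nexthop {m.group(1)}")
    return findings
```

Calling `audit_route_inject(SAMPLE_CONFIG)` returns one finding list per section; the static-mode note is informational and reflects that a statically injected route is independent of tunnel status.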
Copyright © Huawei Technologies Co., Ltd.