Why no implicit route for L2L IPSec tunnel traffic?

pnicolette
Level 1

In a hub-and-spoke IPSec environment, it's not hard to set up routing from spoke to hub.

But on the hub end of a tunnel, where lives the gateway of last resort for traffic from the spoke, it seems almost counter-intuitive that the crypto ACL and peer statements don't implicitly create a route for traffic from the hub into the tunnel to the far end (spoke). It could always be overridden with a static if necessary.

There's probably a good reason for this, but I can't think of it. Or am I the only person who thinks it odd... or perhaps a feature opportunity?

Accepted Solution

Laurent Aubert
Cisco Employee

Hi,

This feature exists and is called reverse-route injection. The route is dynamically created (based on the crypto ACL) and is available only when the SA is up.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html

HTH

Laurent.

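Reverse-route injection as it would look on the hub, as an added example that is not part of the original thread: the `reverse-route` keyword on the crypto map entry installs a static route for the remote side of the crypto ACL (the spoke LAN) pointing toward the peer while the IPsec SA is up, and removes it when the SA goes down. All names, addresses and the pre-shared key here are assumptions chosen for illustration.

```cisco
! Hub router, IOS crypto-map style IPsec (added example; names and addresses are assumed).
! Hub LAN: 10.1.0.0/24   Spoke LAN: 10.2.0.0/24   Spoke public address: 198.51.100.2
!
! Crypto ACL: defines interesting traffic. RRI takes the destination side of
! each permit entry (10.2.0.0/24) and injects it as a static route.
ip access-list extended SPOKE1-CRYPTO
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Placeholder key; replace with a real pre-shared key.
crypto isakmp key EXAMPLE-PSK address 198.51.100.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES
 match address SPOKE1-CRYPTO
 ! Inject 10.2.0.0/24 toward 198.51.100.2 while the SA is up.
 ! "reverse-route static" would instead install the route unconditionally,
 ! which matters if the hub must be able to initiate the tunnel.
 reverse-route
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map HUB-MAP
!
! Optional: the injected routes are static routes, so redistribute them
! into the IGP if the rest of the hub site needs to reach the spoke.
router ospf 1
 redistribute static subnets
```

After the spoke brings the tunnel up, `show ip route static` shows 10.2.0.0/24 via 198.51.100.2, and `show crypto ipsec sa` confirms the SA. The caveat for a hub-and-spoke design: with plain `reverse-route` the route exists only while the SA is up, so traffic originating at the hub cannot trigger tunnel establishment unless a route already exists (either `reverse-route static` or an ordinary static route toward the peer); when the spokes always initiate, as in the question above, plain `reverse-route` is sufficient.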