No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
(Optional) Configuring Route Injection

(Optional) Configuring Route Injection



Only SAs established in IKE negotiation mode support the route injection function. Manually configured SAs do not support the route injection function.

The device does not support route injection function when the IPSec policy group is bound to a Layer 2 interface.

When an enterprise headquarters and its branch establish an IPSec tunnel, a static route to the branch subnet needs to be configured on the headquarters gateway. If there are many branch subnets, a large number of static routes need to be configured on the headquarters gateway. When branch subnets change, the static route configuration needs to be modified on the headquarters gateway, causing a difficulty in network maintenance. Route injection injects routes to branch subnets to the headquarters gateway based on IPSec tunnel information, which reduces manual configuration and improves configuration correctness. If a static route from the branch to the headquarters gateway does not need to be configured manually, configure route injection.

The route injection function enables a device to generate a route based on the destination network segment in the flow information of the IPSec SA established on the device. The next hop of the route is the peer address in the IPSec SA by default.

In Figure 5-28, an IPSec tunnel is established between the branch gateway and headquarters gateway. The host a1 indicates the branch subnet and the host b1 indicates the headquarters subnet. An ACL rule is configured on the headquarters gateway and branch gateway to enable IPSec to protect data traffic from b1 to a1 and data traffic from a1 to b1 respectively. When the route injection function is disabled, the headquarters gateway needs to ensure that the route to the branch subnet is reachable. After the route injection function is enabled on the headquarters gateway, the gateway automatically generates a routing entry with the destination IP address being the destination network segment in the flow information of the IPSec SA established by the local end and the next hop being the IPSec tunnel local IP address of the branch gateway.

Figure 5-28  Route injection

Route injection works in two modes:

  • Static mode: The generated route is added to the local device immediately, and is independent of IPSec tunnel status change.
  • Dynamic mode: If the IPSec tunnel is Up, the generated route can be added to the local device. If the IPSec tunnel is Down, the generated route can be deleted from the local device.

    Compared with static route injection, dynamic route injection is relevant to the IPSec tunnel status. Dynamic route injection prevents IPSec peers from sending IPSec packets over the IPSec tunnel in Down state, reducing packet loss.

You can configure a priority for the route generated through route injection. For example, when there is another route to the same destination as the route, specify the same priority for the routes so that traffic can be load balanced. If different priorities are specified for the routes, the routes can back up each other.


  1. Run system-view

    The system view is displayed.

  2. An IPSec policy in IKE negotiation mode or an IPSec policy template is configured.

    • Run ipsec policy policy-name seq-number isakmp

      An IPSec policy is created in IKE negotiation mode and the IPSec policy view is displayed.

    • Run ipsec policy-template template-name seq-number

      An IPSec policy template is created and the IPSec policy template view is displayed.

  3. Run route inject [ nexthop ipv4-address ] { static | dynamic } [ preference preference ]

    Route injection is enabled.

    By default, route injection is disabled.


    static is only available in the ISAKMP IPSec policy view.

    After the next hop is specified using the route inject nexthop command, the generated route is not used for IPSec packet forwarding if the IPSec tunnel remote address is not within the destination network segment of the injected route.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 152900

Downloads: 369

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next