R3303-HP HSR6800 Routers Security Command Reference

303
Table 45 Possible IPsec RRI configurations and the generated routing information

Command: reverse-route static
  IPsec RRI mode: Static
  Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy.
  Next hop address:
    Manual IPsec policy: Peer tunnel address set with the tunnel remote command.
    IPsec policy that uses IKE: The remote tunnel endpoint, which is the address configured in the remote-address command in IKE view.

Command: reverse-route remote-peer ip-address static
  IPsec RRI mode: Static
  Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy.
  Next hop address: Address identified by the ip-address argument.

Command: reverse-route
  IPsec RRI mode: Dynamic
  Route destination: Protected peer private network.
  Next hop address: Remote tunnel endpoint.

Command: reverse-route remote-peer ip-address
  IPsec RRI mode: Dynamic
  Route destination: Protected peer private network.
  Next hop address: Address identified by the ip-address argument, typically the next hop address of the interface where the IPsec policy is applied.

Command: reverse-route remote-peer ip-address gateway
  IPsec RRI mode: Dynamic
  Route destination: Protected peer private network, and the remote tunnel endpoint.
  Next hop address:
    For the route destined for the protected peer private network, the next hop is the remote tunnel endpoint.
    For the route destined for the remote tunnel endpoint, the next hop address is the address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied).
Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or
negotiated by the policy.
To view static routes created by RRI, use the display ip routing-table command. For information about the
routing table, see Layer 3—IP Routing Configuration Guide.
If you configure an address range in IKE peer view, static IPsec RRI does not take effect.
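The following Python script is an added example, not part of HP's documentation or the device software. It models the routing information described in Table 45 so that an administrator can predict offline which routes RRI will inject for a given ACL and peer configuration, and then compare that prediction against the output of display ip routing-table. The ACL text is a constructed sample modelled on the ACL 3000 example in this section; the extra deny rule and the 10.8.0.0/16 rule are assumptions added to show that only permit rules contribute routes. The remote-peer address 1.1.1.254 is likewise a constructed value.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ACL (not from the device): one permit rule taken from the
# example in this section, one deny rule that must not produce a route, and a
# second permit rule with a /16 wildcard.
ACL_3000 = """
rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255
rule 5 deny ip source 2.0.0.0 0.0.0.255 destination 4.0.0.0 0.0.0.255
rule 10 permit ip source 2.0.0.0 0.0.0.255 destination 10.8.0.0 0.0.255.255
"""

# Matches 'rule N permit|deny PROTO [source A W] destination A W'.
# The 'any' keyword form is not handled by this simplified parser.
RULE_RE = re.compile(
    r"rule\s+\d+\s+(permit|deny)\s+\S+"
    r"(?:\s+source\s+\S+\s+\S+)?"
    r"\s+destination\s+(\S+)\s+(\S+)"
)


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR prefix as it would appear in the routing table
    next_hop: str
    rri_mode: str      # "Static" or "Dynamic", as in Table 45


def wildcard_to_network(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert a Comware 'address wildcard' pair to a CIDR network.
    Wildcard bits set to 1 are don't-care bits, so the subnet mask is the
    bitwise complement. A non-contiguous wildcard has no single-prefix
    equivalent, so it is rejected instead of being silently approximated."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefix_len = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    if mask != contiguous:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no single prefix")
    return ipaddress.ip_network(f"{address}/{prefix_len}", strict=False)


def static_rri_routes(acl_text: str, peer_tunnel_address: str,
                      remote_peer: Optional[str] = None) -> List[Route]:
    """Static RRI: one route per permit rule, destination taken from the rule's
    destination field. The next hop is the ip-address argument of
    'reverse-route remote-peer ip-address static' when given; otherwise it is
    the peer tunnel address (remote-address in IKE peer view, or the address
    set with tunnel remote for a manual policy)."""
    next_hop = remote_peer or peer_tunnel_address
    routes: List[Route] = []
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if not m or m.group(1) != "permit":
            continue  # deny rules and unparsable lines never create routes
        net = wildcard_to_network(m.group(2), m.group(3))
        routes.append(Route(str(net), next_hop, "Static"))
    return routes


def dynamic_rri_routes(protected_peer_network: str, remote_tunnel_endpoint: str,
                       remote_peer: Optional[str] = None,
                       gateway: bool = False) -> List[Route]:
    """Dynamic RRI, evaluated once an SA is established. With
    'remote-peer ip-address gateway' two routes appear: the protected network
    via the remote tunnel endpoint, and a host route to the remote tunnel
    endpoint via ip-address."""
    if remote_peer is None:
        return [Route(protected_peer_network, remote_tunnel_endpoint, "Dynamic")]
    if not gateway:
        return [Route(protected_peer_network, remote_peer, "Dynamic")]
    return [
        Route(protected_peer_network, remote_tunnel_endpoint, "Dynamic"),
        Route(f"{remote_tunnel_endpoint}/32", remote_peer, "Dynamic"),
    ]


if __name__ == "__main__":
    # Static RRI with remote-address 1.1.1.2 in IKE peer view, as in the example.
    for r in static_rri_routes(ACL_3000, "1.1.1.2"):
        print(r)
    # Dynamic RRI with the gateway keyword and a constructed next hop 1.1.1.254.
    for r in dynamic_rri_routes("3.0.0.0/24", "1.1.1.2",
                                remote_peer="1.1.1.254", gateway=True):
        print(r)
```

Running the script prints 3.0.0.0/24 and 10.8.0.0/16 via 1.1.1.2 for the static case, matching the single route the example below expects for rule 0; any difference between this prediction and display ip routing-table on the device (a missing route, or one with an unexpected next hop) points at an ACL rule that is not a permit rule, an address range configured in IKE peer view, or an SA that was deleted when the RRI setting changed.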
Examples
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network
3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop.
<Sysname> system-view
[Sysname] ike peer 1
[Sysname-ike-peer-1] remote-address 1.1.1.2
[Sysname-ike-peer-1] quit
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255
[Sysname-acl-adv-3000] quit
[Sysname] ipsec policy 1 1 isakmp