HP VPN Firewall Appliances VPN Command Reference

gateway: Creates two recursive routes: one to the remote tunnel endpoint and the other to the protected
remote private network. Use the gateway keyword in an IKE-enabled IPsec policy to define an explicit
default forwarding path for IPsec traffic.
Usage guidelines
IPsec RRI operates in static mode or dynamic mode:
Static IPsec RRI creates one static route for each destination address permitted by the ACL that the
IPsec policy references. Static IPsec RRI creates static routes immediately after you configure IPsec
RRI for an IPsec policy and apply the IPsec policy. When you disable RRI, or remove the ACL or the
peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created. The static
mode applies to scenarios where the topologies of branch networks seldom change.
Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. Dynamic IPsec RRI creates
static routes when the IPsec SAs are established, and deletes the static routes when the IPsec SAs are
deleted. The dynamic mode applies to scenarios where the topologies of branch networks change
frequently.
The destination and next hop address in a static route created by IPsec RRI depend on your settings.
See Table 21.
Table 21 Possible IPsec RRI configurations and the generated routing information

| Command | IPsec RRI mode | Route destination | Next hop address |
|---|---|---|---|
| reverse-route static | Static | Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy | Manual IPsec policy: peer tunnel address set with the tunnel remote command. IPsec policy that uses IKE: the remote tunnel endpoint, which is the address configured in the remote-address command in IKE view. |
| reverse-route remote-peer ip-address static | Static | Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy | Address identified by the ip-address argument. |
| reverse-route | Dynamic | Protected peer private network | Remote tunnel endpoint. |
| reverse-route remote-peer ip-address | Dynamic | Protected peer private network | Address identified by the ip-address argument, typically the next hop address of the interface where the IPsec policy is applied. |
| reverse-route remote-peer ip-address gateway | Dynamic | Protected peer private network; remote tunnel endpoint | For the route destined for the protected peer private network, the next hop is the remote tunnel endpoint. For the route destined for the remote tunnel endpoint, the next hop is the address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied). |
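The route-generation rules above, modelled as an added example (not HP code) so the static and dynamic lifecycles and the two-route gateway form can be checked side by side; the IpsecPolicy and IpsecSa classes, the mode names, the sample addresses and the /32 host-route form for the tunnel-endpoint route are assumptions of this model, not taken from the reference.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of Table 21. Modes map to the command forms:
#   "static"  -> reverse-route static / reverse-route remote-peer ip-address static
#   "dynamic" -> reverse-route / reverse-route remote-peer ip-address
#   "gateway" -> reverse-route remote-peer ip-address gateway

@dataclass
class IpsecSa:
    peer_private_network: str        # protected peer private network carried by the SA

@dataclass
class IpsecPolicy:
    mode: str                         # "static" | "dynamic" | "gateway"
    tunnel_endpoint: Optional[str]    # tunnel remote (manual) or remote-address in IKE view
    acl_permits: list = field(default_factory=list)   # destinations of ACL permit rules
    remote_peer: Optional[str] = None # ip-address argument of the remote-peer keyword
    applied: bool = True              # policy applied to an interface
    rri_enabled: bool = True          # reverse-route configured in the policy

def rri_routes(policy: IpsecPolicy, active_sas=()) -> set:
    """Return the set of (destination, next_hop) routes RRI would hold right now."""
    if not policy.rri_enabled or not policy.applied:
        return set()                  # disabling RRI deletes every injected route
    if policy.mode == "static":
        # Static mode: one route per ACL permit destination, present as soon as
        # the policy is applied; losing the ACL or the peer address deletes them.
        if not policy.acl_permits or policy.tunnel_endpoint is None:
            return set()
        next_hop = policy.remote_peer or policy.tunnel_endpoint
        return {(dst, next_hop) for dst in policy.acl_permits}
    if policy.mode == "gateway" and policy.remote_peer is None:
        raise ValueError("gateway form requires the remote-peer ip-address")
    routes = set()
    for sa in active_sas:             # dynamic modes: routes exist only while SAs do
        if policy.mode == "gateway":
            # two recursive routes: private network via tunnel endpoint,
            # tunnel endpoint via the explicit gateway address
            routes.add((sa.peer_private_network, policy.tunnel_endpoint))
            routes.add((policy.tunnel_endpoint + "/32", policy.remote_peer))
        else:
            routes.add((sa.peer_private_network,
                        policy.remote_peer or policy.tunnel_endpoint))
    return routes
```

Tearing down an SA and calling rri_routes again with the shorter SA list reproduces the dynamic-mode deletion behaviour described in the usage guidelines.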