F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Command Reference-6PW100
peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created. The static
mode applies to scenarios where the topologies of branch networks seldom change.
• Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. Dynamic IPsec RRI creates
static routes when the IPsec SAs are established, and deletes the static routes when the IPsec SAs are
deleted. The dynamic mode applies to scenarios where the topologies of branch networks change
frequently.
The destination and next hop address in a static route created by IPsec RRI depend on your settings.
See Table 21.
Table 21 Possible IPsec RRI configurations and the generated routing information

| Command | IPsec RRI mode | Route destination | Next hop address |
|---|---|---|---|
| reverse-route static | Static | Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy | • Manual IPsec policy: Peer tunnel address set with the tunnel remote command. • IPsec policy that uses IKE: The remote tunnel endpoint, which is the address configured in the remote-address command in IKE view. |
| reverse-route remote-peer ip-address static | Static | Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy | Address identified by the ip-address argument. |
| reverse-route | Dynamic | Protected peer private network | Remote tunnel endpoint. |
| reverse-route remote-peer ip-address | Dynamic | Protected peer private network | Address identified by the ip-address argument, typically, the next hop address of the interface where the IPsec policy is applied. |
| reverse-route remote-peer ip-address gateway | Dynamic | • Protected peer private network • Remote tunnel endpoint | • For the route destined for the protected peer private network, the next hop is the remote tunnel endpoint. • For the route destined for the remote tunnel endpoint, the next hop address is the address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied). |

Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or
negotiated by the policy.
To view static routes created by RRI, use the display ip routing-table command. For information about the
routing table, see Network Management Configuration Guide.
If you configure an address range in IKE peer view, static IPsec RRI does not take effect.
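The following Python sketch is an added illustration, not part of the HP reference. It models the rules in Table 21 to predict which static routes RRI should install, then compares them with the routes actually seen, so that routes steering traffic into the tunnel unexpectedly stand out. The function names, the /32 host route for the tunnel endpoint, and the addresses 2.2.2.1 and 10.9.0.0/16 are assumptions; 3.0.0.0/24 and 1.1.1.2 come from the example in this section.

```python
from ipaddress import ip_address, ip_network

def expected_rri_routes(mode, dests, tunnel_endpoint, remote_peer=None, gateway=False):
    """Return the set of (destination, next hop) routes Table 21 predicts.

    mode            -- "static" or "dynamic"
    dests           -- static: destinations in the ACL permit rules;
                       dynamic: protected peer private networks of the IPsec SAs
    tunnel_endpoint -- remote tunnel endpoint (tunnel remote / remote-address)
    remote_peer     -- the ip-address argument of remote-peer, if configured
    gateway         -- True for "reverse-route remote-peer ip-address gateway"
    """
    if mode not in ("static", "dynamic"):
        raise ValueError("mode must be 'static' or 'dynamic'")
    # Table 21 lists the gateway keyword only for dynamic mode with remote-peer.
    if gateway and (mode != "dynamic" or remote_peer is None):
        raise ValueError("gateway requires dynamic mode and a remote-peer address")
    endpoint = ip_address(tunnel_endpoint)
    nets = {ip_network(d) for d in dests}
    if gateway:
        # Two routes: protected network via the tunnel endpoint, and the
        # tunnel endpoint itself via the remote-peer address.
        routes = {(n, endpoint) for n in nets}
        # Assumption: the route to the tunnel endpoint is a /32 host route.
        routes.add((ip_network(tunnel_endpoint), ip_address(remote_peer)))
        return routes
    # Without gateway, remote-peer (when present) replaces the endpoint as next hop.
    hop = ip_address(remote_peer) if remote_peer else endpoint
    return {(n, hop) for n in nets}

def audit(expected, observed):
    """Compare predicted RRI routes with routes taken from the routing table."""
    return {"missing": expected - observed, "unexpected": observed - expected}

def demo():
    # Static RRI with ACL 3000 permitting 3.0.0.0/24, remote gateway 1.1.1.2.
    expected = expected_rri_routes("static", ["3.0.0.0/24"], "1.1.1.2")
    # Constructed sample of static routes, as transcribed from
    # "display ip routing-table"; the second entry is not explained by the policy.
    observed = {
        (ip_network("3.0.0.0/24"), ip_address("1.1.1.2")),
        (ip_network("10.9.0.0/16"), ip_address("1.1.1.2")),
    }
    return audit(expected, observed)

if __name__ == "__main__":
    print(demo())
```
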
Examples
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network
3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop.
<Sysname> system-view