R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
static: Enables static IPsec Reverse Route Inject (RRI). Static IPsec RRI creates static routes based on the
ACL that the IPsec policy references. This keyword is available only in IPsec policy view. If this keyword
is not specified, you enable dynamic IPsec RRI, which creates static routes based on IPsec SAs.
remote-peer ip-address: Specifies a next hop for the static routes. To use the static routes for route backup
and load balancing, specify this option.
gateway: Creates two recursive routes: one to the remote tunnel endpoint and the other to the protected
remote private network. Use the gateway keyword in an IKE-enabled IPsec policy to define an explicit
default forwarding path for IPsec traffic.
Description
Use reverse-route to enable and configure the IPsec Reverse Route Inject (RRI) feature.
Use undo reverse-route to disable IPsec RRI.
By default, IPsec RRI is disabled.
IPsec RRI works in static mode or dynamic mode:
• Static IPsec RRI creates one static route for each destination address permitted by the ACL that the
IPsec policy references. Static IPsec RRI creates static routes immediately after you configure IPsec
RRI for an IPsec policy and apply the IPsec policy. When you disable RRI, or remove the ACL or the
peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created. The static
mode applies to scenarios where the topologies of branch networks seldom change.
• Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. Dynamic IPsec RRI creates
static routes when the IPsec SAs are established, and deletes the static routes when the IPsec SAs are
deleted. The dynamic mode applies to scenarios where the topologies of branch networks change
frequently.
The destination and next hop address in a static route created by IPsec RRI depend on your settings.
See Table 25.
Table 25 Possible IPsec RRI configurations and the generated routing information

Command: reverse-route static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy
Next hop address:
• Manual IPsec policy: Peer tunnel address set with the tunnel remote command
• IPsec policy that uses IKE: The remote tunnel endpoint, which is the address configured in the remote-address command in IKE view.

Command: reverse-route remote-peer ip-address static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy
Next hop address: Address identified by the ip-address argument
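
The static-mode rows above can be turned into a routing-table audit. The following Python sketch is an added example, not code from this reference or from the device: it derives the routes static IPsec RRI should create from a policy's ACL permit rules and peer settings, then compares them with the routes actually observed. The IpsecPolicy model, all function names, the sample addresses, and the conversion of a contiguous ACL wildcard into a route prefix are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class IpsecPolicy:
    """Hypothetical model of the settings static RRI reads; not a device API."""
    mode: str                                  # "manual" or "isakmp"
    acl_permit_dests: List[Tuple[str, str]]    # (destination, wildcard) per permit rule
    tunnel_remote: Optional[str] = None        # manual policy: 'tunnel remote' address
    ike_remote_address: Optional[str] = None   # IKE view: 'remote-address' value
    rri_remote_peer: Optional[str] = None      # 'reverse-route remote-peer <ip> static'

def wildcard_to_prefix(addr: str, wildcard: str) -> str:
    """Assumption: the route mask is the inverse of a contiguous ACL wildcard."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                            # set bits are not one low-order run
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return str(ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False))

def next_hop(p: IpsecPolicy) -> str:
    """Next hop column of Table 25 for the two static-mode commands."""
    if p.rri_remote_peer:                      # explicit remote-peer takes the next hop
        return p.rri_remote_peer
    hop = p.tunnel_remote if p.mode == "manual" else p.ike_remote_address
    if p.mode not in ("manual", "isakmp") or hop is None:
        raise ValueError("policy has no usable peer address")
    return hop

def expected_routes(p: IpsecPolicy) -> List[Tuple[str, str]]:
    """One (destination, next hop) route per distinct permitted destination."""
    hop, routes = next_hop(p), []
    for addr, wc in p.acl_permit_dests:
        route = (wildcard_to_prefix(addr, wc), hop)
        if route not in routes:
            routes.append(route)
    return routes

def audit(p: IpsecPolicy, observed: List[Tuple[str, str]]):
    """Return (missing, unexpected) routes versus what the policy should yield."""
    exp = expected_routes(p)
    return [r for r in exp if r not in observed], [r for r in observed if r not in exp]

# Constructed sample: IKE policy with two permit rules and a documentation-range peer.
SAMPLE = IpsecPolicy("isakmp", [("10.2.2.0", "0.0.0.255"), ("10.3.0.0", "0.0.255.255")],
                     ike_remote_address="203.0.113.2")
if __name__ == "__main__":
    print(expected_routes(SAMPLE))
```

Because static RRI creates one route per permitted destination, a broad permit rule in the referenced ACL shows up here as an equally broad expected route, which is worth reviewing before the policy is applied.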