R3721-F3210-F3171-HP High-End Firewalls VPN Command Reference-6PW101
| Command | IPsec RRI mode | Route destination | Next hop address |
|---|---|---|---|
| reverse-route | Dynamic | Protected peer private network | Remote tunnel endpoint |
| reverse-route remote-peer ip-address | Dynamic | Protected peer private network | Address identified by the ip-address argument, typically the next hop address of the interface where the IPsec policy is applied |
| reverse-route remote-peer ip-address gateway (first route) | Dynamic | Protected peer private network | Remote tunnel endpoint |
| reverse-route remote-peer ip-address gateway (second route) | Dynamic | Remote tunnel endpoint | The address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied) |
Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or
negotiated by the policy.
To view static routes created by RRI, use the display ip routing-table command. For information about the
routing table, see Network Management Configuration Guide.
If you configure an address range in IKE peer view, static IPsec RRI does not take effect.
Related commands: reverse-route preference and reverse-route tag.
Examples
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network
3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop.
<Sysname> system-view
[Sysname] ike peer 1
[Sysname-ike-peer-1] remote-address 1.1.1.2
[Sysname-ike-peer-1] quit
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255
[Sysname-acl-adv-3000] quit
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] security acl 3000
[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1
[Sysname-ipsec-policy-isakmp-1-1] reverse-route static
[Sysname-ipsec-policy-isakmp-1-1] quit
[Sysname] interface GigabitEthernet 0/1
[Sysname-GigabitEthernet0/1] ipsec policy 1
[Sysname-GigabitEthernet0/1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not
shown.)
[Sysname] display ip routing-table
...
Destination/Mask    Proto   Pre  Cost  NextHop    Interface
3.0.0.0/24          Static  60   0     1.1.1.2    GE0/1
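Added example (not from the HP reference): a Python check that derives the route static RRI is expected to create from the configuration above, taking the destination from the ACL rule and the next hop from the IKE peer's remote-address, and compares it with the Static rows of display ip routing-table. It covers only the plain reverse-route static form; the function names and the sample strings are constructed for illustration.

```python
import ipaddress
import re
# Constructed input: commands and routing-table row copied from the example above.
SESSION = """\
[Sysname] ike peer 1
[Sysname-ike-peer-1] remote-address 1.1.1.2
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] security acl 3000
[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1
[Sysname-ipsec-policy-isakmp-1-1] reverse-route static
"""
ROUTING_TABLE = """\
Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.2 GE0/1
"""

def wildcard_net(addr, wildcard):
    """ACL address + wildcard -> network; raises ValueError if not contiguous."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def expected_rri_routes(session):
    """(destination, next hop) pairs static RRI should create, per the example."""
    peers, acls, policies, view = {}, {}, [], (None, None)
    for line in session.splitlines():
        cmd = re.sub(r"^[\[<][^\]>]*[\]>]\s*", "", line).split()  # drop the prompt
        if cmd[:2] in (["ike", "peer"], ["acl", "number"], ["ipsec", "policy"]):
            view = (cmd[0], cmd[2])  # track which configuration view we are in
            if cmd[0] == "ipsec":
                policies.append({})
        elif view[0] == "ike" and cmd[:1] == ["remote-address"]:
            peers[view[1]] = cmd[1]
        elif view[0] == "acl" and cmd[:1] == ["rule"] and {"permit", "destination"} <= set(cmd):
            i = cmd.index("destination")
            acls.setdefault(view[1], []).append(wildcard_net(cmd[i + 1], cmd[i + 2]))
        elif view[0] == "ipsec" and len(cmd) > 1:
            policies[-1][" ".join(cmd[:-1])] = cmd[-1]  # e.g. "security acl" -> "3000"
    return {(net, peers.get(p.get("ike-peer"))) for p in policies
            if p.get("reverse-route") == "static"
            for net in acls.get(p.get("security acl"), [])}

def audit(session, table):
    """Return (missing, unexpected) static routes relative to the RRI policy."""
    rows = (l.split() for l in table.splitlines())
    have = {(ipaddress.ip_network(r[0]), r[4]) for r in rows if len(r) == 6 and r[1] == "Static"}
    want = expected_rri_routes(session)
    return want - have, have - want
```

Entries reported as unexpected can also be manually configured static routes, so treat them as items to review against the device configuration.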
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network as
the destination and 1.1.1.3 as the next hop.