R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
Item    Description
Reverse Route Injection
Enable or disable IPsec RRI. When enabling IPsec RRI, you can specify a next hop and
change the preference of the static routes.
After an outbound IPsec SA is created, IPsec RRI automatically creates a static route to the
peer private network. You do not have to manually configure the static route.
IMPORTANT:
• If you enable IPsec RRI and do not configure the static route, the SA negotiation must
be initiated by the remote gateways.
• IPsec RRI creates static routes when IPsec SAs are set up, and deletes the static routes
when the IPsec SAs are deleted.
• To view the static routes created by IPsec RRI, select Network > Routing
Management > Routing Info from the navigation tree.
Next Hop
Specify a next hop for the static routes.
If you do not specify any next hop, the remote tunnel endpoint's address learned during
IPsec SA negotiation is used.
Priority
Change the preference of the static routes.
Change the route preference for equal-cost multipath (ECMP) routing or route backup. If
multiple routes to the same destination have the same preference, traffic is balanced
among them. If multiple routes to the same destination have different preference values,
the route with the highest preference forwards traffic and all other routes are backup
routes.
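The route lifecycle and preference behaviour described in the table above, modelled as an added Python example (not HP code or device configuration). The class and method names, addresses and preference numbers are constructed, and it assumes that a smaller preference value means a more preferred route.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Route:
    dest: str               # destination prefix (peer private network)
    next_hop: str
    preference: int         # assumption: smaller value = more preferred
    sa_id: Optional[int]    # set for RRI routes, None for manual static routes

class RouteTable:
    def __init__(self):
        self.routes = []

    def add_static(self, dest, next_hop, preference):
        self.routes.append(Route(dest, next_hop, preference, None))

    def sa_up(self, sa_id, peer_net, tunnel_peer, preference, next_hop=None):
        # RRI adds the route when the outbound SA is created; without a
        # configured next hop it uses the negotiated remote tunnel endpoint.
        self.routes.append(Route(peer_net, next_hop or tunnel_peer, preference, sa_id))

    def sa_down(self, sa_id):
        # RRI removes its routes when the SA is deleted; static routes stay.
        self.routes = [r for r in self.routes if r.sa_id is None or r.sa_id != sa_id]

    def active(self, dest):
        # Equal best preference -> all forward (ECMP); the rest are backups.
        cands = [r for r in self.routes if ip_network(r.dest) == ip_network(dest)]
        best = min((r.preference for r in cands), default=None)
        return sorted(r.next_hop for r in cands if r.preference == best)

def demo():
    peer_net = "10.2.0.0/16"                       # constructed addresses
    t = RouteTable()
    t.add_static(peer_net, "192.0.2.1", 80)        # manual backup route
    t.sa_up(1, peer_net, "203.0.113.2", 60)        # next hop defaults to peer
    single = t.active(peer_net)
    t.sa_up(2, peer_net, "203.0.113.6", 60, next_hop="198.51.100.1")
    ecmp = t.active(peer_net)
    t.sa_down(1); t.sa_down(2)
    fallback = t.active(peer_net)                  # only the backup remains
    return single, ecmp, fallback

if __name__ == "__main__":
    print(demo())
```

The third result is the one to compare against Routing Info on a real gateway: once the SAs are deleted, the peer network resolves only to whatever manually configured route remains, or to none.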
Applying an IPsec policy group
1. Select VPN > IPSec > IPSec Application from the navigation tree to enter the IPsec policy
application configuration page.
Figure 116 IPsec policy application
2. Click the icon for an interface.
3. Select an IPsec policy for the interface.
4. Click Apply.