R2511-HP MSR Router Series Security Command Reference(V5)
Command: reverse-route remote-peer ip-address gateway
IPsec RRI mode: Dynamic
Route destination:
• Protected peer private network
• Remote tunnel endpoint
Next hop address:
• For the route destined for the protected peer private network, the next hop is the remote tunnel endpoint.
• For the route destined for the remote tunnel endpoint, the next hop address is the address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied).
Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or
negotiated by the policy.
To view static routes created by RRI, use the display ip routing-table command. For information about the
routing table, see Layer 3—IP Routing Configuration Guide.
If you configure an address range in IKE peer view, static IPsec RRI does not take effect.
Examples
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network
3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop.
<Sysname> system-view
[Sysname] ike peer 1
[Sysname-ike-peer-1] remote-address 1.1.1.2
[Sysname-ike-peer-1] quit
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255
[Sysname-acl-adv-3000] quit
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] security acl 3000
[Sysname-ipsec-policy-isakmp-1-1] transform-set tran1
[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1
[Sysname-ipsec-policy-isakmp-1-1] reverse-route static
[Sysname-ipsec-policy-isakmp-1-1] quit
[Sysname] interface ethernet 1/1
[Sysname-Ethernet1/1] ipsec policy 1
[Sysname-Ethernet1/1] quit
# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not
shown.)
[Sysname] display ip routing-table
...
Destination/Mask    Proto   Pre  Cost  NextHop   Interface
3.0.0.0/24          Static  60   0     1.1.1.2   Eth1/1
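Added example (not part of the HP reference, and not HP code): a Python check that derives the routes RRI should install from the ACL rule and tunnel endpoint above, then compares them with display ip routing-table output. The function names, the TABLE_DRIFT sample and the /32 mask for the tunnel endpoint route are assumptions made for this sketch.

```python
import ipaddress
import re

# Matches only the ACL rule form used on this page (permit ip with wildcards).
ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")
# Columns: Destination/Mask  Proto  Pre  Cost  NextHop  Interface
ROUTE = re.compile(
    r"^\s*(\d+(?:\.\d+){3}/\d+)\s+(\S+)\s+\d+\s+\d+\s+(\d+(?:\.\d+){3})\s+(\S+)", re.M)

def wildcard_to_network(addr, wildcard):
    """Convert an ACL address/wildcard pair to a prefix; reject non-contiguous wildcards."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is 0...01...1 in binary
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.ip_network((base, 32 - wc.bit_length()))

def expected_rri_routes(acl_text, tunnel_endpoint, gateway=None):
    """Peer private network -> tunnel endpoint; with a gateway, also endpoint -> gateway."""
    routes = {str(wildcard_to_network(m.group(3), m.group(4))): tunnel_endpoint
              for m in ACL_RULE.finditer(acl_text)}
    if gateway:
        routes[f"{tunnel_endpoint}/32"] = gateway  # assumption: installed as a host route
    return routes

def static_next_hops(table_text):
    """Map each static destination in the routing table text to its set of next hops."""
    hops = {}
    for dest, proto, next_hop, _ifc in ROUTE.findall(table_text):
        if proto == "Static":
            hops.setdefault(dest, set()).add(next_hop)
    return hops

def audit(expected, table_text):
    """Return {destination: (expected next hop, installed next hops)} for each mismatch."""
    installed = static_next_hops(table_text)
    return {dest: (nh, sorted(installed.get(dest, ())))
            for dest, nh in expected.items() if installed.get(dest) != {nh}}

ACL_3000 = "rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255"
TABLE_PAGE = """Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.2 Eth1/1"""
# Constructed sample: same destination, unexpected next hop.
TABLE_DRIFT = """Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.9 Eth1/1"""

if __name__ == "__main__":
    want = expected_rri_routes(ACL_3000, "1.1.1.2")
    print(audit(want, TABLE_PAGE), audit(want, TABLE_DRIFT))
```

An empty result means every expected RRI route is present with the expected next hop; a missing or differing route is reported with the next hops actually installed.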
# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network as
the destination and 1.1.1.3 as the next hop.
[Sysname] ipsec policy 1 1 isakmp










