R0106-HP MSR Router Series Security Configuration Guide(V7)

249
Figure 77 IPsec VPN
IPsec Reverse Route Injection (RRI) enables an IPsec tunnel gateway to automatically add static routes
destined for protected private networks or static routes destined for peer IPsec tunnel gateways to a
routing table. As shown in Figure 77, you can enable IPsec RRI on the gateway at the enterprise center.
After an IPsec tunnel is established, the gateway automatically adds a static route to the routing table,
where it is available for route lookup. The destination IP address of the route is the protected private
network, and the next hop is the remote IP address of the IPsec tunnel. Traffic destined for the peer end
is routed to the IPsec tunnel interface and thereby protected by IPsec.
You can advertise the static routes created by IPsec RRI in the internal network, and the internal network
device can use them to forward traffic in the IPsec VPN.
In an MPLS L3VPN network, IPsec RRI can add static routes to VPN instances' routing tables.
IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a headquarters
gateway).
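The injection and withdrawal behaviour described above (route added when a tunnel comes up, destination = protected private network, next hop = remote tunnel address, optionally placed in a VPN instance's table) is modeled here as an added Python example. It is not code from this guide or from the router software; the tunnel and route classes, the addresses, and the `vpn_instance` field are constructed assumptions used only to illustrate the mechanism.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Dict, Optional


@dataclass(frozen=True)
class IpsecTunnel:
    """Constructed model of an established IPsec tunnel (not a device data structure)."""
    local_addr: str
    remote_addr: str                    # peer gateway address; becomes the route's next hop
    protected_net: str                  # peer's protected private network; becomes the destination
    vpn_instance: Optional[str] = None  # MPLS L3VPN instance; None means the public routing table


@dataclass(frozen=True)
class StaticRoute:
    destination: IPv4Network
    next_hop: IPv4Address
    vpn_instance: Optional[str]
    source: str = "IPsec RRI"           # tag so the route can be distinguished from manual statics


class RriInjector:
    """Keeps one routing table per VPN instance and injects/withdraws RRI routes."""

    def __init__(self) -> None:
        self.tables: Dict[Optional[str], Dict[IPv4Network, StaticRoute]] = {}

    def tunnel_up(self, t: IpsecTunnel) -> StaticRoute:
        # strict=True rejects a "network" with host bits set, e.g. 10.1.0.5/24,
        # so a mis-negotiated selector cannot inject a nonsense prefix.
        dest = ip_network(t.protected_net, strict=True)
        route = StaticRoute(dest, ip_address(t.remote_addr), t.vpn_instance)
        self.tables.setdefault(t.vpn_instance, {})[dest] = route
        return route

    def tunnel_down(self, t: IpsecTunnel) -> bool:
        """Withdraw the route only if it was injected for this exact peer."""
        table = self.tables.get(t.vpn_instance, {})
        dest = ip_network(t.protected_net, strict=True)
        existing = table.get(dest)
        if existing is not None and existing.next_hop == ip_address(t.remote_addr):
            del table[dest]
            return True
        return False

    def lookup(self, dst_ip: str, vpn_instance: Optional[str] = None) -> Optional[StaticRoute]:
        """Longest-prefix match over the RRI routes of one table."""
        ip = ip_address(dst_ip)
        matches = [r for r in self.tables.get(vpn_instance, {}).values() if ip in r.destination]
        return max(matches, key=lambda r: r.destination.prefixlen, default=None)


def demo() -> Dict[str, object]:
    """Walk a headquarters gateway through two branch tunnels (constructed addresses)."""
    rri = RriInjector()
    branch_a = IpsecTunnel("203.0.113.1", "198.51.100.10", "10.1.0.0/24")
    branch_b = IpsecTunnel("203.0.113.1", "198.51.100.20", "10.2.0.0/24", vpn_instance="vpn1")
    rri.tunnel_up(branch_a)
    rri.tunnel_up(branch_b)
    public_hit = rri.lookup("10.1.0.77")                 # found in the public table
    vpn_hit = rri.lookup("10.2.0.9", vpn_instance="vpn1")  # found only in vpn1's table
    leak = rri.lookup("10.2.0.9")                        # None: VPN route does not leak
    withdrawn = rri.tunnel_down(branch_a)                # tunnel drops, route is removed
    return {
        "public_next_hop": str(public_hit.next_hop) if public_hit else None,
        "vpn_next_hop": str(vpn_hit.next_hop) if vpn_hit else None,
        "leaked": leak is not None,
        "withdrawn": withdrawn,
        "after_down": rri.lookup("10.1.0.77"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `tunnel_down` check on the next hop is the detail worth noticing: if two peers ever negotiated the same protected selector, withdrawing one tunnel must not silently remove a route that now belongs to the other, and keeping the `source` tag lets an operator audit which static routes were machine-injected rather than configured by hand.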
Protocols and standards
RFC 2401, Security Architecture for the Internet Protocol
RFC 2402, IP Authentication Header
RFC 2406, IP Encapsulating Security Payload
RFC 4552, Authentication/Confidentiality for OSPFv3
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,
commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about
FIPS mode, see "Configuring FIPS."
Security strength
By default, the device provides low encryption. To obtain high encryption, you must install the Strong
Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and
[Figure 77 labels: IPsec tunnel, IPsec tunnel]