Figure 41 IPsec VPN
IPsec Reverse Route Inject (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks or peer IPsec tunnel gateways to a routing table. As shown in Figure 41, you can enable IPsec RRI on the gateway at the enterprise center. After an IPsec tunnel is established, the gateway automatically adds a static route to the routing table, which can be queried like any other routing entry. The destination IP address is the protected private network, and the next hop is the remote IP address of the IPsec tunnel. In this way, traffic destined for the peer end is routed to the IPsec tunnel interface and thereby protected by IPsec.
You can advertise the static routes created by IPsec RRI in the internal network, and the internal network
device can use them to forward traffic in the IPsec VPN.
In an MPLS L3VPN network, IPsec RRI can add static routes to VPN instances' routing tables.
IPsec RRI is applicable to gateways, for example, a headquarters gateway that must provide many IPsec
tunnels. It frees you from the tedious work of manually configuring and maintaining static routes for IPsec
tunnels.
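As an added illustration (not code from this guide or its vendor), the following Python model shows the RRI behaviour described above: when a tunnel comes up, a static route is installed in the routing table of the tunnel's VPN instance with the peer's protected network as destination and the remote tunnel address as next hop, and the route is withdrawn when the tunnel goes down. The tunnel addresses, prefixes and VPN instance names are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IPsecTunnel:
    """Constructed model of an established IPsec tunnel (hypothetical, for this example)."""
    local_endpoint: str
    remote_endpoint: str      # peer gateway address: becomes the RRI next hop
    protected_network: str    # peer's private network from the traffic selector: RRI destination
    vpn_instance: str = "public"   # routing table the route is injected into


@dataclass
class RoutingTable:
    """Static routes keyed by (vpn_instance, destination prefix) -> next hop."""
    routes: Dict[Tuple[str, IPv4Network], IPv4Address] = field(default_factory=dict)

    def rri_install(self, t: IPsecTunnel) -> Tuple[IPv4Network, IPv4Address]:
        """Tunnel established: inject the reverse route for the peer's protected network."""
        dest = ip_network(t.protected_network)
        nexthop = ip_address(t.remote_endpoint)
        self.routes[(t.vpn_instance, dest)] = nexthop
        return dest, nexthop

    def rri_withdraw(self, t: IPsecTunnel) -> bool:
        """Tunnel torn down: remove the injected route; returns whether one was present."""
        return self.routes.pop((t.vpn_instance, ip_network(t.protected_network)), None) is not None

    def lookup(self, vpn_instance: str, dst: str) -> Optional[IPv4Address]:
        """Longest-prefix match inside one VPN instance, as a forwarding lookup would do."""
        addr = ip_address(dst)
        matches = [(net, nh) for (vpn, net), nh in self.routes.items()
                   if vpn == vpn_instance and addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def demo() -> Tuple[Optional[IPv4Address], Optional[IPv4Address], Optional[IPv4Address]]:
    """Branch tunnel up -> route present; same prefix in another VPN instance stays separate; down -> gone."""
    rt = RoutingTable()
    branch = IPsecTunnel("198.51.100.1", "203.0.113.2", "10.1.1.0/24", vpn_instance="vpnA")
    rt.rri_install(branch)
    via_a = rt.lookup("vpnA", "10.1.1.7")      # next hop 203.0.113.2
    via_pub = rt.lookup("public", "10.1.1.7")  # None: injected only into vpnA's table
    rt.rri_withdraw(branch)
    after = rt.lookup("vpnA", "10.1.1.7")      # None: route withdrawn with the tunnel
    return via_a, via_pub, after
```

The point to verify on a real gateway is the same: the injected route must appear in the routing table of the correct VPN instance while the tunnel is up and disappear when it is torn down.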
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
IPsec tunnel establishment
CAUTION:
Typically, IKE uses UDP port 500 for communication, and AH and ESP use the protocol numbers 51 and
50, respectively. Make sure traffic of these protocols is not denied on the interfaces with IKE or IPsec
configured.