Figure 52 IPsec VPN
IPsec Reverse Route Injection (RRI) enables an IPsec tunnel gateway to automatically add static routes destined for protected private networks, or static routes destined for peer IPsec tunnel gateways, to a routing table. As shown in Figure 52, you can enable IPsec RRI on the gateway at the enterprise center.
After an IPsec tunnel is established, the gateway automatically adds a static route to the routing table, which can be looked up. The destination IP address is the protected private network, and the next hop is the remote IP address of the IPsec tunnel. Traffic destined for the peer end is routed to the IPsec tunnel interface and is thereby protected by IPsec.
You can advertise the static routes created by IPsec RRI in the internal network, and the internal network devices can use them to forward traffic in the IPsec VPN.
IPsec RRI is applicable to gateways that must provide many IPsec tunnels (for example, a headquarters gateway).
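The route-injection behaviour described above, modelled in Python as an added example (this is not vendor code and not part of this guide): each established SA yields a static route whose destination is the protected network and whose next hop is the peer tunnel address; the route is withdrawn when the SA is deleted and never overrides a manually configured route. All addresses and the "rri" source tag are constructed for illustration.

```python
"""Model of IPsec Reverse Route Injection (RRI): constructed example, not device code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IPsecSA:
    peer: str        # remote tunnel endpoint: becomes the next hop of the injected route
    protected: str   # remote protected private network: becomes the route destination


class RoutingTable:
    def __init__(self) -> None:
        # prefix -> (next hop, source); the "rri" source marks routes injected by RRI
        self.routes: dict = {}

    def add_static(self, prefix: str, next_hop: str) -> None:
        # Operator-configured route; RRI must not replace it.
        self.routes[ip_network(prefix)] = (ip_address(next_hop), "static")

    def install(self, sa: IPsecSA) -> bool:
        # Called when the SA is established. Returns False if a manual route already owns the prefix.
        net = ip_network(sa.protected)
        existing = self.routes.get(net)
        if existing is not None and existing[1] != "rri":
            return False
        self.routes[net] = (ip_address(sa.peer), "rri")
        return True

    def withdraw(self, sa: IPsecSA) -> None:
        # Called when the SA is deleted; only RRI-owned routes are removed.
        net = ip_network(sa.protected)
        if self.routes.get(net, (None, None))[1] == "rri":
            del self.routes[net]

    def lookup(self, dst: str):
        # Longest-prefix match, as a forwarding table would do; returns the next hop or None.
        addr = ip_address(dst)
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)][0]


def rri_routes(table: RoutingTable) -> dict:
    # Routes a site could redistribute into its IGP so internal devices reach the VPN peers.
    return {str(n): str(nh) for n, (nh, src) in table.routes.items() if src == "rri"}
```

The table returned by rri_routes is what the internal network would receive if the RRI-created routes are advertised, as the section describes.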
Protocols and standards
• RFC 2401, Security Architecture for the Internet Protocol
• RFC 2402, IP Authentication Header
• RFC 2406, IP Encapsulating Security Payload
• RFC 4552, Authentication/Confidentiality for OSPFv3
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.