HPE FlexNetwork HSR6800 Security Command Reference page 301


Usage guidelines
IPsec RRI operates in static mode or dynamic mode:
Static IPsec RRI creates one static route for each destination address permitted by the ACL that
the IPsec policy references. Static IPsec RRI creates static routes immediately after you
configure IPsec RRI for an IPsec policy and apply the IPsec policy. When you disable RRI, or
remove the ACL or the peer gateway IP address from the policy, IPsec RRI deletes all static
routes it has created. The static mode applies to scenarios where the topologies of branch
networks seldom change.
Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. Dynamic IPsec RRI
creates static routes when the IPsec SAs are established, and deletes the static routes when
the IPsec SAs are deleted. The dynamic mode applies to scenarios where the topologies of
branch networks change frequently.
The destination and next hop address in a static route created by IPsec RRI depend on your settings. See Table 45.

Table 45 Possible IPsec RRI configurations and the generated routing information

Command: reverse-route static
  IPsec RRI mode: Static
  Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy.
  Next hop address:
    Manual IPsec policy: Peer tunnel address set with the tunnel remote command.
    IPsec policy that uses IKE: The remote tunnel endpoint, which is the address configured in the remote-address command in IKE view.

Command: reverse-route remote-peer ip-address static
  IPsec RRI mode: Static
  Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy.
  Next hop address: Address identified by the ip-address argument.

Command: reverse-route
  IPsec RRI mode: Dynamic
  Route destination: Protected peer private network.
  Next hop address: Remote tunnel endpoint.

Command: reverse-route remote-peer ip-address
  IPsec RRI mode: Dynamic
  Route destination: Protected peer private network.
  Next hop address: Address identified by the ip-address argument, typically the next hop address of the interface where the IPsec policy is applied.

Command: reverse-route remote-peer ip-address gateway
  IPsec RRI mode: Dynamic
  Route destinations: Protected peer private network, and the remote tunnel endpoint.
  Next hop address:
    For the route destined for the protected peer private network, the next hop is the remote tunnel endpoint.
    For the route destined for the remote tunnel endpoint, the next hop address is the address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied).

Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or negotiated by the policy.
To view static routes created by RRI, use the display ip routing-table command. For information about the routing table, see Layer 3—IP Routing Configuration Guide.
If you configure an address range in IKE peer view, static IPsec RRI does not take effect.

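The following configuration is an added illustration, not an example from the command reference: a hub gateway applies an IKE-based IPsec policy with dynamic RRI in gateway mode (the last row of Table 45) and then checks the routing table. All names, the ACL number and the addresses are constructed; the hub's tunnel interface is 1.1.1.1 with next hop 1.1.1.2, the branch gateway is 2.2.2.2 and protects 192.168.2.0/24. The IKE peer authentication settings are omitted, and the surrounding policy commands (acl, ike peer, ipsec proposal, security acl, ike-peer, proposal, ipsec policy on the interface) are assumed Comware syntax; only reverse-route, remote-address and display ip routing-table are taken from this page.

```text
acl number 3000
 rule 0 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
#
ike peer branch1
 remote-address 2.2.2.2
#
ipsec proposal prop1
#
ipsec policy hub 10 isakmp
 security acl 3000
 ike-peer branch1
 proposal prop1
 reverse-route remote-peer 1.1.1.2 gateway
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 ipsec policy hub
#
display ip routing-table
```

Per the gateway row of Table 45, once the IPsec SA with 2.2.2.2 is up, the routing-table output should show two RRI-created static routes: 192.168.2.0/24 with next hop 2.2.2.2 (the remote tunnel endpoint), and 2.2.2.2/32 with next hop 1.1.1.2 out GigabitEthernet1/0/1 (the ip-address argument). Because this is dynamic mode, both routes disappear when the SA is deleted, so their absence in display ip routing-table is a quick indicator that the tunnel is down. Note that adding, removing or changing the reverse-route line on a live policy deletes that policy's IPsec SAs, so the change briefly interrupts the tunnel.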