H3C S6550X-HI Series Command Reference Manual page 2277


Predefined user roles
network-admin
Parameters
next-hop: Specifies a next hop IP address for the IPsec RRI-created static route. If you do not
specify a next hop IP address, the static route uses the remote IP address of the IPsec tunnel as the
next hop IP address.
ipv6: Specifies an IPv6 address.
ip-address: Specifies the next hop IPv4 or IPv6 address.
Usage guidelines
IPsec RRI is usually used on a gateway device at the headquarters side in an IPsec VPN. After IPsec
RRI is enabled for an IPsec policy or an IPsec policy template on a gateway device, the gateway
device automatically creates a static route upon IPsec SA creation according to this IPsec policy or
IPsec policy template. By default, the static route uses the protected peer private network as the
destination IP address and the remote IP address of the IPsec tunnel as the next hop address. If
there are multiple paths to the remote tunnel end, you can use the next-hop keyword to specify a
next hop IP address for the static route.
When you enable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created
according to this IPsec policy. After the IPsec SAs are renegotiated, the static routes are created.
When you disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created
according to this IPsec policy, and the associated static routes.
To display the static routes created by RRI, use the display ip routing-table command.
Examples
# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified
IPsec policy. The destination IP address is the protected peer private network 3.0.0.0/24, and the
next hop is the IP address (1.1.1.2) of the remote tunnel interface.
<Sysname> system-view
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route dynamic
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. You can see a created static route. (Other information is not shown.)
[Sysname] display ip routing-table
Destination/Mask   Proto   Pre Cost        NextHop         Interface
3.0.0.0/24         Static  60  0           1.1.1.2         Vlan100
# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified
IPsec policy. Set the next hop IP address of the static route to 2.2.2.3.
<Sysname> system-view
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route next-hop 2.2.2.3 dynamic
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. You can see a created static route. (Other information is not shown.)
[Sysname] display ip routing-table
Destination/Mask   Proto   Pre Cost        NextHop         Interface
4.0.0.0/24         Static  60  0           2.2.2.3         WGE1/0/1
Related commands
display ip routing-table (Layer 3—IP Routing Command Reference)
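
An added example, not part of the H3C manual: a Python check that parses display ip routing-table output in the column layout of the examples above and compares the static routes with the protected networks and next hops you expect RRI to install. The sample output is constructed from the page's two examples; the function names and the expected mapping are assumptions. A route is reported as missing when no row exists, which per the usage guidelines is the state between enabling RRI (SAs deleted) and SA renegotiation.

```python
import ipaddress

# Constructed sample: the two routes from the page's examples in one table.
SAMPLE_OUTPUT = """\
[Sysname] display ip routing-table
Destination/Mask   Proto   Pre Cost        NextHop         Interface
3.0.0.0/24         Static  60  0           1.1.1.2         Vlan100
4.0.0.0/24         Static  60  0           2.2.2.3         WGE1/0/1
"""

def parse_static_routes(output):
    """Return {destination network: (next hop, interface)} for Static rows."""
    routes = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1] != "Static":
            continue  # prompt, header, summary line, or another protocol
        try:
            dest = ipaddress.ip_network(fields[0], strict=True)
            hop = ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # six fields but not a route row
        routes[dest] = (hop, fields[5])
    return routes

def audit_rri_routes(output, expected):
    """Compare static routes with expected {prefix: next hop}; [] means all match."""
    routes = parse_static_routes(output)
    want = {ipaddress.ip_network(p): ipaddress.ip_address(h)
            for p, h in expected.items()}
    findings = []
    for net, hop in want.items():
        if net not in routes:
            # No SA yet (for example, just after RRI was enabled) or RRI is off.
            findings.append((str(net), "missing"))
        elif routes[net][0] != hop:
            findings.append((str(net), f"next hop {routes[net][0]}, expected {hop}"))
    for net in routes.keys() - want.keys():
        # A static route nobody listed: manually configured, or a protected
        # network that was not anticipated.
        findings.append((str(net), "unexpected static route"))
    return sorted(findings)

if __name__ == "__main__":
    expected = {"3.0.0.0/24": "1.1.1.2", "4.0.0.0/24": "2.2.2.3"}
    for prefix, finding in audit_rri_routes(SAMPLE_OUTPUT, expected):
        print(prefix, finding)
```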
