558
undo reverse-route dynamic
Default
IPsec RRI is disabled.
Views
IPsec policy view
IPsec policy template view
Predefined user roles
network-admin
Parameters
next-hop: Specifies a next hop IP address for the IPsec PRI-created static route. If you do not
specify a next hop IP address, the static route uses the remote IP address of the IPsec tunnel as the
next hop IP address.
ipv6: Specifies an IPv6 address.
ip-address: Specifies the next hop IPv4 or IPv6 address.
Usage guidelines
IPsec RRI is usually used on a gateway device at the headquarters side in an IPsec VPN. After IPsec
RRI is enabled for an IPsec policy or an IPsec policy template on a gateway device, the gateway
device automatically creates a static route upon IPsec SA creation according to this IPsec policy or
IPsec policy template. By default, the static route uses the protected peer private network as the
destination IP address and the remote IP address of the IPsec tunnel as the next hop address. If
there are multiple paths to the remote tunnel end, you can use the next-hop command to specify a
next hop IP address for the static route.
When you enable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created
according to this IPsec policy. Upon IPsec SAs are renegotiated, the static routes are created.
When you disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created
according to this IPsec policy, and the associated static routes.
To display the static routes created by RRI, use the display ip routing-table command.
Examples
# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified
IPsec policy. The destination IP address is the protected peer private network 3.0.0.0/24, and the
next hop is the IP address (1.1.1.2) of the remote tunnel interface.
<Sysname> system-view
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route dynamic
[Sysname-ipsec-policy-isakmp-1-1] quit
# Display the routing table. You can see a created static route. (Other information is not shown.)
[Sysname] display ip routing-table
…
Destination/Mask Proto Pre Cost NextHop Interface
3.0.0.0/24 Static 60 0 1.1.1.2 GE1/0/1
# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified
IPsec policy. Set the next hop IP address of the static route to 2.2.2.3.
<Sysname> system-view
[Sysname] ipsec policy 1 1 isakmp
[Sysname-ipsec-policy-isakmp-1-1] reverse-route next-hop 2.2.2.3 dynamic
[Sysname-ipsec-policy-isakmp-1-1] quit
To Next Page
Loading...
Need help?
General
