171
Step Command Remarks
2. Enable invalid SPI recovery.
ipsec invalid-spi-recovery
enable
Optional.
Disabled by default.
Configuring IPsec RRI
IPsec RRI operates in static mode or dynamic mode.
Static IPsec RRI
Static IPsec RRI creates static routes based on the destination address information in the ACL that
the IPsec policy references. The next hop address of the route is a user specified remote peer
address, or the IP address of the remote tunnel endpoint.
Static IPsec RRI creates static routes immediately after you enable IPsec RRI in an IPsec policy and
apply the IPsec policy. When you disable RRI, or remove the ACL or the peer gateway IP address
from the policy, IPsec RRI deletes all static routes it has created.
The static mode applies to scenarios where the topologies of branch networks seldom change.
Dynamic IPsec RRI
Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. In each static route, the
destination address is the address of a protected branch network, and the next hop is the
user-specified remote peer address or the remote tunnel endpoint's address learned during IPsec
SA negotiation.
Dynamic IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static
routes when the IPsec SAs are deleted.
The dynamic mode applies to scenarios where the topologies of branch networks change frequently.
For example, when branches have dial-in users, you can configure dynamic IPsec RRI to avoid
frequent configuration changes that are otherwise required on the headquarters gateway.
A good practice is to configure IPsec RRI on a headquarters gateway to create static routes for the
IPsec tunnels to branches. For the static routes, you can perform the following operations:
• Change their route preference for ECMP routing or route backup. If multiple routes to the same
destination have the same preference, traffic is balanced among them. If multiple routes to the
same destination have different preference values, the route with the highest preference
forwards traffic and all other routes are backup routes.
• Change their tag value so the gateway can control the use of the static routes based on routing
policies.
To configure IPsec RRI:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter IPsec policy view or
IPsec policy template
view.
• To enter IPsec policy view:
ipsec policy policy-name
seq-number [ isakmp | manual ]
• To enter IPsec policy template
view:
ipsec policy-template
template-name seq-number
Use either command.
To Next Page
Loading...
Need help?
General
