Configuring IPsec RRI

Restrictions and guidelines

Enabling IPsec RRI for an IPsec policy deletes all existing IPsec SAs created by this IPsec policy. IPsec RRI creates static routes according to new IPsec SAs.

Disabling IPsec RRI for an IPsec policy deletes all existing IPsec SAs created by this IPsec policy and the associated static routes.

IPsec RRI is supported in both tunnel mode and transport mode.

If you change the preference value or tag value for an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy and the associated static routes. The change takes effect for future IPsec RRI-created static routes.

IPsec RRI generates a static route to a protected destination address only if that address is defined in the ACL used by the IPsec policy or IPsec policy template. For a destination address that is not defined in the ACL, you must manually configure a static route.

In an MPLS L3VPN network, IPsec RRI can add static routes to VPN instances' routing tables.

Procedure

  1. Enter system view.

    system-view

  2. Enter IPsec policy view or IPsec policy template view.

    • Enter IPsec policy view.

      ipsec { policy | ipv6-policy } policy-name seq-number isakmp

    • Enter IPsec policy template view.

      ipsec { ipv6-policy-template | policy-template } template-name seq-number

  3. Enable IPsec RRI.

    reverse-route dynamic

    By default, IPsec RRI is disabled.

  4. (Optional.) Set the preference value for the static routes created by IPsec RRI.

    reverse-route preference number

    The default value is 60.

  5. (Optional.) Set the tag value for the static routes created by IPsec RRI.

    reverse-route tag tag-value

    The default value is 0.
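
The procedure above as one session, added here as an illustration and not taken from the original documentation. The device name Sysname, the policy name map1, the sequence number 10, the preference 100 and the tag 1000 are assumed values, and the view prompts are shown as they typically appear on the device.

```text
# Constructed session. "Sysname", policy "map1", sequence number 10,
# preference 100 and tag 1000 are assumed values.
<Sysname> system-view
[Sysname] ipsec policy map1 10 isakmp
# Enabling RRI deletes the existing IPsec SAs created by this policy.
[Sysname-ipsec-policy-isakmp-map1-10] reverse-route dynamic
# Optional: override the default preference (60) and tag (0).
[Sysname-ipsec-policy-isakmp-map1-10] reverse-route preference 100
[Sysname-ipsec-policy-isakmp-map1-10] reverse-route tag 1000
[Sysname-ipsec-policy-isakmp-map1-10] quit
# RRI routes are created from new IPsec SAs, so check the routing
# table only after the SAs have been renegotiated.
[Sysname] display ip routing-table
```

Because enabling RRI and changing the preference or tag each delete the policy's IPsec SAs, making all three settings in the same change keeps the tunnel interruption to one event.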