Configuring IPsec RRI
Restrictions and guidelines
Enabling IPsec RRI for an IPsec policy deletes all existing IPsec SAs created by this IPsec policy. IPsec RRI creates static routes according to new IPsec SAs.
Disabling IPsec RRI for an IPsec policy deletes all existing IPsec SAs created by this IPsec policy and the associated static routes.
IPsec RRI is supported in both tunnel mode and transport mode.
If you change the preference value or tag value for an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy, and the associated static routes. The change takes effect for future IPsec RRI-created static routes.
IPsec RRI does not generate a static route to a destination address to be protected if the destination address is not defined in the ACL used by an IPsec policy or an IPsec policy template. You must manually configure a static route to the destination address.
In an MPLS L3VPN network, IPsec RRI can add static routes to VPN instances' routing tables.
Procedure
Enter system view.
system-view
Enter IPsec policy view or IPsec policy template view.
Enter IPsec policy view.
ipsec { policy | ipv6-policy } policy-name seq-number isakmp
Enter IPsec policy template view.
ipsec { ipv6-policy-template | policy-template } template-name seq-number
Enable IPsec RRI.
reverse-route dynamic
By default, IPsec RRI is disabled.
(Optional.) Set the preference value for the static routes created by IPsec RRI.
reverse-route preference number
The default value is 60.
(Optional.) Set the tag value for the static routes created by IPsec RRI.
reverse-route tag tag-value
The default value is 0.