Configuring IPsec RRI

Configuration guidelines

When you enable or disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy, and the associated static routes.

If you change the preference value or tag value for an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy, and the associated static routes. Your change takes effect for future IPsec RRI-created static routes.

You can set preferences for the static routes created by IPsec RRI to flexibly apply route management policies. For example, you can set the same preference for multiple routes to the same destination to implement load sharing, or you can set different preferences to implement route backup.

You can also set tags for the static routes created by IPsec RRI to implement flexible route control through routing policies.

IPsec RRI does not generate a static route to a destination address to be protected if the destination address is not defined in the ACL used by an IPsec policy or an IPsec policy template. You must manually configure a static route to the destination address.
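
The guideline above can be checked before a tunnel goes live. The following is an added example, not part of the original page or the vendor's tooling: it compares the destination prefixes permitted by the ACL with the remote networks the tunnel is expected to reach, and lists the ones that need a manually configured static route. The prefixes, the function names, and the rule that a destination counts as defined in the ACL when it is equal to or a subnet of a permitted prefix are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (not from the original page): destination prefixes
# permitted by the ACL that the IPsec policy references, and the remote
# networks the tunnel is expected to reach.
ACL_DESTINATIONS = ["10.2.1.0/24", "10.2.2.0/24", "2001:db8:2::/48"]
REMOTE_NETWORKS = ["10.2.1.0/24", "10.2.2.128/25", "10.2.3.0/24",
                   "10.2.0.0/16", "2001:db8:2:10::/64", "2001:db8:3::/48"]


def covered_by(dest, acl_nets):
    """Return the ACL prefix that fully contains dest, or None."""
    for acl in acl_nets:
        # subnet_of() raises TypeError across IP versions, so compare first.
        if dest.version == acl.version and dest.subnet_of(acl):
            return acl
    return None


def audit_rri_coverage(acl_destinations, remote_networks):
    """Split remote networks into RRI-covered ones and ones needing a manual route.

    Assumption: a destination is "defined in the ACL" when it is equal to,
    or a subnet of, a destination prefix the ACL permits. A supernet that
    is only partly matched by the ACL is reported as needing a manual route.
    """
    acl_nets = [ipaddress.ip_network(a) for a in acl_destinations]
    covered, manual = {}, []
    for text in remote_networks:
        match = covered_by(ipaddress.ip_network(text), acl_nets)
        if match is None:
            manual.append(text)
        else:
            covered[text] = str(match)
    return covered, manual


if __name__ == "__main__":
    covered, manual = audit_rri_coverage(ACL_DESTINATIONS, REMOTE_NETWORKS)
    for dest, acl in covered.items():
        print(f"{dest}: covered by ACL destination {acl}")
    for dest in manual:
        print(f"{dest}: not in ACL, configure a static route manually")
```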

Configuration procedure

To configure IPsec RRI:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter IPsec policy view or IPsec policy template view.
  Command:
  • To enter IPsec policy view: ipsec { policy | ipv6-policy } policy-name seq-number isakmp
  • To enter IPsec policy template view: ipsec { policy-template | ipv6-policy-template } template-name seq-number
  Remarks: N/A

Step 3. Enable IPsec RRI.
  Command: reverse-route dynamic
  Remarks: By default, IPsec RRI is disabled. IPsec RRI is supported in both tunnel mode and transport mode.

Step 4. (Optional.) Set the preference value for the static routes created by IPsec RRI.
  Command: reverse-route preference number
  Remarks: The default value is 60.

Step 5. (Optional.) Set the tag value for the static routes created by IPsec RRI.
  Command: reverse-route tag tag-value
  Remarks: The default value is 0.