| To do… | Command… | Remarks |
|---|---|---|
| 2. Enable invalid SPI recovery. | ipsec invalid-spi-recovery enable | Optional. Disabled by default. |
Configuring IPsec RRI
IPsec RRI works in static mode or dynamic mode.

1. Static IPsec RRI

Static IPsec RRI creates static routes based on the destination address information in the ACL that the IPsec policy references. The next hop address of the route is a user-specified remote peer address or the IP address of the remote tunnel endpoint.

Static IPsec RRI creates static routes immediately after you enable IPsec RRI in an IPsec policy and apply the IPsec policy. When you disable RRI or remove the ACL or the peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created.

The static mode applies to scenarios where the topologies of branch networks seldom change.

2. Dynamic IPsec RRI

Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. In each static route, the destination address is the address of a protected branch network, and the next hop is the user-specified remote peer address or the remote tunnel endpoint's address learned during IPsec SA negotiation.

Dynamic IPsec RRI creates static routes when the IPsec SAs are established and deletes the static routes when the IPsec SAs are deleted.

The dynamic mode applies to scenarios where the topologies of branch networks change frequently. For example, when branches have dial-in users, configure dynamic IPsec RRI to avoid frequent configuration changes that are otherwise required on the headquarters gateway.
A good practice is to configure IPsec RRI on a headquarters gateway to create static routes for the IPsec tunnels to branches. For the static routes, perform the following operations:

• Change their route preference for ECMP routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them. If multiple routes to the same destination have different preference values, the route with the highest preference forwards traffic, and all other routes are backup routes.

• Change their tag value so that the gateway can control the use of the static routes based on routing policies.
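The following is an added model of the dynamic RRI behaviour described above, not code from this guide or from the vendor: SAs coming up and going down inject and withdraw static routes on the headquarters gateway, and the forwarding choice follows the preference rule for ECMP and backup. Policy names, networks, endpoint addresses and preference values are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class RriPolicy:
    """RRI settings attached to one IPsec policy (constructed example names)."""
    name: str
    preference: int   # lower value = more preferred route
    tag: int = 0      # tag that routing policies on the gateway can match


@dataclass(frozen=True)
class Route:
    dest: str         # protected branch network
    next_hop: str     # remote tunnel endpoint learned during SA negotiation
    preference: int
    tag: int


class HeadquartersGateway:
    """Tracks the static routes that dynamic RRI injects and withdraws."""

    def __init__(self):
        self._routes = {}  # (policy name, SA id) -> Route

    def sa_established(self, policy, sa_id, protected_net, tunnel_endpoint):
        """An IPsec SA comes up: inject a route to the peer's protected network."""
        route = Route(str(ip_network(protected_net)), tunnel_endpoint,
                      policy.preference, policy.tag)
        self._routes[(policy.name, sa_id)] = route
        return route

    def sa_deleted(self, policy, sa_id):
        """The SA is torn down: the route it created is withdrawn."""
        return self._routes.pop((policy.name, sa_id), None)

    def forwarding_next_hops(self, dest):
        """Next hops that carry traffic for dest: all routes sharing the best
        preference load-balance (ECMP); routes with a worse value are backups."""
        dest = str(ip_network(dest))
        candidates = [r for r in self._routes.values() if r.dest == dest]
        if not candidates:
            return []
        best = min(r.preference for r in candidates)
        return sorted(r.next_hop for r in candidates if r.preference == best)

    def routes_with_tag(self, tag):
        """Routes that a routing policy matching on this tag would select."""
        return [r for r in self._routes.values() if r.tag == tag]
```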
To configure IPsec RRI:

| To do… | Command… | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | — |
| 2. Enter IPsec policy view or IPsec policy template view. | ipsec policy policy-name seq-number [ isakmp \| manual ] | Required. Configure either command. |
| | ipsec policy-template template-name seq-number | |