Configuring tunnel interface-based ipsec – H3C Technologies H3C SecPath F1000-E User Manual
Page 197
185
The dynamic mode applies to scenarios where the topologies of branch networks change frequently. For
example, when branches have dial-in users, you can configure dynamic IPsec RRI to avoid frequent
configuration changes that are otherwise required on the headquarters gateway.
A good practice is to configure IPsec RRI on a headquarters gateway to create static routes for the IPsec
tunnels to branches. For the static routes, you can perform the following operations:
•
Change their route preference for equal-cost multipath (ECMP) routing or route backup. If multiple
routes to the same destination have the same preference, traffic is balanced among them. If multiple
routes to the same destination have different preference values, the route with the highest preference
forwards traffic and all other routes are backup routes.
•
Change their tag value so the gateway can control the use of the static routes based on routing
policies.
To configure IPsec RRI:
Step Command
Remarks
1.
Enter system view.
system-view
N/A
2.
Enter IPsec policy view or
IPsec policy template view.
•
To enter IPsec policy view:
ipsec policy policy-name
seq-number [ isakmp | manual ]
•
To enter IPsec policy template
view:
ipsec policy-template
template-name seq-number
Configure either command.
3.
Enable IPsec RRI.
reverse-route [ remote-peer
ip-address [ gateway | static ] |
static ]
Disabled by default.
To enable static IPsec RRI, specify
the static keyword. If the keyword
is not specified, dynamic IPsec
RRI is enabled.
4.
Change the preference of
the static routes created by
IPsec RRI.
reverse-route preference
preference-value
Optional.
60 by default.
5.
Set a tag for the static routes
created by IPsec RRI.
reverse-route tag tag-value
Optional.
0 by default.
NOTE:
•
IPsec RRI can work in both tunnel mode and transport mode.
•
When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates
new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static
routes. It does not delete or modify static routes it has created.
Configuring tunnel interface-based IPsec
NOTE:
The tunnel interface-based IPsec configuration is available only at the CLI.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS