Configuring tunnel interface-based IPsec – H3C Technologies H3C SecPath F1000-E User Manual

Page 197


The dynamic mode applies to scenarios where the topologies of branch networks change frequently. For example, when branches have dial-in users, you can configure dynamic IPsec RRI to avoid frequent configuration changes that are otherwise required on the headquarters gateway.

A good practice is to configure IPsec RRI on a headquarters gateway to create static routes for the IPsec tunnels to branches. For the static routes, you can perform the following operations:

- Change their route preference for equal-cost multipath (ECMP) routing or route backup. If multiple routes to the same destination have the same preference, traffic is balanced among them. If multiple routes to the same destination have different preference values, the route with the highest preference forwards traffic and all other routes are backup routes.

- Change their tag value so the gateway can control the use of the static routes based on routing policies.

To configure IPsec RRI:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Enter IPsec policy view or IPsec policy template view.
  Command:
    To enter IPsec policy view:
      ipsec policy policy-name seq-number [ isakmp | manual ]
    To enter IPsec policy template view:
      ipsec policy-template template-name seq-number
  Remarks: Configure either command.

Step 3. Enable IPsec RRI.
  Command: reverse-route [ remote-peer ip-address [ gateway | static ] | static ]
  Remarks: Disabled by default. To enable static IPsec RRI, specify the static keyword. If the keyword is not specified, dynamic IPsec RRI is enabled.

Step 4. Change the preference of the static routes created by IPsec RRI.
  Command: reverse-route preference preference-value
  Remarks: Optional. 60 by default.

Step 5. Set a tag for the static routes created by IPsec RRI.
  Command: reverse-route tag tag-value
  Remarks: Optional. 0 by default.

NOTE:

- IPsec RRI can work in both tunnel mode and transport mode.

- When you change the route attributes, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new attributes only to subsequent static routes. It does not delete or modify static routes it has created.
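
The following is an added example, not part of the H3C manual: a small audit script that reads a configuration dump and resolves the effective RRI mode, preference, and tag for each IPsec policy or policy template, applying the defaults from the procedure above. The dump layout (view commands indented by one space, "#" between sections), the policy names, and the function names audit and default_tag_injectors are assumptions made for this example.

```python
import re

# Constructed sample, not from the manual. Assumed layout: view commands are
# indented by one space and "#" separates sections.
SAMPLE = """\
#
ipsec policy hq 10 isakmp
 reverse-route static
 reverse-route preference 80
 reverse-route tag 100
#
ipsec policy-template branches 1
 reverse-route
#
ipsec policy hq 20 isakmp
 reverse-route remote-peer 192.0.2.1 static
#
ipsec policy lab 5 manual
#
"""

HEADER = re.compile(r"^ipsec (policy|policy-template) (\S+) (\d+)")
RRI = re.compile(r"^ reverse-route(?: (.+))?$")

def audit(config):
    """Map (kind, name, seq) to RRI settings; defaults: disabled, 60, 0."""
    found, view = {}, None
    for line in config.splitlines():
        head, rri = HEADER.match(line), RRI.match(line)
        if head:
            key = (head.group(1), head.group(2), int(head.group(3)))
            view = found.setdefault(key, {"rri": "disabled", "preference": 60, "tag": 0})
        elif not line.startswith(" "):
            view = None  # "#" or another top-level command ends the view
        elif view is not None and rri:
            args = (rri.group(1) or "").split()
            if len(args) == 2 and args[0] in ("preference", "tag"):
                view[args[0]] = int(args[1])
            else:  # enabling form: static only when the static keyword is present
                view["rri"] = "static" if "static" in args else "dynamic"
    return found

def default_tag_injectors(found):
    """Policies that install RRI routes while leaving the tag at its default 0."""
    return sorted(k for k, v in found.items() if v["rri"] != "disabled" and v["tag"] == 0)

if __name__ == "__main__":
    print(default_tag_injectors(audit(SAMPLE)))
```

Entries returned by default_tag_injectors are the policies whose RRI-created routes keep the default tag, so a routing policy has no distinct tag value to select them by.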

Configuring tunnel interface-based IPsec

NOTE:

The tunnel interface-based IPsec configuration is available only at the CLI.
