Understanding Reverse Route Insertion

Reverse route insertion (RRI) automatically inserts a static route for the remote network and hosts protected by a remote tunnel endpoint. The route is created from the remote IP address configured in the traffic selector: that address is inserted as a route in the routing instance associated with the st0 interface that is bound to the VPN.

Note: Routing protocols and traffic selector configuration are mutually exclusive ways of steering traffic to a tunnel. RRI routes might conflict with routes that are populated through routing protocols. Therefore, you should not configure routing protocols on an st0 interface that is bound to a VPN on which traffic selectors are configured.

RRI routes are inserted in the route table as follows:

  • If the establish-tunnels immediately option is configured at the [edit security ipsec vpn vpn-name] hierarchy level, RRI routes are added after Phase 1 and Phase 2 negotiations are complete. Because a route is not added until SAs are established, a failed negotiation does not result in traffic being routed to an st0 interface that is down. An alternate or backup tunnel is used instead.
  • If the establish-tunnels immediately option is not configured at the [edit security ipsec vpn vpn-name] hierarchy level, RRI routes are added at configuration commit.
  • An RRI route is not added if the configured or negotiated remote address in a traffic selector is 0.0.0.0/0 or 0::0.

The route preference for the static RRI is 5. This value is necessary to avoid conflict with similar routes that might be added by a routing protocol process.
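The rules above can be checked against a device configuration before commit. The following is an added example, not Juniper code: a small Python audit over "set"-format configuration that lists the RRI routes to expect and flags the two cases this page warns about. The VPN names, prefixes and the audit_rri function are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

RRI_PREFERENCE = 5  # static RRI route preference stated on this page
# Constructed sample in Junos "set" format; names and prefixes are illustrative.
SAMPLE_CONFIG = """\
set security ipsec vpn VPN-A bind-interface st0.1
set security ipsec vpn VPN-A establish-tunnels immediately
set security ipsec vpn VPN-A traffic-selector TS1 local-ip 192.168.10.0/24
set security ipsec vpn VPN-A traffic-selector TS1 remote-ip 192.168.20.0/24
set security ipsec vpn VPN-B bind-interface st0.2
set security ipsec vpn VPN-B traffic-selector TS1 local-ip 10.1.0.0/16
set security ipsec vpn VPN-B traffic-selector TS1 remote-ip 0.0.0.0/0
set protocols ospf area 0.0.0.0 interface st0.2
"""

VPN_RE = re.compile(r"^set security ipsec vpn (\S+) (.+)$")
PROTO_RE = re.compile(r"^set protocols (\S+) .*\binterface (st0\.\d+)\b")

def audit_rri(config_text):
    """Return (expected RRI routes, warnings) for VPNs that use traffic selectors."""
    vpns = defaultdict(lambda: {"st0": None, "immediate": False, "remotes": []})
    protocols = defaultdict(set)  # st0 unit -> routing protocols configured on it
    for line in config_text.splitlines():
        if m := VPN_RE.match(line.strip()):
            vpn, words = vpns[m.group(1)], m.group(2).split()
            if words[0] == "bind-interface":
                vpn["st0"] = words[1]
            elif words[:2] == ["establish-tunnels", "immediately"]:
                vpn["immediate"] = True
            elif words[0] == "traffic-selector" and words[2:3] == ["remote-ip"]:
                vpn["remotes"].append(ipaddress.ip_network(words[3], strict=False))
        elif m := PROTO_RE.match(line.strip()):
            protocols[m.group(2)].add(m.group(1))
    routes, warnings = [], []
    for name, vpn in vpns.items():
        if not vpn["remotes"]:
            continue  # no traffic selectors, so RRI does not apply
        when = "after Phase 1 and Phase 2" if vpn["immediate"] else "at commit"
        for net in vpn["remotes"]:
            if net.prefixlen == 0:  # 0.0.0.0/0 or the IPv6 all-zero prefix
                warnings.append(f"{name}: no RRI route for remote-ip {net}")
            else:
                routes.append((str(net), vpn["st0"], RRI_PREFERENCE, when))
        for proto in sorted(protocols.get(vpn["st0"], ())):
            warnings.append(f"{name}: routing protocol {proto} on {vpn['st0']}")
    return routes, warnings
```

On the sample, VPN-A yields one route that appears only once the SAs are up, while VPN-B yields no route and two warnings.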

Modified: 2013-10-16
