Supported Platforms
Understanding Reverse Route Insertion
Reverse route insertion (RRI) automatically inserts a static route for the remote network and hosts protected by a remote tunnel endpoint. A route is created based on the remote IP address configured in the traffic-selector. In the case of traffic selectors, the configured remote address is inserted as a route in the routing instance associated with the st0 interface that is bound to the VPN.
 | Note: Routing protocols and traffic selector configuration are mutually exclusive ways of steering traffic to a tunnel. RRI routes might conflict with routes that are populated through routing protocols. Therefore, you should not configure routing protocols on an st0 interface that is bound to a VPN on which traffic selectors are configured. |
RRI routes are inserted in the route table as follows:
- If the establish-tunnels immediately option is configured at the [edit security ipsec vpn vpn-name] hierarchy level, RRI routes are added after Phase 1 and Phase 2 negotiations are complete. Because a route is not added until SAs are established, a failed negotiation does not result in traffic being routed to a st0 interface that is down. An alternate or backup tunnel is used instead.
- If the establish-tunnels immediately option is not configured at the [edit security ipsec vpn vpn-name] hierarchy level, RRI routes are added at configuration commit.
- An RRI route is not added if the configured or negotiated remote address in a traffic selector is 0.0.0.0/0 or 0::0.
The route preference for the static RRI is 5. This value is necessary to avoid conflict with similar routes that might be added by a routing protocol process.
