Reverse Route Insertion
Static routes are automatically inserted into the route table for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.
Each route is created based on the remote proxy network and prefix length sent by the peer and is inserted in the relevant route table after successful phase 1 and phase 2 negotiations.
The route preference for each of these static reverse routes is 1. This value is necessary to avoid conflict with similar routes that might be added by the routing protocol process (rpd).
No routes are added if the accepted remote proxy address is the default (0.0.0.0/0). In this case, you can run routing protocols over the IPSec tunnel to learn routes and add static routes for the traffic you want to be protected over this tunnel.
For next-hop style service sets, the reverse routes include next hops pointing to the locations specified by the inside-service-interface statements.
The selection of the routing table in which these routes are inserted depends on where you configure the inside-service-interface statement. If these interfaces are present in a VRF routing instance, then routes are added to the corresponding VRF routing table; otherwise, the routes are added to inet.0.
Note: Reverse route insertion takes place only for tunnels to dynamic peers. These routes are added only for next-hop style service sets.
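
The rules above can be combined into a check that predicts which reverse routes should exist for a set of negotiated tunnels and compares them with what the router actually holds. This is an added example, not Juniper code. The function names, interface names, the `vpn-a` instance and all addresses are constructed, and the observed routes are assumed to have been parsed from the device's route tables beforehand. VRF tables are named `<instance>.inet.0`, following the Junos convention.

```python
import ipaddress
from typing import NamedTuple, Optional

RRI_PREFERENCE = 1      # preference of reverse routes, as stated above
MAIN_TABLE = "inet.0"   # used when the inside interface is not in a VRF

class Route(NamedTuple):
    table: str
    prefix: str
    preference: int
    next_hop: str

def expected_rri_route(remote_proxy: str, inside_ifl: str,
                       vrf_of: dict) -> Optional[Route]:
    """Route expected for one negotiated tunnel, or None if none is inserted."""
    net = ipaddress.ip_network(remote_proxy, strict=False)  # bare host -> /32
    if net.prefixlen == 0:
        return None     # default proxy identity 0.0.0.0/0: no reverse route
    instance = vrf_of.get(inside_ifl)
    table = f"{instance}.inet.0" if instance else MAIN_TABLE
    return Route(table, str(net), RRI_PREFERENCE, inside_ifl)

def audit(tunnels, vrf_of, observed):
    """Return (missing, unexpected) routes relative to what the rules predict."""
    expected = {r for t in tunnels if (r := expected_rri_route(*t, vrf_of))}
    seen = set(observed)
    return sorted(expected - seen), sorted(seen - expected)

# Constructed sample data (documentation address ranges, hypothetical names).
VRF_OF = {"sp-1/0/0.3": "vpn-a"}          # inside interface -> VRF instance
TUNNELS = [("192.0.2.0/24", "sp-1/0/0.1"),   # remote proxy id, inside interface
           ("198.51.100.7", "sp-1/0/0.3"),   # host proxy id behind a VRF
           ("0.0.0.0/0", "sp-1/0/0.1")]      # default proxy id: skipped
OBSERVED = [Route("inet.0", "192.0.2.0/24", 1, "sp-1/0/0.1"),
            Route("inet.0", "203.0.113.0/24", 1, "sp-1/0/0.1")]

if __name__ == "__main__":
    missing, unexpected = audit(TUNNELS, VRF_OF, OBSERVED)
    for r in missing:
        print("missing   ", r)
    for r in unexpected:
        print("unexpected", r)
```

A preference-1 route that no negotiated proxy identity accounts for, or an expected route that landed in the wrong table, is worth investigating before trusting the forwarding path.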