ipsec generate-service-route

Function

The ipsec generate-service-route command enables the function of automatic IPSec service route generation.

The undo ipsec generate-service-route command disables the function of automatic IPSec service route generation.

By default, the function of automatic IPSec service route generation is enabled.

This command is supported only on the NetEngine 8000 F1A.

Format

ipsec generate-service-route

undo ipsec generate-service-route

Parameters

None

Views

Tunnel interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
ike          write

Usage Guidelines

When IPSec tunnels are being established, the data flows to be protected need to be defined. The IPSec service route information, such as the IP address and interface of the remote end of the tunnel, determines which tunnel a protected data flow enters. The ipsec generate-service-route command is mainly used in the following two scenarios:

  • When a security policy is used to establish IPSec tunnels, you may not know the IPSec service route information of the remote end (such as the IP address and interface of the remote end). Therefore, static routes cannot be configured manually. In this case, run the ipsec generate-service-route command to enable the function of automatic IPSec service route generation.
  • When IPSec tunnels are established using a security policy, IPSec service routes are generated during IPSec negotiation. If you want to provide the IPSec service routes by configuring static routes instead, first run the undo ipsec generate-service-route command to disable the function of automatic IPSec service route generation.
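
The following audit script is an added example, not Huawei code. It checks a saved configuration for the second scenario: every IPSec tunnel interface that disables automatic service route generation should be named by a static route. The configuration text is constructed, and the script assumes that the undo command appears under the interface in the saved configuration and that static routes use the form ip route-static <destination> <mask> Tunnel<N>.

```python
import re

# Constructed sample in the style of a saved configuration (not real device output).
# Assumed: the undo line is saved under the interface; routes name the tunnel by interface.
SAMPLE_CONFIG = """\
#
interface Tunnel10
 tunnel-protocol ipsec
#
interface Tunnel20
 tunnel-protocol ipsec
 undo ipsec generate-service-route
#
interface Tunnel30
 tunnel-protocol ipsec
 undo ipsec generate-service-route
#
ip route-static 192.0.2.0 255.255.255.0 Tunnel20
#
"""

def audit_service_routes(config: str) -> dict:
    """Map each IPSec tunnel interface to 'auto', 'static' or 'no-route'."""
    tunnels = {}      # name -> {"ipsec": bool, "auto": bool}
    current = None    # tunnel interface view being parsed, if any
    routed = set()    # tunnel interfaces named by a static route
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            m = re.fullmatch(r"interface Tunnel\s*(\d+)", line)
            current = f"Tunnel{m.group(1)}" if m else None
            if current:
                tunnels[current] = {"ipsec": False, "auto": True}  # enabled by default
            m = re.match(r"ip route-static\s+\S+\s+\S+\s+Tunnel\s*(\d+)\b", line)
            if m:
                routed.add(f"Tunnel{m.group(1)}")
        elif current:
            if line == "tunnel-protocol ipsec":
                tunnels[current]["ipsec"] = True
            elif line == "undo ipsec generate-service-route":
                tunnels[current]["auto"] = False
    result = {}
    for name, t in tunnels.items():
        if t["ipsec"]:
            result[name] = "auto" if t["auto"] else ("static" if name in routed else "no-route")
    return result

if __name__ == "__main__":
    print(audit_service_routes(SAMPLE_CONFIG))
```

A tunnel reported as no-route has automatic generation disabled and no static route naming it, so nothing in the configuration specifies that protected data flows enter that tunnel.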

Example

# Enable the function of automatic IPSec service route generation.
<HUAWEI> system-view
[~HUAWEI] interface Tunnel 10
[*HUAWEI-Tunnel10] tunnel-protocol ipsec
[*HUAWEI-Tunnel10] ipsec generate-service-route
Copyright © Huawei Technologies Co., Ltd.