Cisco Packet Data Gateway (PDG)
SecGW Changes in Release 16
SecGW Enhancements for 16.0
Release Change Reference, StarOS Release 16
CSCug99134 - RRI For Remote Access
Feature Changes
RRI Support for RAS IPSec
Security Gateway (SecGW) now supports Reverse Route Injection (RRI) for Remote Access Service (RAS) IPSec
deployment mode.
RRI injects routes in the reverse direction onto the ASR 9000 VSM (IOS-XR blade) so that clear traffic can be routed to
the correct interface on the target VSM. The OneP (ConnectedApps [CA]) library provides the API calls that
CA clients need to communicate with the OneP server (running on IOS-XR).
The RRI feature is used in conjunction with the StarOS SecGW to deal with Site-to-Site (S2S) IPSec SAs. An RRI route
transaction is initiated when a tunnel SA is being created.
For detailed information, see the Security Gateway Administration Guide and the QvPC-VSM System Administration Guide.
Command Changes
ip rri-remote-access
This new command configures RRI remote access mode parameters. This command is only required for Remote Access
Service configurations.
configure
context context_name
ip rri-remote-access { ip_address | next-hop nexthop_address } interface
interface_name [ vrf vrf_name ]
Notes:
ip_address and nexthop_address can be specified in IPv4 dotted-decimal or IPv6 colon-separated-hexadecimal
format.
The next hop IP address is not required for point-to-point and tunnel interfaces.
interface_name specifies the egress interface.
ip rri-route
This new command configures RRI route parameters.
configure
context context_name
ip rri-route network-mode { L2 | L3 } { clear_loopback_ip | rri-ip
virtual_ip_address } { ip_address | next-hop nexthop_address } interface interface_name [
vrf vrf_name ]
end