Whenever an IPSec SA is installed, the prefixes which are to encrypted are routed automatically to the tunnel peer ( a static route is injected to the routing table). When the tunnel terminates, the route is removed from the routing table.
RRI can be used where a spoke needs to form reduntant tunnels to 2 routers(using DPD) where the hub routes inject routes dynamically into internal IGP so that the network knows where the tunnel is terminating. Say, IPSec could terminate in New York and the next time it may terminate in DC and the enterprise IGP has to route accordingly. I have seen it working well on the 1700 and not so well on the VPNSM with 7600.