
(Optional) Configuring IPSec VPN Multi-instance

Context

If an SA is established in manual mode, you can bind a VPN instance to an IPSec tunnel in an IPSec policy. If an SA is established in IKE negotiation mode, you can bind a VPN instance to an IPSec tunnel on an IKE peer. For details, see (Optional) Configuring IPSec VPN Multi-instance.

IPSec IPv6 does not support IPSec VPN Multi-instance.

When multiple branches connect to the headquarters network across the Internet using IPSec, you can configure IPSec VPN multi-instance to isolate the traffic of different branches.

Prerequisites

Before configuring IPSec VPN multi-instance, ensure that the following operations have been performed:

  1. Run the ip vpn-instance vpn-instance-name and route-distinguisher route-distinguisher commands to configure a VPN instance and its RD.

  2. Run the acl [ number ] acl-number vpn-instance vpn-instance-name command to define a VPN instance bound to the ACL used to protect data flows.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ipsec policy policy-name seq-number manual

    An IPSec policy is created in manual mode and the IPSec policy view is displayed.

  3. Run sa binding vpn-instance vpn-instance-name

    A VPN instance is bound to an IPSec tunnel.

    The VPN instance specified by vpn-instance-name must have been created using the ip vpn-instance command, and must be the same as the VPN instance bound to the ACL that is referenced by an IPSec policy.

    The IPSec policy bound to a VPN instance cannot be applied to a Layer 2 interface.
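The consistency rule in step 3 (the bound VPN instance must exist and must match the instance bound to the ACL that the policy references) can be checked offline against a saved configuration. The following Python sketch is an added example, not Huawei code: the sample configuration is constructed, and the `security acl` line is assumed to be the command that references the ACL from the IPSec policy view.

```python
import re

# Constructed sample configuration (not from the page). Command forms follow
# the page; "security acl" is an assumption for how a policy references its ACL.
# branch2 and branch3 are deliberately misconfigured.
SAMPLE = """\
ip vpn-instance vpna
 route-distinguisher 100:1
ip vpn-instance vpnb
 route-distinguisher 100:2
acl number 3001 vpn-instance vpna
acl number 3002 vpn-instance vpnb
ipsec policy branch1 10 manual
 security acl 3001
 sa binding vpn-instance vpna
ipsec policy branch2 10 manual
 security acl 3002
 sa binding vpn-instance vpna
ipsec policy branch3 10 manual
 security acl 3001
 sa binding vpn-instance vpnc
"""

def audit(config):
    """Return (policy, problem) pairs for VPN-instance binding mismatches."""
    instances, acl_vpn, policies, cur = set(), {}, [], None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):
            cur = None  # a non-indented line leaves any policy view
        if m := re.fullmatch(r"ip vpn-instance (\S+)", s):
            instances.add(m[1])
        elif m := re.fullmatch(r"acl (?:number )?(\d+) vpn-instance (\S+)", s):
            acl_vpn[m[1]] = m[2]
        elif m := re.fullmatch(r"ipsec policy (\S+) (\d+) manual", s):
            cur = {"name": f"{m[1]} {m[2]}", "acl": None, "vpn": None}
            policies.append(cur)
        elif cur and (m := re.fullmatch(r"security acl (\d+)", s)):
            cur["acl"] = m[1]
        elif cur and (m := re.fullmatch(r"sa binding vpn-instance (\S+)", s)):
            cur["vpn"] = m[1]
    findings = []
    for p in (p for p in policies if p["vpn"]):  # only policies bound to a VPN
        if p["vpn"] not in instances:
            findings.append((p["name"], f"VPN instance {p['vpn']} was never created"))
        if acl_vpn.get(p["acl"]) != p["vpn"]:
            findings.append((p["name"], f"ACL {p['acl']} is bound to {acl_vpn.get(p['acl'])}, not {p['vpn']}"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{name}: {why}" for name, why in audit(SAMPLE)))
```

A mismatch reported here means traffic selected by the ACL belongs to a different VPN instance than the tunnel it is sent through, which defeats the per-branch isolation the feature is meant to provide.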

Copyright © Huawei Technologies Co., Ltd.