When multiple branches connect to the headquarters network across the Internet using IPSec, you can configure IPSec VPN Multi-instance to isolate the traffic of different branches.
Binding a VPN instance in SA mode
Binding a VPN instance in IKE user mode
When a VPN instance is bound to traffic in SA mode, the device determines the VPN instance to which site traffic passing through the IPSec tunnel belongs by the user type, isolating traffic from different sites. A VPN instance bound in SA mode takes precedence over a VPN instance bound in IKE user mode.
The configuration takes effect only on the initiator of an IPSec tunnel, because the initiator must determine the outbound interface when sending packets. Packets received by the remote peer already carry the VPN attribute, so the remote peer can still receive them even when no VPN instance is specified for it.
If an IPSec policy references an IKE peer bound to a VPN instance, the IPSec policy cannot be applied to a Layer 2 interface.
IPSec IPv6 does not support IPSec VPN Multi-instance.
Before configuring IPSec VPN multi-instance, ensure that the following operations have been performed:
Run the ip vpn-instance vpn-instance-name and route-distinguisher route-distinguisher commands to configure a VPN instance and its RD.
(Optional) Run the ip binding vpn-instance vpn-instance-name command to bind the VPN instance to an IPSec tunnel interface where an IPSec policy has been applied.
When the tunnel interface is used for inter-VPN forwarding, perform this step. You are advised to use the tunnel interface for inter-VPN forwarding.
Run the acl [ number ] acl-number vpn-instance vpn-instance-name command to bind a VPN instance to the ACL that defines the data flows to be protected.
Run system-view
The system view is displayed.
Run ike peer peer-name
An IKE peer is created and the IKE peer view is displayed.
Run sa binding vpn-instance vpn-instance-name
A VPN instance that IPSec tunnel traffic belongs to is specified.
By default, a VPN instance that IPSec tunnel traffic belongs to is not configured.
The VPN instance specified by vpn-instance-name must have been created using the ip vpn-instance command, and must be the same as the VPN instance bound to the IPSec tunnel interface where an IPSec policy has been applied or bound to the ACL that is referenced by an IPSec policy.
Run system-view
The system view is displayed.
Run ike user-table user-table-id
An IKE user table is created and its view is displayed, or the view of an existing IKE user table is displayed directly.
Run user user-name
An IKE user is created and its view is displayed, or the view of an existing IKE user is displayed directly.
Run vpn-instance-traffic { public | name vpn-instance-name }
A VPN instance corresponding to user traffic of the IKE user table is configured.
By default, the VPN instance corresponding to user traffic of the IKE user table is not configured.
The VPN instance specified by vpn-instance-name must have been created using the ip vpn-instance command, and must be the same as the VPN instance bound to the IPSec tunnel interface where an IPSec policy has been applied or bound to the ACL that is referenced by an IPSec policy.
Run quit
Return to the IKE user table view.
Run quit
Return to the system view.
Run ike peer peer-name
The IKE peer view is displayed.
Run user-table user-table-id
An IKE user table is referenced in the IKE peer.
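The following constructed configuration (an added example, not from the page or from any Huawei document) puts both procedures together: branch A uses SA mode and branch B uses IKE user mode, each with its own VPN instance. Lines beginning with # are explanatory comments rather than CLI input; the vpn-instance names, RDs, addresses, ACL numbers and the ipsec policy, remote-address, pre-shared-key and interface commands are assumptions about generic VRP syntax and may differ by product and version.

```text
system-view
# Pre-configuration: VPN instances with their RDs
ip vpn-instance vpnA
 route-distinguisher 100:1
 quit
ip vpn-instance vpnB
 route-distinguisher 100:2
 quit
# Branch A, SA mode. The ACL that selects the protected flows is bound to
# vpnA and the IKE peer's SA binding must name the same instance.
acl number 3001 vpn-instance vpnA
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.2.1.0 0.0.0.255
 quit
ike peer branchA
 sa binding vpn-instance vpnA
 remote-address 198.51.100.10
 pre-shared-key cipher <placeholder-key>
 quit
# Branch B, IKE user mode. The VPN instance is set per IKE user; the peer
# only references the user table. The ACL for branch B is bound to vpnB.
acl number 3002 vpn-instance vpnB
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.3.1.0 0.0.0.255
 quit
ike user-table 1
 user branchB
  vpn-instance-traffic name vpnB
  quit
 quit
ike peer branchB
 user-table 1
 remote-address 198.51.100.20
 pre-shared-key cipher <placeholder-key>
 quit
# IPSec policies tie each ACL to its peer (proposal prop1 assumed to exist)
ipsec policy branch 10 isakmp
 security acl 3001
 ike-peer branchA
 proposal prop1
 quit
ipsec policy branch 20 isakmp
 security acl 3002
 ike-peer branchB
 proposal prop1
 quit
# Apply on a Layer 3 interface only; both peers are bound to VPN instances,
# so this policy cannot be applied to a Layer 2 interface.
interface GigabitEthernet0/0/1
 ipsec policy branch
 quit
```

The check worth making before enabling the tunnel is that the name in sa binding vpn-instance (or vpn-instance-traffic) is identical to the one on the ACL or tunnel interface the policy uses; a mismatch means the traffic is not placed in the intended instance.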