
flow-vrf check disable

Function

The flow-vrf check disable command disables the check of the VPN instance in a data flow during IPSec encryption/decryption.

The undo flow-vrf check disable command enables the check of the VPN instance in a data flow during IPSec encryption/decryption.

By default, the device checks the VPN instance in data flows during IPSec encryption/decryption.

Format

flow-vrf check disable

undo flow-vrf check disable

Parameters

None

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec SA protects the traffic of only one VPN instance. When a peer receives an encrypted packet, it decrypts the packet, looks up a route in the VPN instance bound to the SA, and forwards the packet through the matching interface. Before sending the packet, the device checks that the VPN instance of the data flow is consistent with the VPN instance of the SA. If the two differ, it discards the packet.

When a branch connects to the headquarters and multiple VPNs are deployed at the headquarters, the branch accesses different VPNs depending on the service. The headquarters' IPSec tunnel can be bound to only one VPN instance, so the VPNs import routes from each other to forward inter-VPN traffic. A packet that arrives over the tunnel but is routed into another VPN instance then fails the consistency check and is discarded. To prevent this, run the flow-vrf check disable command so that the device does not check the VPN instance in data flows during IPSec encryption/decryption.

Precautions

If VPNs import routes from each other for inter-VPN traffic forwarding, the IP address ranges of these VPNs must not overlap; otherwise the imported routes are ambiguous.
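The following script is an added illustration of the forwarding decision described in the Usage Scenario and of the overlap precaution above. It is not Huawei code and does not reproduce the device's internal implementation: it is a small model in which each VPN instance holds routes tagged with the VPN instance that owns the route's egress interface, so an imported route keeps the tag of the instance it came from. The two headquarters VPN instances, their prefixes and the packet addresses are constructed sample data.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class VpnInstance:
    """A VPN instance (VRF): its name plus routes keyed by prefix.

    The value is the name of the VPN instance that owns the egress interface
    of that route. For the instance's own routes it is its own name; for
    routes imported from another instance it stays that instance's name,
    which is what the VPN instance consistency check compares against.
    (Modelling assumption for this example, not a statement about the device.)
    """
    name: str
    routes: Dict[str, str] = field(default_factory=dict)

    def own_prefixes(self) -> List[str]:
        return [p for p, owner in self.routes.items() if owner == self.name]


def import_routes(dst: VpnInstance, src: VpnInstance) -> None:
    """Import src's routes into dst without overriding dst's existing ones."""
    for prefix, owner in src.routes.items():
        dst.routes.setdefault(prefix, owner)


def longest_match(vpn: VpnInstance, dst_ip: str) -> Optional[Tuple[object, str]]:
    """Longest-prefix lookup in one VPN instance: (network, egress_vpn) or None."""
    addr = ip_address(dst_ip)
    best = None
    for prefix, owner in vpn.routes.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best


def forward_decrypted(sa_vpn: VpnInstance, dst_ip: str,
                      flow_vrf_check: bool = True) -> str:
    """Decide the fate of a packet just decrypted under an SA bound to sa_vpn.

    The route is looked up in the SA's VPN instance. With the check enabled
    (the default) a route whose egress interface belongs to a different VPN
    instance is inconsistent and the packet is dropped; after
    'flow-vrf check disable' the packet is forwarded through that instance.
    """
    match = longest_match(sa_vpn, dst_ip)
    if match is None:
        return "drop:no-route"
    _, egress_vpn = match
    if flow_vrf_check and egress_vpn != sa_vpn.name:
        return f"drop:vrf-mismatch({sa_vpn.name}->{egress_vpn})"
    return f"forward:{egress_vpn}"


def overlapping_prefixes(vpns: List[VpnInstance]) -> List[Tuple[str, str, str, str]]:
    """Precondition for mutual route import: the instances' own prefixes must
    not overlap. Returns every (vpn_a, prefix_a, vpn_b, prefix_b) that does."""
    found = []
    for i, a in enumerate(vpns):
        for b in vpns[i + 1:]:
            for pa in a.own_prefixes():
                for pb in b.own_prefixes():
                    if ip_network(pa).overlaps(ip_network(pb)):
                        found.append((a.name, pa, b.name, pb))
    return found


def build_headquarters() -> Tuple[VpnInstance, VpnInstance]:
    """Constructed sample: two headquarters VPN instances that import each
    other's routes. The IPSec tunnel's SA is bound to vpn-crm only."""
    crm = VpnInstance("vpn-crm", {"10.1.0.0/16": "vpn-crm"})
    erp = VpnInstance("vpn-erp", {"10.2.0.0/16": "vpn-erp"})
    import_routes(crm, erp)
    import_routes(erp, crm)
    return crm, erp


if __name__ == "__main__":
    crm, erp = build_headquarters()
    print(overlapping_prefixes([crm, erp]))            # [] -> safe to import routes
    # Branch packet for the ERP VPN arrives over the SA bound to vpn-crm.
    print(forward_decrypted(crm, "10.2.5.5"))          # dropped with the default check
    print(forward_decrypted(crm, "10.2.5.5", False))   # forwarded after flow-vrf check disable
    print(forward_decrypted(crm, "10.1.5.5"))          # same-VPN traffic is unaffected
```

Run overlapping_prefixes() against the real prefix lists before enabling mutual import and before disabling the check: once the check is off, an overlapping prefix is no longer caught at forwarding time, so the packet would simply follow whichever route wins the lookup.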

Example

# Disable the device from checking the VPN instance in data flows during IPSec encryption/decryption.
<sysname> system-view
[sysname] ipsec policy poli 10 isakmp
[sysname-ipsec-policy-isakmp-poli-10] flow-vrf check disable
Copyright © Huawei Technologies Co., Ltd.