sa binding vpn-instance

Function

The sa binding vpn-instance command binds a VPN instance to an IPSec tunnel.

The undo sa binding vpn-instance command deletes a VPN instance from an IPSec tunnel.

By default, no VPN instance is bound to an IPSec tunnel.

The virtual system does not support this command.

Format

sa binding vpn-instance vpn-instance-name

undo sa binding vpn-instance

Parameters

Parameter: vpn-instance-name
Description: Specifies the name of the VPN instance to be bound to an IPSec tunnel.
Value: The value must be an existing VPN instance name.

Views

IKE peer view, manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When multiple branches are connected to the headquarters network across the Internet using IPSec, you can run the sa binding vpn-instance command to bind each VPN instance to an IPSec tunnel, thereby isolating the traffic of different branches.

When configuring IPSec multi-instance, note the following points:
  • If an IPSec policy is created using IKE and no VPN instance is specified, run the sa binding vpn-instance command in the IKE peer view to specify the VPN instance bound to the IPSec tunnel. The bound domain must be the same as the domain bound to the virtual interface that is generated during VPN instance creation.
  • If an IPSec policy is created manually, run the sa binding vpn-instance command in the manual IPSec policy view to specify the VPN instance bound to the IPSec tunnel.
  • In IPSec multi-instance, the decrypted packets inspection function identifies the security zone of decapsulated packets. Therefore, the decrypted packets inspection function must be enabled.

Prerequisites

The VPN instance has been created using the ip vpn-instance command and the route distinguisher (RD) has been configured for the VPN instance using the route-distinguisher command.

Precautions

The VPN instance specified by the sa binding vpn-instance command must be the same as the VPN instance bound to the ACL referenced by the IPSec tunnel.

IPSec IPv6 does not support IPSec VPN Multi-instance.

Example

# Configure the VPN instance vpna that IPSec tunnel traffic belongs to in the IPSec policy in manual mode.

<sysname> system-view
[sysname] ip vpn-instance vpna
[sysname-vpn-instance-vpna] ipv4-family
[sysname-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[sysname-vpn-instance-vpna-af-ipv4] quit
[sysname-vpn-instance-vpna] quit
[sysname] ipsec policy policy1 100 manual
[sysname-ipsec-policy-manual-policy1-100] sa binding vpn-instance vpna
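
The Prerequisites and Precautions above can be checked offline against a saved configuration before a mismatch sends branch traffic through the wrong instance. The following Python check is an added example, not Huawei code, and covers manual IPSec policies only. The sample configuration is constructed, and the "acl number N vpn-instance NAME" and "security acl N" line forms are assumptions that do not appear on this page.

```python
import re

# Constructed sample. The "acl number N vpn-instance NAME" and "security acl N"
# line forms are assumptions; the other commands appear on this page.
SAMPLE_CONFIG = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
ip vpn-instance vpnb
acl number 3000 vpn-instance vpna
ipsec policy policy1 100 manual
 security acl 3000
 sa binding vpn-instance vpna
ipsec policy policy1 200 manual
 security acl 3000
 sa binding vpn-instance vpnb
ipsec policy policy1 300 manual
 sa binding vpn-instance vpnc
"""

def parse_blocks(config):
    """Split into (header, [child lines]) at each unindented command line."""
    parts = re.split(r"^(?=\S)", config, flags=re.M)
    split = ([l.strip() for l in p.splitlines() if l.strip()] for p in parts)
    return [(ls[0], ls[1:]) for ls in split if ls]

def child_arg(body, prefix):
    """Last word of the first child line starting with prefix, else None."""
    return next((l.split()[-1] for l in body if l.startswith(prefix)), None)

def audit(config):
    """Return (policy, problem) pairs for manual policies that break the rules."""
    blocks, has_rd, acl_vpn, findings = parse_blocks(config), {}, {}, []
    for head, body in blocks:
        if m := re.fullmatch(r"ip vpn-instance (\S+)", head):
            has_rd[m[1]] = child_arg(body, "route-distinguisher ") is not None
        elif m := re.fullmatch(r"acl number (\d+)(?: vpn-instance (\S+))?", head):
            acl_vpn[m[1]] = m[2]
    for head, body in blocks:
        bound = child_arg(body, "sa binding vpn-instance ")
        if not re.fullmatch(r"ipsec policy \S+ \d+ manual", head) or bound is None:
            continue  # not a manual policy, or default (no VPN instance bound)
        acl = child_arg(body, "security acl ")
        if not has_rd.get(bound):
            findings.append((head, f"VPN instance {bound} is missing or has no RD"))
        if acl in acl_vpn and acl_vpn[acl] != bound:
            findings.append((head, f"ACL {acl} is bound to {acl_vpn[acl]}, not {bound}"))
    return findings
```
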
Copyright © Huawei Technologies Co., Ltd.