Virtual Routing and Forwarding allows a router to handle multiple  independent instances of a routing table. Therefore a single router can  handle overlapping IP addresses and routes, provided that they are in  different VRF instances.


This has an impact on all protocols handling interfaces, IP addresses  or routes. In the case of IPsec, Security Policies (SPs) and Security  Associations (SAs) are extended with VRF information to take into  account the VRF of the packets before and after IPsec processing. As a  result of this, the IKE protocol, which is responsible for dynamically  negotiating SPs and SAs, also handles VRFs.


For performance reasons, 6WIND has extended its IKE daemon to handle  multiple VRFs, instead of using one daemon per VRF instance. The IKE  daemon’s APIs, configuration interfaces (configuration files and tools,  CLI), kernel interface (IKE UDP socket), IKE protocol implementation and  test tools have been extended to support VRF identifiers.


We would be happy to hear about your IKE and Virtual Routing use  cases. Please don’t hesitate to provide feedback using the comments  section.