You can configure Internet Key Exchange (IKE) gateway IP addresses that are present in a VPN routing and forwarding (VRF) instance as long as the peer is reachable through the VRF instance.
For next-hop service sets, the key management process (kmd) places the IKE packets in the routing instance that contains the outside-service-interface value you specify, as in this example:
- routing-instances vrf-nxthop {
- instance-type vrf;
- interface sp-1/1/0.2;
- ...
- }
- services service-set service-set-1 {
-
- next-hop-service {
- inside-service-interface sp-1/1/0.1;
- outside-service-interface sp-1/1/0.2;
- }
- ...
- }
For interface service sets, the service-interface statement determines the VRF, as in this example:
- routing-instances vrf-intf {
- instance-type vrf;
- interface sp-1/1/0.3;
- interface ge-1/2/0.1; # interface on which service set
is applied
- ...
- }
- services service-set service-set-2 {
-
- interface-service {
- service-interface sp-1/1/0.3;
- }
- ...
- }