VRF-aware IPsec


Could there be a possibility to implement this?

The logic is easy:

A router has 1 ISP address in VRF global, it also has 1 VTI in VRF 1 with subnet A and 1 VTI in VRF 2 with subnet A.

Subnet A is identical in both VRFs.

VPN to peer 1 always has to go to VRF 1 and VPN to peer 2 always has to go to VRF 2. This implies the router must decrypt the tunnel in the default VRF and dump it into the corresponding VRF.

I only found a mention of it in 2019 https://marc.info/?l=strongswan-users&m=117012853817126
and in charon https://wiki.strongswan.org/issues/3545
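
The layout described in the post, sketched for Linux as an added example that is not part of the original post or of strongSwan's own documentation: it uses XFRM interfaces in place of VTI devices, and every VRF name, table id, if_id, interface name and address is a constructed placeholder. It assumes a kernel that allows an XFRM interface to be enslaved to a VRF, and strongSwan connections whose `if_id_in`/`if_id_out` are set to the matching id.

```shell
#!/bin/sh
# Added example. VRF names, table ids, if_ids, interface names and the subnet
# are constructed placeholders, not values from the post.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 runs them (needs root).
DRY_RUN="${DRY_RUN:-1}"
UNDERLAY="${UNDERLAY:-eth0}"          # ISP-facing interface, left in the default VRF
SUBNET_A="${SUBNET_A:-10.0.0.0/24}"   # identical remote subnet behind both peers
USED_IF_IDS=""

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# add_vrf_tunnel <vrf> <table> <if_id> <xfrm-ifname>
add_vrf_tunnel() {
    vrf=$1 table=$2 if_id=$3 ifname=$4
    # The if_id ties an IPsec SA to one interface, so it must be a non-zero
    # number that no other tunnel uses (0 means "no interface id").
    case "$if_id" in
        ''|*[!0-9]*|0*) echo "invalid if_id: $if_id" >&2; return 1 ;;
    esac
    case " $USED_IF_IDS " in
        *" $if_id "*) echo "if_id $if_id already in use" >&2; return 1 ;;
    esac
    USED_IF_IDS="$USED_IF_IDS $if_id"

    run ip link add "$vrf" type vrf table "$table"
    run ip link set "$vrf" up
    # "dev" names the underlay, which stays in the default VRF ...
    run ip link add "$ifname" type xfrm dev "$UNDERLAY" if_id "$if_id"
    # ... while the decrypted traffic enters the VRF that owns the interface.
    run ip link set "$ifname" master "$vrf"
    run ip link set "$ifname" up
    # Same prefix in every VRF; each route lives in that VRF's own table.
    run ip route add "$SUBNET_A" dev "$ifname" table "$table"
}

build_plan() {
    USED_IF_IDS=""
    # Assumed strongSwan side: peer 1 uses if_id_in/if_id_out = 1, peer 2 uses 2.
    add_vrf_tunnel vrf1 101 1 ipsec1 || return 1
    add_vrf_tunnel vrf2 102 2 ipsec2 || return 1
}

build_plan
```

Run as is, it prints the command plan; the overlapping subnet is safe only as long as each peer's SAs carry a distinct if_id, which is why the function refuses a reused or zero id.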