VRP3.4 Operation Manual (V3.46a): 09-Security Operation 9.4.5. IPSec/IKE Multi-instance Configuration Example. There is a mistake in this example. We cannot ping the address 126.96.36.199 or network 188.8.131.52 on the CE1 router from the CE2 router with the source addresses 184.108.40.206 or 220.127.116.11. After the ping, the IPSec tunnel between CE2 and PE2 is established, but not the one between CE1 and PE1. But if we then ping the address 126.96.36.199 or network 188.8.131.52 from the CE1 router with the source addresses 18.104.22.168 or 22.214.171.124, the IPSec tunnel is established and these addresses are available. Besides, there is a mistake in the ACL configuration on the PE routers. We have to use the VPN-instance in the ACL configuration.
So the question is: where is the mistake in this configuration?
I have checked the newest software version. Everything works properly. Below you can find the improved configuration of ACL on PE routers.
acl number 3000
rule 0 permit ip vpn-instance vrf source 184.108.40.206 0.0.0.255 destination 21.21
rule 1 permit ip vpn-instance vrf source 220.127.116.11 0 destination 18.104.22.168 0
I suggest using this software version or later when you configure IPSec MPLS.
Confirmed that it's a software bug and you can get the new version in January 2007.
(On 12/31/2006 17:28:39, Level 3 solution:)
The version VRP3.4-0109P21 has been released.
Technical Support Department examines the opinion: The version VRP3.4-0109P21 has been released.
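The ACL correction posted above binds each rule to the VPN instance. The following check is an added example, not part of the original thread or of Huawei's documentation: it scans a saved configuration for permit rules in the ACLs used for IPSec that are missing the vpn-instance keyword or name a different instance. The function name, the sample configuration and its addresses (documentation ranges) are constructed for illustration; only the rule syntax and the instance name "vrf" come from the thread.

```python
import re

ACL_RE = re.compile(r"^acl number (\d+)\s*$")
# Permit rules select the traffic IPSec protects, so only those are audited.
RULE_RE = re.compile(r"^rule (\d+) permit (\S+)(.*)$")
VPN_RE = re.compile(r"\bvpn-instance (\S+)")

# Constructed sample; addresses are RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
acl number 3000
 rule 0 permit ip source 192.0.2.0 0.0.0.255 destination 198.51.100.0 0.0.0.255
 rule 1 permit ip vpn-instance vrf source 203.0.113.1 0 destination 203.0.113.2 0
 rule 2 permit ip vpn-instance other source 203.0.113.3 0 destination 203.0.113.4 0
acl number 3001
 rule 0 permit ip source 192.0.2.0 0.0.0.255 destination 198.51.100.0 0.0.0.255
#
"""


def audit_acl_vpn_instance(config_text, acl_numbers, expected_instance):
    """Return (acl, rule_id, problem) for each permit rule in the listed
    ACLs that is not bound to expected_instance."""
    findings = []
    current_acl = None
    for raw in config_text.splitlines():
        line = raw.strip()
        acl = ACL_RE.match(line)
        if acl:
            current_acl = int(acl.group(1))
            continue
        rule = RULE_RE.match(line)
        if rule is None:
            # An unindented non-rule line (e.g. "#") ends the ACL section.
            if line and not raw[0].isspace():
                current_acl = None
            continue
        if current_acl not in acl_numbers:
            continue
        vpn = VPN_RE.search(rule.group(3))
        if vpn is None:
            findings.append((current_acl, int(rule.group(1)), "no vpn-instance"))
        elif vpn.group(1) != expected_instance:
            findings.append((current_acl, int(rule.group(1)),
                             "vpn-instance " + vpn.group(1)))
    return findings


if __name__ == "__main__":
    for finding in audit_acl_vpn_instance(SAMPLE_CONFIG, {3000}, "vrf"):
        print("acl %d rule %d: %s" % finding)
```

Rule lines are accepted with or without leading indentation, so output pasted the way it appears in this thread is handled as well.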