Is it possible to have IPSec policies/instances apply to packets being processed in a particular VRF? As far as I can tell IPSec policies override any VRF set up, processing all packets from all VRF domains (main included).
Regards,
Enrico.
Not in a VRF safe way, as far as i know.
I recommend doing IPSec before the packets enters the VRF (or after the packets leave the VRF).