The invention provides a method and device for establishing an Internet safety protocol safety alliance. In the embodiment of the invention, a VRF identifier is carried in a negotiation message as a part of the characteristics of the flow needed to be protected for exchange in an IKE negotiation process, for example, a first negotiation message carries a VRF identifier of a first logic device, a second negotiation message carries a VRF identifier of a second logic device, an IPSec SA is established through IKE negotiation according to various VRF identifiers, and various IPSec SAs are chosen to be encrypted for the flow of various VRF identifiers according to a safety strategy. The method and device can realize that the operator provides the IP spaces which can be independently programmed to various logic devices on the basis of the VRF identifier, provides a fully isolate IPSec protection function and realizes the flow distinguishing between various companies. Besides, one IP address is adopted to protect the flows of multiple companies in order to save the IP address source of the public network.