One SA per subnet pair.....

dgoodridge
Level 1

Hi All,

I'll shortly be setting up a new L2L VPN between a Checkpoint and an ASA. To cut a long story short, the Checkpoint end is configured to negotiate 'one SA per subnet pair' within its tunnel management settings. This will have to stay this way.

So the question is: is there an equivalent setting for an ASA (ASDM and/or CLI) or, failing that, does anyone know its default behaviour regarding SA creation?

Just trying to avoid pitfalls before I start.

Many thanks,

Doug

2 Replies

Jon Marshall
Hall of Fame

Doug

IPSEC SAs are negotiated per entry in your acl on the ASA. So if you have a crypto map acl with 3 entries that will create 2 SAs per acl entry, 2 because IPSEC SAs are unidirectional.

So it sounds like the checkpoint is behaving in exactly the same way as it should as IPSEC is a standard.

Jon

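As an added illustration of Jon's point (this is not code from the original thread or from either vendor), the ASA side of such a tunnel is usually built by writing one crypto map ACL entry per local/remote subnet pair rather than one summarised entry, so that the proxy IDs the ASA proposes match what a Check Point set to 'one SA per subnet pair' expects. The script below generates those ACL lines with ASA-style netmasks from a list of subnets and reports how many IPsec SAs to expect on `show crypto ipsec sa` once every pair has carried traffic (two per entry, one per direction). The subnets, ACL name, crypto map name, peer address and transform-set name are constructed placeholders, not values from the thread.

```python
import ipaddress
from itertools import product

# Constructed sample input: hypothetical subnets, not from the original thread.
LOCAL_SUBNETS = ["10.1.0.0/16", "10.2.0.0/24"]
REMOTE_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "172.16.0.0/12"]


def acl_entries(acl_name, local_subnets, remote_subnets):
    """Return one ASA 'permit ip' line per (local, remote) subnet pair.

    Leaving the entries unsummarised makes the ASA propose the same
    traffic selectors (proxy IDs) that a Check Point configured for
    'one SA per subnet pair' will offer, so every pair gets its own SA.
    ASA ACLs take real netmasks, not wildcard masks.
    """
    lines = []
    for local, remote in product(local_subnets, remote_subnets):
        l_net = ipaddress.ip_network(local, strict=True)
        r_net = ipaddress.ip_network(remote, strict=True)
        lines.append(
            f"access-list {acl_name} extended permit ip "
            f"{l_net.network_address} {l_net.netmask} "
            f"{r_net.network_address} {r_net.netmask}"
        )
    return lines


def expected_ipsec_sa_count(entries):
    """IPsec SAs are unidirectional, so expect two per ACL entry
    (one inbound, one outbound) once all pairs have passed traffic."""
    return 2 * len(entries)


def crypto_map_config(acl_name, peer_ip, map_name="OUTSIDE_MAP", seq=10):
    """Minimal crypto map entry binding the ACL to the peer.

    The map name, sequence number and transform-set name are
    placeholders (assumptions); the transform set and IKE policy must
    already exist on the box.
    """
    return [
        f"crypto map {map_name} {seq} match address {acl_name}",
        f"crypto map {map_name} {seq} set peer {peer_ip}",
        f"crypto map {map_name} {seq} set ikev1 transform-set ESP-AES-256-SHA",
        f"crypto map {map_name} interface outside",
    ]


if __name__ == "__main__":
    acl = acl_entries("VPN-TO-CP", LOCAL_SUBNETS, REMOTE_SUBNETS)
    for line in acl:
        print(line)
    for line in crypto_map_config("VPN-TO-CP", "203.0.113.1"):
        print(line)
    print(f"! expect {expected_ipsec_sa_count(acl)} IPsec SAs "
          f"in 'show crypto ipsec sa' once all pairs are up")
```

Two checks worth doing once the tunnel is built: `show crypto ipsec sa` should list one SA pair per ACL line (only pairs that have actually passed traffic will appear), and if the ASA instead shows a single SA covering several subnets, the ACL has been summarised and the Check Point will typically reject the proposal as a proxy-ID mismatch.
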
Many thanks Jon.