Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

IPSec Manual and SPI question

Unanswered Question
Nov 14th, 2002
User Badges:

Hi all,

We are impelementing IPSec manual site to site because other site doesn't

support IKE. I know that if you implement IPSec manual keying

-- ACL's for crypto map entries tagged as ipsec-manual are restricted to as

single permit entry and subsequent entries are ignored.

-- The SAs established by a manual crypto map entry are only for a single

data flow.

IKE doesn't have any restrictions like that. Is this because of IKE

automatically assigns SPI numbers to the other permit entries for the same

access-list. Or is there any other reason?

I know the solution for the IPSec manual restriction of permit entries. I

want to know why is this restriction. Because of one SPI for one permit


Any help will be really appreciated.

Best regards,

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
gfullage Mon, 11/18/2002 - 19:56
User Badges:
  • Cisco Employee,

Basically yes. Each line in your ACL actually builds a separate tunnel, with unique SPI's. If you use manual keys, you can only provide one set of SPI's, and therefore, the router/firewall can only build one tunnel, hence only one line in your ACL.

With IKE, it dynamically creates unique SPI's per tunnel/ACL line, and therefore you're not limited.

btimuralp Tue, 11/19/2002 - 00:46
User Badges:

I was expecting this answer, thanks.

Best regards,


This Discussion