11-14-2002 08:31 AM - edited 02-21-2020 12:10 PM
Hi all,
We are implementing IPsec manual site to site because the other site doesn't
support IKE. I know that if you implement IPsec manual keying:
-- ACLs for crypto map entries tagged as ipsec-manual are restricted to a
single permit entry, and subsequent entries are ignored.
-- The SAs established by a manual crypto map entry are only for a single
data flow.
IKE doesn't have any restrictions like that. Is this because IKE
automatically assigns SPI numbers to the other permit entries for the same
access-list, or is there any other reason?
I know the solution for the IPsec manual restriction of permit entries. I
want to know why this restriction exists. Is it because of one SPI for one
permit entry?
Any help will be really appreciated.
Best regards,
11-18-2002 07:56 PM
Basically yes. Each line in your ACL actually builds a separate tunnel, with unique SPIs. If you use manual keys, you can only provide one set of SPIs, and therefore the router/firewall can only build one tunnel, hence only one line in your ACL.
With IKE, it dynamically creates unique SPIs per tunnel/ACL line, and therefore you're not limited.
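The two configurations described in the answer, as an added Cisco IOS example that is not part of the original thread. Peer address, networks, map names, SPIs and key placeholders are all constructed; only one crypto map can be applied to an interface, so the two maps are alternatives, not a combined setup.

```cisco
! Manual-keyed crypto map: one static SPI pair, so only ONE data flow.
! All addresses, SPIs and <KEY> placeholders below are constructed.
crypto ipsec transform-set SITE-TS esp-3des esp-sha-hmac

access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! A second permit line in ACL 101 would be ignored by an ipsec-manual
! entry; only the first permit line gets the one SA pair configured below.

crypto map VPN-MANUAL 10 ipsec-manual
 set peer 203.0.113.2
 set transform-set SITE-TS
 ! inbound SA: SPI 1000; 3DES key = 48 hex digits, SHA-1 key = 40 hex digits
 set session-key inbound esp 1000 cipher <48-HEX-KEY> authenticator <40-HEX-KEY>
 ! outbound SA: SPI 1001; must equal the peer's inbound SPI and keys
 set session-key outbound esp 1001 cipher <48-HEX-KEY> authenticator <40-HEX-KEY>
 match address 101
! Keys and SPIs never change unless an operator edits both ends.

! IKE-negotiated crypto map: the ACL may carry several permit lines,
! because IKE negotiates a fresh SA pair (its own SPIs) per matching flow.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2

access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255

crypto map VPN-IKE 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set SITE-TS
 match address 102

interface Serial0/0
 crypto map VPN-IKE
```

With VPN-IKE applied, `show crypto ipsec sa` lists a separate inbound/outbound SPI pair for each of the two permit lines in ACL 102; with VPN-MANUAL applied, only the SPIs 1000/1001 exist.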
11-19-2002 12:46 AM
I was expecting this answer, thanks.
Best regards,