IPSec Manual and SPI question

btimuralp
Level 1

Hi all,

We are implementing IPSec manual site to site because the other site doesn't support IKE. I know that if you implement IPSec manual keying:

-- ACLs for crypto map entries tagged as ipsec-manual are restricted to a single permit entry and subsequent entries are ignored.

-- The SAs established by a manual crypto map entry are only for a single data flow.

IKE doesn't have any restrictions like that. Is this because IKE automatically assigns SPI numbers to the other permit entries for the same access-list, or is there another reason?

I know the solution for the IPSec manual restriction of permit entries. I want to know why this restriction exists. Is it because of one SPI for one permit entry?

Any help will be really appreciated.

Best regards,

2 Replies

gfullage
Cisco Employee

Basically yes. Each line in your ACL actually builds a separate tunnel, with unique SPIs. If you use manual keys, you can only provide one set of SPIs, and therefore the router/firewall can only build one tunnel, hence only one line in your ACL.

With IKE, it dynamically creates unique SPIs per tunnel/ACL line, and therefore you're not limited.
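To make the answer above concrete, here is the difference expressed as Cisco IOS configuration. This is an added, constructed example; it is not configuration from the original poster or from Cisco, and the interface name, addresses, crypto map names, SPI numbers and key placeholders are all assumptions. The point it shows: an ipsec-manual crypto map carries exactly one inbound and one outbound SPI (one SA pair), so only one permit line can be keyed, whereas an ipsec-isakmp map lets IKE negotiate a fresh SA pair, with its own SPIs, for every permit line.

```cisco
! Site A router (constructed example). 10.1.1.0/24 and 10.1.3.0/24 are local,
! 10.2.2.0/24 is remote, 203.0.113.2 is the peer's public address (all placeholders).
crypto ipsec transform-set TS esp-aes esp-sha-hmac

! --- Manual keying: one SA pair, so only the first permit line is used ---
! The second permit line is the kind of entry IOS ignores for an ipsec-manual map.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 101 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255

crypto map MANUAL-MAP 10 ipsec-manual
 set peer 203.0.113.2
 set transform-set TS
 match address 101
 ! Exactly one inbound SPI and one outbound SPI with their keys: this is the
 ! single SA pair the map can build. The peer configures the mirror image
 ! (its inbound SPI/keys are our outbound ones, and vice versa).
 ! AES-128 key = 32 hex digits, HMAC-SHA-1 key = 40 hex digits (placeholders).
 set session-key inbound esp 1000 cipher <32-hex-digits> authenticator <40-hex-digits>
 set session-key outbound esp 1001 cipher <32-hex-digits> authenticator <40-hex-digits>

! --- IKE keying: one SA pair per permit line, SPIs allocated by negotiation ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.2

access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255

crypto map IKE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 102

! Apply one of the two maps to the outside interface (one crypto map per interface).
interface GigabitEthernet0/0
 crypto map IKE-MAP
```

With either map applied, `show crypto ipsec sa` lists the inbound and outbound SPIs per SA: under MANUAL-MAP you will see the single pair 1000/1001 bound to the first permit line only, while under IKE-MAP each permit line that has carried traffic shows its own negotiated SPI pair. One operational caveat of the manual variant: because the SPIs and keys are static, nothing ever rekeys them, so both sites have to rotate the session keys by hand.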

I was expecting this answer, thanks.

Best regards,
