Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

IPSec Manual and SPI question

Hi all,

We are impelementing IPSec manual site to site because other site doesn't

support IKE. I know that if you implement IPSec manual keying

-- ACL's for crypto map entries tagged as ipsec-manual are restricted to as

single permit entry and subsequent entries are ignored.

-- The SAs established by a manual crypto map entry are only for a single

data flow.

IKE doesn't have any restrictions like that. Is this because of IKE

automatically assigns SPI numbers to the other permit entries for the same

access-list. Or is there any other reason?

I know the solution for the IPSec manual restriction of permit entries. I

want to know why is this restriction. Because of one SPI for one permit


Any help will be really appreciated.

Best regards,

Cisco Employee

Re: IPSec Manual and SPI question

Basically yes. Each line in your ACL actually builds a separate tunnel, with unique SPI's. If you use manual keys, you can only provide one set of SPI's, and therefore, the router/firewall can only build one tunnel, hence only one line in your ACL.

With IKE, it dynamically creates unique SPI's per tunnel/ACL line, and therefore you're not limited.

Community Member

Re: IPSec Manual and SPI question

I was expecting this answer, thanks.

Best regards,

CreatePlease to create content