Cisco Support Community
New Member

VPN Tunnels

What is the relationship between VPN tunnels and VPN users? If a Cisco device says that it supports 1000 tunnels, does this mean that it supports 1000 users or 500 users?

Thanks

Conan

3 REPLIES
Bronze

Re: VPN Tunnels

1000 tunnels means 1000 IPsec Security Associations (SAs) established. If this is between a client PC and the concentrator, that’s one tunnel. If it’s between a router and a concentrator, that one tunnel could have several “users” in it.

New Member

Re: VPN Tunnels

It depends on your configuration. A point-to-point link could mean many tunnels. At a minimum, a single SA is created for a point-to-point connection. Each entry in your crypto ACL will generate a Phase 2 SA. I have seen up to 25 SAs created for a single point-to-point connection. For site-to-site I recommend using GRE: more robust and less IPsec overhead. SAs are then on a one-to-one basis.
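
The two layouts compared in the reply above, as an added IOS configuration sketch that is not part of the original post: variant A has several crypto ACL entries toward one peer, variant B protects a single GRE flow. All addresses, ACL names, map names and the transform-set name are constructed placeholders, and Phase 1 (ISAKMP policy and key) is assumed to be configured already.

```cisco
! Constructed example: addresses and names below are placeholders.
crypto ipsec transform-set TS-EXAMPLE esp-aes esp-sha-hmac
!
! --- Variant A: plain IPsec LAN-to-LAN ---
! Three crypto ACL entries toward one peer. Per the reply above,
! each entry generates its own Phase 2 SA, so one peer uses three.
ip access-list extended CRYPTO-L2L
 permit ip 10.1.1.0 0.0.0.255 10.2.1.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 10.2.1.0 0.0.0.255
 permit ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255
!
crypto map VPN-A 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-EXAMPLE
 match address CRYPTO-L2L
!
! --- Variant B: GRE over IPsec ---
! All site traffic is routed into Tunnel0 and leaves as GRE packets
! between the two tunnel endpoints.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 198.51.100.1
 tunnel destination 203.0.113.2
!
! One crypto ACL entry matches the GRE flow, so SAs stay on a
! one-to-one basis no matter how many subnets sit behind each site.
ip access-list extended CRYPTO-GRE
 permit gre host 198.51.100.1 host 203.0.113.2
!
crypto map VPN-B 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-EXAMPLE
 match address CRYPTO-GRE
!
! Remote subnets are reached through the tunnel interface.
ip route 10.2.1.0 255.255.255.0 Tunnel0
```

When sizing against a platform's tunnel limit, count the crypto ACL entries per peer in variant A rather than the number of peers.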

New Member

Re: VPN Tunnels

Depends on how you define a tunnel: a tunnel normally has one IKE SA for phase one negotiation and one or more IPSec SAs for phase two negotiation. If you define a tunnel by IKE SA, then one tunnel is one user; if you define a tunnel by IPSec SA, then one user could have many tunnels (as implemented by the Cisco Unity client).

This applies to the VPN between client and concentrator; for LAN-to-LAN VPN, a tunnel is shared by many users.
