
New Member

One SA per subnet pair.....

Hi All,

I'll shortly be setting up a new L2L VPN between a Checkpoint and an ASA. To cut a long story short, the Checkpoint end is configured to negotiate 'one SA per subnet pair' within its tunnel management settings. This will have to stay this way.

So the question is: Is there an equivalent setting for an ASA (ASDM and/or CLI) or, failing that, does anyone know its default behaviour regarding SA creation?

Just trying to avoid pitfalls before I start.

Many thanks,

Doug

2 REPLIES
Hall of Fame Super Blue

Re: One SA per subnet pair.....

Doug

IPSEC SAs are negotiated per entry in your ACL on the ASA. So if you have a crypto map ACL with 3 entries, that will create 2 SAs per ACL entry, 2 because IPSEC SAs are unidirectional.

So it sounds like the Checkpoint is behaving in exactly the same way as it should, as IPSEC is a standard.

Jon
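A pre-deployment check based on the reply above, added here as an example and not posted by anyone in the thread: it reads a crypto map ACL, lists one subnet pair per entry, counts two unidirectional SAs per entry, and reports pairs that appear on only one side. The ACL name, subnets and the Checkpoint-side pair list are constructed sample data, and only `permit ip <net> <mask> <net> <mask>` entries are parsed (no `host`, `any` or object-groups).

```python
import ipaddress
import re

# Constructed sample crypto map ACL in ASA syntax (names and subnets are made up).
ASA_CRYPTO_ACL = """\
access-list L2L_ACL extended permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L_ACL extended permit ip 10.1.2.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list L2L_ACL extended permit ip 10.1.3.0 255.255.255.0 192.168.20.0 255.255.255.0
"""

# Constructed (Checkpoint-side subnet, ASA-side subnet) pairs the peer will negotiate.
PEER_PAIRS = [
    ("192.168.10.0/24", "10.1.1.0/24"),
    ("192.168.10.0/24", "10.1.2.0/24"),
    ("192.168.0.0/16", "10.1.3.0/24"),  # supernetted on the peer: will not match
]

ACE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

def acl_pairs(config, acl_name):
    """Return one (local, remote) network pair per permit-ip entry of the ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m and m.group(1) == acl_name:
            local = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            remote = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.append((local, remote))
    return pairs

def expected_sa_count(pairs):
    """Two IPsec SAs per ACL entry, because each SA is unidirectional."""
    return 2 * len(pairs)

def compare_with_peer(pairs, peer_pairs):
    """Mirror the peer's pairs to the ASA's view; return (only_on_asa, only_on_peer)."""
    ours = set(pairs)
    theirs = {(ipaddress.ip_network(asa), ipaddress.ip_network(cp)) for cp, asa in peer_pairs}
    return sorted(ours - theirs), sorted(theirs - ours)

if __name__ == "__main__":
    pairs = acl_pairs(ASA_CRYPTO_ACL, "L2L_ACL")
    print(f"{len(pairs)} ACL entries, {expected_sa_count(pairs)} IPsec SAs expected")
    only_asa, only_peer = compare_with_peer(pairs, PEER_PAIRS)
    for local, remote in only_asa:
        print(f"ASA only:  {local} <-> {remote}")
    for local, remote in only_peer:
        print(f"peer only: {local} <-> {remote}")
```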

New Member

Re: One SA per subnet pair.....

Many thanks Jon.
