Number of IKE Tunnels and IPSec Tunnels

The number of IPSec tunnels we have is always > the number of IKE tunnels. In terms of the number of "IPSEC Tunnels" listed as supported on a specific piece of equipment, is it fair to assume that we only care about the number of IPSec tunnels?

Why is the number of IPSec tunnels greater? Wouldn't the number of IKE tunnels and IPSec tunnels match?

philbo30

I'd say, No, you care about IKE. I haven't noticed any equipment rated for IPSec tunnels but not IKE tunnels (well, other than some of my Linksys stuff.)

One IKE tunnel is needed between each pair of tunnel endpoints, and that IKE tunnel is used to negotiate the security parameters ("Security Association") for all the IPSec tunnels that are created for that pair. In turn, exactly one Security Association is needed for each ACL entry (it's the way IPSec works). You usually don't want to be squeezed into conserving ACL entries: it isn't a good security practice, as it tends to promote accepting more packets over the tunnels than is desired to be secured. Thus it is not typical to limit the SAs (== IPSec tunnels), but it is meaningful to limit the number of different gateways one can talk to (== IKE peers).

Walter Roberson
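To make the counting rule in the answer above concrete, here is an added example that is not part of the thread. It models a crypto map as a set of entries, each naming a remote IKE peer and the ACL lines (traffic selectors) it protects, and derives the IKE count (one per distinct peer) and the IPsec tunnel count (one per ACL entry) from it. It also shows the trade-off the answer warns about: collapsing the ACLs into one coarse "10/8 to 10/8" line drops the IPsec count, but at the cost of pulling flows into the tunnel that a tighter policy would never accept. Peer addresses, prefixes and the device limits are made up for the illustration; one caveat from the IPsec architecture itself is that each "IPsec tunnel" counted here is really a pair of unidirectional SAs (inbound and outbound), which matters when a datasheet counts SAs rather than tunnels.

```python
"""Derive IKE and IPsec tunnel counts from a crypto-map style policy.

Added illustration for the forum answer above; not code from any vendor.
All peers, prefixes and limits below are constructed sample values.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One ACL line: "permit ip <src prefix> <dst prefix>"
AclEntry = namedtuple("AclEntry", "src dst")

# Constructed fine-grained policy: two gateways, four ACL lines in total.
# Two map entries point at the same peer (203.0.113.20) with different ACLs,
# which still needs only one IKE SA to that gateway.
FINE_MAP = {
    "branch-a": {
        "peer": "203.0.113.10",
        "acl": [AclEntry("10.1.0.0/24", "10.2.0.0/24"),
                AclEntry("10.1.0.0/24", "10.3.0.0/24")],
    },
    "branch-b": {
        "peer": "203.0.113.20",
        "acl": [AclEntry("10.1.0.0/24", "10.4.0.0/24")],
    },
    "branch-b-voice": {
        "peer": "203.0.113.20",   # same gateway as branch-b, separate ACL
        "acl": [AclEntry("10.1.50.0/24", "10.4.50.0/24")],
    },
}

# Constructed coarse policy: same two gateways, one catch-all line each.
# Fewer IPsec tunnels, but every 10/8 <-> 10/8 flow now matches.
COARSE_MAP = {
    "branch-a": {"peer": "203.0.113.10",
                 "acl": [AclEntry("10.0.0.0/8", "10.0.0.0/8")]},
    "branch-b": {"peer": "203.0.113.20",
                 "acl": [AclEntry("10.0.0.0/8", "10.0.0.0/8")]},
}


def count_sas(crypto_map):
    """One IKE SA per distinct peer address; one IPsec tunnel per ACL entry.

    Each IPsec tunnel is carried by two unidirectional SAs on the wire,
    so a datasheet that counts SAs rather than tunnels needs 2 * ipsec.
    """
    peers = {entry["peer"] for entry in crypto_map.values()}
    acl_lines = sum(len(entry["acl"]) for entry in crypto_map.values())
    return {"ike": len(peers), "ipsec": acl_lines}


def check_limits(counts, max_ike, max_ipsec):
    """Return the names of the limits the policy exceeds (empty = fits)."""
    exceeded = []
    if counts["ike"] > max_ike:
        exceeded.append("ike")
    if counts["ipsec"] > max_ipsec:
        exceeded.append("ipsec")
    return exceeded


def protected_by(crypto_map, src, dst):
    """Name of the first map entry whose ACL matches the src->dst flow.

    Crypto maps match in sequence order; dict insertion order stands in
    for that here. Returns None when no ACL line covers the flow, i.e.
    the packet would be sent in the clear (or dropped) rather than tunnelled.
    """
    s, d = ip_address(src), ip_address(dst)
    for name, entry in crypto_map.items():
        for line in entry["acl"]:
            if s in ip_network(line.src) and d in ip_network(line.dst):
                return name
    return None


if __name__ == "__main__":
    # Hypothetical platform limit: 2 IKE peers, 3 IPsec tunnels.
    for label, cmap in (("fine-grained", FINE_MAP), ("coarse", COARSE_MAP)):
        counts = count_sas(cmap)
        print(label, counts, "exceeds:", check_limits(counts, 2, 3))
        # A flow to a subnet the design never intended to reach.
        print("  10.1.9.9 -> 10.9.1.1 tunnelled via:",
              protected_by(cmap, "10.1.9.9", "10.9.1.1"))
```

Running it shows the fine-grained map needing 2 IKE and 4 IPsec tunnels (over the hypothetical 3-tunnel limit) while the coarse map needs 2 and 2; but only the coarse map tunnels the stray 10.1.9.9 -> 10.9.1.1 flow, which is the "accepting more packets than is desired to be secured" effect the answer describes. The practical check when reading a datasheet is therefore the peer count against the IKE limit first, and the ACL line count (times two if the vendor counts SAs) against the IPsec figure.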
