Number of IKE Tunnels and IPSec Tunnels

Discussion in 'Cisco' started by philbo30, Apr 11, 2007.

  1. philbo30

    philbo30 Guest

    The number of IPSec tunnels we have is always > the number of IKE
    tunnels. In terms of the number of "IPSEC Tunnels" listed as supported
    on a specific piece of equipment, is it fair to assume that we only
    care about the number of IPSec tunnels?

    Why is the number of IPSec tunnels greater? Wouldn't the number of
    IKE tunnels and IPSec tunnels match?
     
    philbo30, Apr 11, 2007
    #1

  2. In article <>,
    philbo30 <> wrote:
    >The number of IPSec tunnels we have is always > the number of IKE
    >tunnels. In terms of the number of "IPSEC Tunnels" listed as supported
    >on a specific piece of equipment, is it fair to assume that we only
    >care about the number of IPSec tunnels?


    I'd say, No, you care about IKE. I haven't noticed any equipment
    rated for IPSec tunnels but not IKE tunnels (well, other than
    some of my Linksys stuff.)


    >Why is the number of IPSec tunnels greater? Wouldn't the number of
    >IKE tunnels and IPSec tunnels match?


    One IKE tunnel is needed between each pair of tunnel endpoints,
    and that IKE tunnel is used to negotiate the security parameters
    ("Security Association") for all the IPSec tunnels that are created
    for that pair. In turn, exactly one Security Association is needed for
    each ACL entry (it's the way IPSec works.) You usually don't want
    to be squeezed into conserving ACL entries: it isn't a good security
    practice as it tends to promote accepting more packets over the
    tunnels than is desired to be secured. Thus it is not typical to
    limit the SA's (== IPSec tunnels), but it is meaningful to limit
    the number of different gateways one can talk to (== IKE peers).
     
    Walter Roberson, Apr 12, 2007
    #2
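The counting rule Walter gives above (one IKE SA per peer gateway, one IPsec SA per crypto ACL entry negotiated under it) can be checked directly against a configuration. The script below is an added example, not code from the thread or from Cisco; the IOS-style crypto map and access-list text it parses is constructed for illustration, and the parser only understands the `crypto map ... ipsec-isakmp`, `set peer`, `match address` and `ip access-list extended` lines shown. It reports how many IKE tunnels and IPsec tunnels the configuration implies, and separately flags crypto ACL entries that use `any`, which is the "accepting more packets over the tunnel than you meant to secure" case the post warns about.

```python
"""Model of IKE-versus-IPsec tunnel counts on a Cisco-style crypto map.

Added example, not from the thread.  Rule applied (from the second post):
one IKE tunnel per peer gateway, one IPsec SA per permit entry in the
crypto ACL that a crypto map entry matches.  SAMPLE_CONFIG is constructed.
"""
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address ACL_SITE_A
crypto map VPN 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address ACL_SITE_A_GUEST
crypto map VPN 30 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set TS
 match address ACL_SITE_B
ip access-list extended ACL_SITE_A
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
ip access-list extended ACL_SITE_A_GUEST
 permit ip 10.9.0.0 0.0.0.255 10.2.0.0 0.0.255.255
ip access-list extended ACL_SITE_B
 permit ip any any
"""


def parse_config(text):
    """Return (crypto map entries, crypto ACLs) from IOS-style config text.

    Each entry is {"name", "seq", "peers", "acl"}; each ACL maps its name to
    the list of permit lines (deny lines in a crypto ACL mean "send in clear",
    so they create no SA and are skipped).
    """
    entries, acls = [], {}
    current = None  # ("map", entry_dict) or ("acl", ace_list) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):  # an unindented command starts a new block
            m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
            if m:
                entry = {"name": m.group(1), "seq": int(m.group(2)), "peers": [], "acl": None}
                entries.append(entry)
                current = ("map", entry)
                continue
            m = re.match(r"ip access-list extended (\S+)$", line)
            if m:
                acls[m.group(1)] = []
                current = ("acl", acls[m.group(1)])
                continue
            current = None  # some other top-level command we do not model
            continue
        if current is None:
            continue
        kind, obj = current
        words = line.split()
        if kind == "map":
            if words[:2] == ["set", "peer"]:
                obj["peers"].append(words[2])  # repeated 'set peer' = backup peers
            elif words[:2] == ["match", "address"]:
                obj["acl"] = words[2]
        elif kind == "acl" and words[0] == "permit":
            obj.append(" ".join(words))
    return entries, acls


def count_tunnels(text):
    """Apply the post's rule: IKE tunnels = distinct peers, IPsec tunnels = ACL entries."""
    entries, acls = parse_config(text)
    sas_per_peer = {}
    for e in entries:
        if not e["peers"] or e["acl"] is None:
            continue  # incomplete entry: nothing is negotiated
        # Only the primary peer has an active IKE SA; backups are used on failover.
        peer = e["peers"][0]
        sas_per_peer[peer] = sas_per_peer.get(peer, 0) + len(acls.get(e["acl"], []))
    return {
        "ike_tunnels": len(sas_per_peer),
        "ipsec_tunnels": sum(sas_per_peer.values()),
        "per_peer": sas_per_peer,
    }


def find_broad_entries(text):
    """Crypto ACL permit lines that use 'any' and so encrypt more than a subnet pair."""
    _, acls = parse_config(text)
    return [(name, ace) for name, aces in acls.items() for ace in aces if "any" in ace.split()]


if __name__ == "__main__":
    print(count_tunnels(SAMPLE_CONFIG))     # 2 IKE tunnels, 4 IPsec tunnels
    print(find_broad_entries(SAMPLE_CONFIG))  # the 'permit ip any any' entry
```

On the constructed sample the two peers give two IKE tunnels while the four permit entries give four IPsec tunnels, which is the gap the original question describes; the `per_peer` breakdown shows that both crypto map entries pointing at 203.0.113.1 share one IKE tunnel. The `find_broad_entries` check is the review step worth running before a platform's "IPsec tunnels supported" figure tempts anyone to collapse several specific entries into a single `any` rule.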
