Number of IKE Tunnels and IPSec Tunnels

The number of IPSec tunnels we have is always > the number of IKE
tunnels. In terms of the number of "IPSEC Tunnels" listed as supported
on a specific piece of equipment, is it fair to assume that we only
care about the number of IPSec tunnels?

Why is the number of IPSec tunnels greater? Wouldn't the number of
IKE tunnels and IPSec tunnels match?

 

I'd say, No, you care about IKE. I haven't noticed any equipment
rated for IPSec tunnels but not IKE tunnels (well, other than
some of my Linksys stuff.)

One IKE tunnel is needed between each pair of tunnel endpoints,
and that IKE tunnel is used to negotiate the security parameters
("Security Association") for all the IPSec tunnels that are created
for that pair. In turn, exactly one Security Association is needed for
each ACL entry (it's the way IPSec works.) You usually don't want
to be squeezed into conserving ACL entries: it isn't a good security
practice as it tends to promote accepting more packets over the
tunnels than is desired to be secured. Thus it is not typical to
limit the SA's (== IPSec tunnels), but it is meaningful to limit
the number of different gateways one can talk to (== IKE peers)