Number of IKE Tunnels and IPSec Tunnels

Discussion in 'Cisco' started by philbo30, Apr 11, 2007.

  1. philbo30 (Guest)

    The number of IPSec tunnels we have is always > the number of IKE
    tunnels. In terms of the number of "IPSEC Tunnels" listed as supported
    on a specific piece of equipment, is it fair to assume that we only
    care about the number of IPSec tunnels?

    Why is the number of IPSec tunnels greater? Wouldn't the number of
    IKE tunnels and IPSec tunnels match?
    philbo30, Apr 11, 2007

  2. I'd say, No, you care about IKE. I haven't noticed any equipment
    rated for IPSec tunnels but not IKE tunnels (well, other than
    some of my Linksys stuff.)

    One IKE tunnel is needed between each pair of tunnel endpoints,
    and that IKE tunnel is used to negotiate the security parameters
    ("Security Association") for all the IPSec tunnels that are created
    for that pair. In turn, exactly one Security Association is needed for
    each ACL entry (it's the way IPSec works.) You usually don't want
    to be squeezed into conserving ACL entries: it isn't a good security
    practice as it tends to promote accepting more packets over the
    tunnels than is desired to be secured. Thus it is not typical to
    limit the SAs (== IPSec tunnels), but it is meaningful to limit
    the number of different gateways one can talk to (== IKE peers).
    Walter Roberson, Apr 12, 2007
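The counting rule above (one IKE SA per remote gateway, one IPsec tunnel per crypto ACL entry, so the IPsec count can never be lower than the IKE count) is easy to sanity-check with a small model. The following is an added example written for this edit, not code from the thread or from Cisco; the peer addresses, protected subnets and rated limits are constructed, and the capacity and "overly broad selector" checks are illustrative policies, not vendor rules.

```python
"""Model IKE vs IPsec SA counts for a crypto-map style configuration.

Added example, not from the original thread. All peers, subnets and
datasheet limits below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of a crypto ACL: local and remote protected subnets."""
    local: str
    remote: str


# Constructed crypto map: remote gateway -> its crypto ACL entries (proxy IDs).
CRYPTO_MAP = {
    "203.0.113.10": [
        AclEntry("10.1.0.0/16", "10.2.0.0/16"),
        AclEntry("10.1.0.0/16", "10.3.0.0/24"),
        AclEntry("192.168.5.0/24", "10.2.0.0/16"),
    ],
    "198.51.100.7": [AclEntry("10.1.0.0/16", "172.16.0.0/12")],
    "198.51.100.9": [
        AclEntry("10.1.0.0/16", "10.9.0.0/16"),
        AclEntry("10.1.10.0/24", "10.9.1.0/24"),
    ],
}


def ike_tunnels(crypto_map):
    """One IKE (ISAKMP) SA per remote gateway, however much traffic it carries."""
    return len(crypto_map)


def ipsec_tunnels(crypto_map):
    """One IPsec tunnel per (peer, crypto ACL entry).

    Because every peer needs at least one ACL entry to carry anything, this
    is always >= ike_tunnels(), which is the asymmetry the thread asks about.
    """
    return sum(len(entries) for entries in crypto_map.values())


def ipsec_sas(crypto_map):
    """Each IPsec tunnel is a pair of unidirectional SAs (inbound + outbound);
    datasheets usually count the pair as a single 'tunnel'."""
    return 2 * ipsec_tunnels(crypto_map)


def check_capacity(crypto_map, max_ike_peers, max_ipsec_tunnels):
    """Compare the configuration against (hypothetical) rated limits.

    Returns a list of human-readable violations; empty means it fits.
    """
    problems = []
    ike, ipsec = ike_tunnels(crypto_map), ipsec_tunnels(crypto_map)
    if ike > max_ike_peers:
        problems.append(f"IKE peers {ike} exceed rated {max_ike_peers}")
    if ipsec > max_ipsec_tunnels:
        problems.append(f"IPsec tunnels {ipsec} exceed rated {max_ipsec_tunnels}")
    return problems


def overly_broad_entries(crypto_map, min_prefixlen=16):
    """Flag ACL entries whose local or remote selector is wider than /min_prefixlen.

    Collapsing several specific entries into one wide one does lower the SA
    count, but it also pushes traffic through the tunnel that was never meant
    to be protected, which is the practice the answer above warns against.
    The /16 threshold is an illustrative policy choice.
    """
    flagged = []
    for peer, entries in crypto_map.items():
        for entry in entries:
            if any(ipaddress.ip_network(side).prefixlen < min_prefixlen
                   for side in (entry.local, entry.remote)):
                flagged.append((peer, entry))
    return flagged


if __name__ == "__main__":
    print("IKE SAs:", ike_tunnels(CRYPTO_MAP))
    print("IPsec tunnels:", ipsec_tunnels(CRYPTO_MAP), "(SAs:", ipsec_sas(CRYPTO_MAP), ")")
    for problem in check_capacity(CRYPTO_MAP, max_ike_peers=5, max_ipsec_tunnels=5):
        print("capacity:", problem)
    for peer, entry in overly_broad_entries(CRYPTO_MAP):
        print(f"broad selector towards {peer}: {entry.local} <-> {entry.remote}")
```

With the constructed map, three peers yield three IKE SAs but six IPsec tunnels (twelve unidirectional SAs), so a box rated for five IPsec tunnels would be over capacity even though it has plenty of IKE headroom; the 172.16.0.0/12 selector is flagged as the kind of wide entry that trades SA count for exposure.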
