
Crypto Map-based IPSec VPN

omz
VIP Alumni

Hi all

Can someone please explain the below statement with the help of an example?

This is one of the scalability limitations of Crypto Map-based configurations; the number of SAs does not scale linearly with the number of tunnel endpoints, as it would in either a GRE over IPsec or IPsec VTI configuration.

Thank you

 

2 Replies

Dennis Mink
VIP Alumni

My take on this is, if you have an IPsec tunnel between two tunnel endpoints (public IP addresses), you can have an X number of unidirectional SAs as per the below pic, depending on how complicated your protected traffic definitions are.

 

[Image: 166214-Screen Shot 2013-11-12 at 10.55.28 AM.png]

Please remember to rate useful posts, by clicking on the stars below.

When using a Crypto Map VPN, regardless of how many interesting networks are defined in the ACL, there will be 2 x (uni-directional) IPSec SAs.

However, using a GRE tunnel or VTI there will only ever be 2 x IPSec SAs per peer/tunnel endpoint, thus making GRE/VTI more scalable than Crypto Map.

HTH
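
A worked count for the statement quoted in the question, as an added example that is not part of the original thread. It assumes Cisco IOS behaviour in which each permit entry of a crypto map's ACL negotiates its own pair of unidirectional IPsec SAs once traffic matches it, while a GRE over IPsec or VTI tunnel needs one pair per peer; the config, peer addresses and ACL names are constructed.

```python
import re

# Constructed IOS-style config (sample data, not from the thread): a router
# with two crypto map peers, each protecting several subnet pairs.
SAMPLE_CONFIG = """\
crypto map CMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 match address VPN-A
crypto map CMAP 20 ipsec-isakmp
 set peer 198.51.100.2
 match address VPN-B
ip access-list extended VPN-A
 permit ip 10.1.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.11.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.10.0.0 0.0.0.255
 deny ip any any
ip access-list extended VPN-B
 permit ip 10.1.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.20.0.0 0.0.0.255
"""

def parse(config):
    """Return ({peer: acl_name}, {acl_name: number_of_permit_entries})."""
    peers, acls = {}, {}
    peer = acl = None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):  # a new top-level block starts here
            peer = acl = None
            m = re.match(r"ip access-list extended (\S+)", s)
            if m:
                acl = m.group(1)
                acls[acl] = 0
        elif s.startswith("set peer "):
            peer = s.split()[2]
        elif s.startswith("match address ") and peer:
            peers[peer] = s.split()[2]
        elif acl and s.startswith("permit "):
            acls[acl] += 1  # deny entries negotiate no SA and are skipped
    return peers, acls

def sa_counts(config):
    """Max IPsec SAs per peer: crypto map (assumed 2 per permit) vs GRE/VTI (2)."""
    peers, acls = parse(config)
    return {p: {"crypto_map": 2 * acls.get(a, 0), "gre_or_vti": 2}
            for p, a in peers.items()}

if __name__ == "__main__":
    print(sa_counts(SAMPLE_CONFIG))
```

With the sample config, the crypto map count grows with the number of protected subnet pairs (10 SAs for two peers), while the tunnel-based count stays at 2 per peer (4 SAs).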