11-14-2002 08:31 AM - edited 02-21-2020 12:10 PM
Hi all,
We are implementing IPSec manual site to site because the other site doesn't
support IKE. I know that if you implement IPSec manual keying
-- ACLs for crypto map entries tagged as ipsec-manual are restricted to a
single permit entry and subsequent entries are ignored.
-- The SAs established by a manual crypto map entry are only for a single
data flow.
IKE doesn't have any restrictions like that. Is this because IKE
automatically assigns SPI numbers to the other permit entries for the same
access-list, or is there some other reason?
I know the solution for the IPSec manual restriction of permit entries. I
want to know why this restriction exists. Is it because of one SPI for one
permit entry?
Any help will be really appreciated.
Best regards,
11-18-2002 07:56 PM
Basically yes. Each line in your ACL actually builds a separate tunnel, with unique SPIs. If you use manual keys, you can only provide one set of SPIs, and therefore the router/firewall can only build one tunnel, hence only one line in your ACL.
With IKE, it dynamically creates unique SPIs per tunnel/ACL line, and therefore you're not limited.
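A constructed Cisco IOS configuration, added here to illustrate the answer above (it is not from the original thread): a manual-keyed crypto map entry carries exactly one static SPI pair, so only its first ACL permit builds an SA, while an ipsec-isakmp entry lets IKE negotiate SPIs per flow. Peer addresses, ACL numbers, SPIs, key strings and the interface name are placeholders.

```cisco
! Added illustration of the answer above: a manual-keyed crypto map entry carries
! exactly one SPI pair, so only the first permit in its ACL builds an SA.
! Addresses, SPIs and key strings are constructed placeholders.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
!
! --- Manual keying: one static SPI pair per crypto map entry ---
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
! the second permit below is ignored: there is no second SPI pair to build its SA
access-list 110 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN 10 ipsec-manual
 set peer 192.0.2.2
 set transform-set TS-3DES-SHA
 ! inbound/outbound SPIs and keys must mirror the peer's outbound/inbound values
 set session-key inbound esp 1001 cipher <48-hex-digit-3des-key> authenticator <40-hex-digit-sha-key>
 set session-key outbound esp 1002 cipher <48-hex-digit-3des-key> authenticator <40-hex-digit-sha-key>
 match address 110
!
! To carry the second flow with manual keys, give it its own crypto map entry,
! its own SPI pair and its own single-permit ACL:
access-list 111 permit ip 10.1.3.0 0.0.0.255 10.2.2.0 0.0.0.255
crypto map VPN 20 ipsec-manual
 set peer 192.0.2.2
 set transform-set TS-3DES-SHA
 set session-key inbound esp 1003 cipher <48-hex-digit-3des-key> authenticator <40-hex-digit-sha-key>
 set session-key outbound esp 1004 cipher <48-hex-digit-3des-key> authenticator <40-hex-digit-sha-key>
 match address 111
!
! --- IKE (ipsec-isakmp): SPIs are negotiated per flow, so a multi-line ACL works ---
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key <pre-shared-key> address 198.51.100.2
!
access-list 120 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
access-list 120 permit ip 10.1.3.0 0.0.0.255 10.3.3.0 0.0.0.255
!
crypto map VPN 30 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-3DES-SHA
 match address 120
!
interface Serial0/0
 crypto map VPN
```

With the manual entries, `show crypto ipsec sa` lists one inbound/outbound SA pair per entry with the SPIs typed above; with the ipsec-isakmp entry, a distinct SA pair appears for each ACL line once traffic triggers it.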
11-19-2002 12:46 AM
I was expecting this answer, thanks.
Best regards,