Ask the Expert

Understanding IPsec SA relationship to multiple sessions

Dear Mr. Tuomenoksa,
I

    Requires Free Membership to View

am trying to understand IPsec SA relationship to multiple sessions. Could you please answer the question pertaining to the following scenario:

A PC client with its tunnel terminated on VPN device has multiple sessions (Windows open - http, ftp) running. The PC client is configured with only one policy (all traffic is tunneled via ESP tunnel using MD5-3DES).

How many outgoing SAs will I see in the SAD on the VPN device? Only one SA or multiple SA's representing each session?
Thanks in Advance,
Mathew
Hi Mathew,
The single IPSec SA that you use to create your ESP tunnel will support all the other traffic (TCP sessions, etc.). You don't need an SA for each logical connection through the tunnel. You do however need an SA for each gateway-to-gateway connection and each client-to-gateway connection.
Best,
Mark

This was first published in January 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: