Dear Mr. Tuomenoksa,
I am trying to understand IPsec SA relationship to multiple sessions. Could you please answer the question pertaining to the following scenario:
A PC client with its tunnel terminated on VPN device has multiple sessions (Windows open - http, ftp) running. The PC client is configured with only one policy (all traffic is tunneled via ESP tunnel using MD5-3DES).
How many outgoing SAs will I see in the SAD on the VPN device? Only one SA or multiple SA's representing each session?
Thanks in Advance,
The single IPSec SA that you use to create your ESP tunnel will support all the other traffic (TCP sessions, etc.). You don't need an SA for each logical connection through the tunnel. You do however need an SA for each gateway-to-gateway connection and each client-to-gateway connection.