Solved: Site-to-Site VPN

cool rohan · ‎07-18-2017

If you create a site-to-site vpn how many SA are created total some are saying 2 and some are saying 3 which is correct

In phase 1 one sa will created and in phase 2 two unidirectional sa will be created so there will be total 3 sa or 2 sa ?

I am confused

Rahul Govindan · ‎07-18-2017

Usually its one phase 1 SA, two phase 2 SA's per crypto ACL. The Phase 2 SA's are usually a pair of inbound and outbound SA's, each with its own SPI (identifier).

Some terminology may categorize the inbound and outbound phase 2 SA as a single SA, causing the confusion as you mentioned.

View solution in original post

Rahul Govindan · ‎07-18-2017

Usually its one phase 1 SA, two phase 2 SA's per crypto ACL. The Phase 2 SA's are usually a pair of inbound and outbound SA's, each with its own SPI (identifier).

Some terminology may categorize the inbound and outbound phase 2 SA as a single SA, causing the confusion as you mentioned.

Karsten Iwen · ‎07-18-2017

Little (but relevant) typo: It has to read "two phase 2 SA's per crypto ACE". There could be more than one ACL (one per crypto map), but each ACE within that ACL can generate a pair of SAs.

Rahul Govindan · ‎07-18-2017

Karsten, You are right :) Should be crypto ACE or crypto ACL entry/line instead of simply ACL.