https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51549#M10205 <P>Hello</P><P>&nbsp;</P><P>i have a question. When we have a L2L VPN and we have enabled tunnel per gateway pair, it will create only one SA or only one pair of SAs? From what i know, SAs are undirectional, so the minimum we need is 2 for phase 2, am i right?</P><P>&nbsp;</P><P>Second question, does every SA include the 'return' traffic as well (thus the whole session) or the reason we need 2nd Ipsec SA is for the return traffic? Because if it is the former, if i only need one way communication , then in theory one Ipsec SA should be enough?</P> Tue, 23 Apr 2019 06:41:38 GMT Alex_Krikorian 2019-04-23T06:41:38Z https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51549#M10205 <P>Hello</P><P>&nbsp;</P><P>i have a question. When we have a L2L VPN and we have enabled tunnel per gateway pair, it will create only one SA or only one pair of SAs? From what i know, SAs are undirectional, so the minimum we need is 2 for phase 2, am i right?</P><P>&nbsp;</P><P>Second question, does every SA include the 'return' traffic as well (thus the whole session) or the reason we need 2nd Ipsec SA is for the return traffic? Because if it is the former, if i only need one way communication , then in theory one Ipsec SA should be enough?</P> Tue, 23 Apr 2019 06:41:38 GMT https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51549#M10205 Alex_Krikorian 2019-04-23T06:41:38Z https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51600#M10217 I believe you need the second SA for the return traffic, thus they are always created in pairs. Tue, 23 Apr 2019 17:15:35 GMT https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51600#M10217 PhoneBoy 2019-04-23T17:15:35Z https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51603#M10218 The SA created from site-A to B will support the session, so the forward and return traffic. It will not support a session started from site-B to A though, so there will be a new SA created for that traffic. Tue, 23 Apr 2019 18:10:28 GMT https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51603#M10218 Maarten_Sjouw 2019-04-23T18:10:28Z https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51628#M10225 <P>I thought so, i just wanted to confirm by having my hands on a per gateway pair vpn to check it , but i didnt. So unless we want traffic initiated from both ends, one SA should be enough. Thanks for verifying!</P> Wed, 24 Apr 2019 06:49:13 GMT https://community.checkpoint.com/t5/General-Topics/VPN-SA-question/m-p/51628#M10225 Alex1041 2019-04-24T06:49:13Z