ashish_solanki1
Participant

Reducing SA's

Hello Everyone... Can someone please let me know the different ways of reducing the number of SAs in Check Point VPN? Thanks

Timothy_Hall
Legend

The "VPN tunnel sharing" setting under Tunnel Management in the VPN Community object controls the number of IPSec SAs that are generated. "Pair of hosts" will make the most individual IPSec SAs while "one VPN tunnel per gateway pair" will make only one "universal" (i.e. 0.0.0.0/0) IPSec tunnel between the gateways. "Per subnet pair" is the default and is usually the most appropriate setting; the number of SAs it generates is somewhere between the other two settings depending on your VPN domain configuration.

Be warned though that changing this setting in a VPN Community with an Externally Managed Gateway or Interoperable Device peer as part of it is likely to break the tunnel, unless the peer's configuration has been updated to match the change you are making.

--
My book "Max Power: Check Point Firewall Performance Optimization"
now available via http://maxpowerfirewalls.com.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
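
The effect of the three tunnel sharing settings described in the reply above, as an added example that is not part of the original thread or any Check Point tooling. It counts the distinct traffic selector pairs a set of flows would need under each setting; the VPN domains, flows and function names are constructed assumptions, and the model is simplified (one selector pair counted as one tunnel, subnets used exactly as listed).

```python
import ipaddress

# Constructed VPN domains and flows (assumptions, not taken from the thread).
LOCAL_DOMAIN = ["10.1.0.0/24", "10.1.1.0/24"]
REMOTE_DOMAIN = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]
FLOWS = [  # (local host, remote host) pairs that cross the VPN
    ("10.1.0.10", "192.168.10.5"),
    ("10.1.0.11", "192.168.10.5"),
    ("10.1.0.10", "192.168.10.6"),
    ("10.1.1.20", "192.168.20.7"),
    ("10.1.1.21", "192.168.20.7"),
    ("10.1.0.10", "192.168.10.5"),  # repeat of the first flow, reuses its tunnel
]
MODES = ("host_pair", "subnet_pair", "gateway_pair")


def subnet_for(host, domain):
    """Return the most specific VPN-domain subnet that contains host."""
    addr = ipaddress.ip_address(host)
    matches = [n for n in map(ipaddress.ip_network, domain) if addr in n]
    if not matches:
        raise ValueError(f"{host} is outside the VPN domain {domain}")
    return max(matches, key=lambda n: n.prefixlen)


def selectors(flows, local_domain, remote_domain, mode):
    """Distinct (local, remote) selector pairs the flows need in this mode."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode}")
    needed = set()
    for src, dst in flows:
        # Only traffic between the two VPN domains is encrypted at all.
        local_net = subnet_for(src, local_domain)
        remote_net = subnet_for(dst, remote_domain)
        if mode == "host_pair":        # one tunnel per communicating host pair
            needed.add((f"{src}/32", f"{dst}/32"))
        elif mode == "subnet_pair":    # one tunnel per pair of subnets
            needed.add((str(local_net), str(remote_net)))
        else:                          # one universal tunnel per gateway pair
            needed.add(("0.0.0.0/0", "0.0.0.0/0"))
    return needed


def tunnel_counts(flows, local_domain, remote_domain):
    """Number of selector pairs per mode for the same set of flows."""
    return {m: len(selectors(flows, local_domain, remote_domain, m)) for m in MODES}


if __name__ == "__main__":
    for mode, count in tunnel_counts(FLOWS, LOCAL_DOMAIN, REMOTE_DOMAIN).items():
        print(f"{mode:13s} {count}")
```
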
