VPN SA question

Hello

I have a question. When we have a L2L VPN and we have enabled tunnel per gateway pair, will it create only one SA or only one pair of SAs? From what I know, SAs are unidirectional, so the minimum we need is 2 for phase 2, am I right?

Second question, does every SA include the 'return' traffic as well (thus the whole session), or is the reason we need a 2nd IPsec SA for the return traffic? Because if it is the former, if I only need one-way communication, then in theory one IPsec SA should be enough?

0 Kudos
3 Replies
Admin

Re: VPN SA question

I believe you need the second SA for the return traffic, thus they are always created in pairs.
0 Kudos

Re: VPN SA question

The SA created from site-A to B will support the session, so the forward and return traffic. It will not support a session started from site-B to A though, so there will be a new SA created for that traffic.
Regards, Maarten
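To make the unidirectional point concrete, here is an added example that is not from this thread or from any VPN product's code: a small model of the IPsec Security Association Database in the RFC 4301 style, where outbound packets are matched against an "out" SA's traffic selectors and inbound ESP packets are matched by SPI against an "in" SA. The gateway names, subnets, hosts and SPIs are constructed. It shows that a single SA only carries packets from site A to site B, so a request/reply session needs the pair, while purely one-way traffic gets through with one.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed example, not code from the thread or from any VPN product:
# a minimal model of the IPsec Security Association Database (SAD).
# Every SA is unidirectional: the sender encapsulates with an "out" SA,
# the receiver finds the matching "in" SA by SPI to decapsulate.
# All addresses, subnets and SPIs below are made up.


@dataclass(frozen=True)
class SA:
    spi: int          # chosen by the receiving gateway, carried in the ESP header
    direction: str    # "out" (encapsulate) or "in" (decapsulate)
    src_net: str      # traffic selector: inner packet source must fall in here
    dst_net: str      # traffic selector: inner packet destination must fall in here


@dataclass
class Gateway:
    name: str
    sad: List[SA] = field(default_factory=list)


def install_one_way_sa(sender: Gateway, receiver: Gateway,
                       src_net: str, dst_net: str, spi: int) -> None:
    """Install a single unidirectional SA (one half of a Phase 2 result)."""
    sender.sad.append(SA(spi, "out", src_net, dst_net))
    receiver.sad.append(SA(spi, "in", src_net, dst_net))


def install_sa_pair(a: Gateway, b: Gateway, net_a: str, net_b: str,
                    spi_a_to_b: int, spi_b_to_a: int) -> None:
    """What a Phase 2 (IKEv2 CHILD_SA) negotiation normally yields: one SA per direction."""
    install_one_way_sa(a, b, net_a, net_b, spi_a_to_b)
    install_one_way_sa(b, a, net_b, net_a, spi_b_to_a)


def _selectors_match(sa: SA, src: str, dst: str) -> bool:
    return (ip_address(src) in ip_network(sa.src_net)
            and ip_address(dst) in ip_network(sa.dst_net))


def outbound_lookup(gw: Gateway, src: str, dst: str) -> Optional[SA]:
    """Outbound: match the cleartext packet against the selectors of "out" SAs."""
    for sa in gw.sad:
        if sa.direction == "out" and _selectors_match(sa, src, dst):
            return sa
    return None


def inbound_lookup(gw: Gateway, spi: int, src: str, dst: str) -> Optional[SA]:
    """Inbound: the ESP packet is matched by SPI first, then the decrypted
    inner packet is checked against that SA's selectors."""
    for sa in gw.sad:
        if sa.direction == "in" and sa.spi == spi and _selectors_match(sa, src, dst):
            return sa
    return None


def deliver(sender: Gateway, receiver: Gateway, src: str, dst: str) -> str:
    """Send one packet from src (behind sender) to dst (behind receiver)."""
    out_sa = outbound_lookup(sender, src, dst)
    if out_sa is None:
        return "dropped: no outbound SA"
    if inbound_lookup(receiver, out_sa.spi, src, dst) is None:
        return "dropped: no inbound SA for SPI 0x%x" % out_sa.spi
    return "delivered via SPI 0x%x" % out_sa.spi


def session(a: Gateway, b: Gateway, host_a: str, host_b: str) -> Tuple[str, str]:
    """A request/reply session started from host_a: the request and the
    reply are separate packets, each needing its own SA."""
    return deliver(a, b, host_a, host_b), deliver(b, a, host_b, host_a)


def demo_one_way_only() -> Tuple[str, str]:
    """Only an A-to-B SA exists: the request passes, the reply has no SA."""
    a, b = Gateway("site-A"), Gateway("site-B")
    install_one_way_sa(a, b, "10.1.0.0/24", "10.2.0.0/24", spi=0xA1)
    return session(a, b, "10.1.0.10", "10.2.0.20")


def demo_pair() -> Tuple[str, str]:
    """The usual SA pair: both request and reply are carried."""
    a, b = Gateway("site-A"), Gateway("site-B")
    install_sa_pair(a, b, "10.1.0.0/24", "10.2.0.0/24",
                    spi_a_to_b=0xA1, spi_b_to_a=0xB2)
    return session(a, b, "10.1.0.10", "10.2.0.20")


if __name__ == "__main__":
    print("one SA only:", demo_one_way_only())
    print("SA pair:    ", demo_pair())
```

With only the A-to-B SA installed, the request is delivered but the reply is dropped at site B because no outbound SA covers B-to-A traffic; with the pair, both packets pass. A one-way flow such as a syslog export from A to B would succeed with the single SA, which is why one SA is enough only when nothing ever has to come back.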
Ivory

Re: VPN SA question

I thought so, I just wanted to confirm by having my hands on a per gateway pair VPN to check it, but I didn't. So unless we want traffic initiated from both ends, one SA should be enough. Thanks for verifying!

0 Kudos