VPN SA question
Hello
I have a question. When we have a L2L VPN and we have enabled tunnel per gateway pair, will it create only one SA or only one pair of SAs? From what I know, SAs are unidirectional, so the minimum we need is 2 for phase 2, am I right?
Second question: does every SA include the 'return' traffic as well (thus the whole session), or is the reason we need a 2nd IPsec SA the return traffic? Because if it is the former, and I only need one-way communication, then in theory one IPsec SA should be enough?
3 Replies
I believe you need the second SA for the return traffic, thus they are always created in pairs.
The SA created from site-A to B will support the session, so the forward and return traffic. It will not support a session started from site-B to A though, so there will be a new SA created for that traffic.
Regards, Maarten
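To make the "one negotiation, two simplex SAs, one session" relationship concrete, here is a small model of a gateway's Security Association Database. It is an added illustration for this thread, not Check Point code: it follows RFC 4301 (an SA is unidirectional, so a bidirectional flow needs a pair) and RFC 7296 (one IKEv2 CREATE_CHILD_SA exchange installs exactly one such pair). The gateway names, subnets and SPI values are constructed; `trace_session` and `build_demo` are hypothetical helpers written for this example.

```python
"""Toy model of an IPsec Security Association Database (SAD).

Added illustration for this thread, not Check Point code.  It follows RFC 4301
(an SA is simplex, so protecting a bidirectional flow takes a pair, one per
direction) and RFC 7296 (one IKEv2 CREATE_CHILD_SA exchange installs exactly
one such pair).  Gateway names, subnets and SPIs below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SA:
    spi: int        # Security Parameter Index, chosen by the side that will decrypt
    direction: str  # "out": this gateway encrypts; "in": this gateway decrypts
    src_net: str    # traffic selector: permitted inner source network
    dst_net: str    # traffic selector: permitted inner destination network

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net))


class SADatabase:
    """One gateway's SAD: outbound SAs are chosen by selectors, inbound ones by SPI."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.outbound: List[SA] = []
        self.inbound: Dict[int, SA] = {}

    def install_child_sa_pair(self, local_net: str, remote_net: str,
                              spi_out: int, spi_in: int) -> None:
        """What one successful Phase 2 / CREATE_CHILD_SA negotiation leaves behind."""
        self.outbound.append(SA(spi_out, "out", local_net, remote_net))
        self.inbound[spi_in] = SA(spi_in, "in", remote_net, local_net)

    def sa_count(self) -> int:
        return len(self.outbound) + len(self.inbound)

    def lookup_outbound(self, src_ip: str, dst_ip: str) -> Optional[SA]:
        """Cleartext packet leaving the gateway: pick the SA whose selectors match."""
        for sa in self.outbound:
            if sa.matches(src_ip, dst_ip):
                return sa
        return None

    def lookup_inbound(self, spi: int, src_ip: str, dst_ip: str) -> Optional[SA]:
        """ESP packet arriving: find the SA by SPI, then check the decrypted inner
        addresses against its selectors (RFC 4301 requires this; a mismatch is
        dropped and is worth logging, since the peer sent traffic it never negotiated)."""
        sa = self.inbound.get(spi)
        if sa is not None and sa.matches(src_ip, dst_ip):
            return sa
        return None


def trace_session(initiator_gw: SADatabase, responder_gw: SADatabase,
                  client_ip: str, server_ip: str) -> Optional[Tuple[int, int]]:
    """Follow a request/reply exchange through both gateways.

    Returns (SPI used on the request leg, SPI used on the reply leg), or None if
    either leg finds no SA on either side, which is the case that forces a new
    negotiation."""
    fwd = initiator_gw.lookup_outbound(client_ip, server_ip)
    if fwd is None or responder_gw.lookup_inbound(fwd.spi, client_ip, server_ip) is None:
        return None
    ret = responder_gw.lookup_outbound(server_ip, client_ip)
    if ret is None or initiator_gw.lookup_inbound(ret.spi, server_ip, client_ip) is None:
        return None
    return fwd.spi, ret.spi


def build_demo() -> Tuple[SADatabase, SADatabase]:
    """Two gateways after one negotiation covering 10.1.0.0/16 <-> 10.2.0.0/16 (constructed)."""
    gw_a, gw_b = SADatabase("GW-A"), SADatabase("GW-B")
    # The SPI for A->B traffic is chosen by B (it decrypts), and vice versa.
    gw_a.install_child_sa_pair("10.1.0.0/16", "10.2.0.0/16", spi_out=0x1001, spi_in=0x2001)
    gw_b.install_child_sa_pair("10.2.0.0/16", "10.1.0.0/16", spi_out=0x2001, spi_in=0x1001)
    return gw_a, gw_b


if __name__ == "__main__":
    a, b = build_demo()
    print("SAs per gateway:", a.sa_count(), b.sa_count())
    print("session from A side:", trace_session(a, b, "10.1.0.10", "10.2.0.20"))
    print("unnegotiated subnet:", trace_session(a, b, "10.3.0.10", "10.2.0.20"))
```

After one negotiation each gateway holds two SAs, and a single session's request and reply ride on that one pair (the request on the SPI the peer chose, the reply on the SPI we chose). A packet whose addresses fall outside the negotiated selectors, here a third subnet, matches nothing and would need a fresh negotiation; on the inbound side the selector check after decryption is the control that stops a peer from pushing traffic the SA was never agreed for.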
I thought so, I just wanted to confirm by having my hands on a per-gateway-pair VPN to check it, but I didn't. So unless we want traffic initiated from both ends, one SA should be enough. Thanks for verifying!
