Hello Everyone... Can someone please let me know the different ways of reducing the number of SAs in Check Point VPN? Thanks
The "VPN tunnel sharing" setting under Tunnel Management in the VPN Community object controls the number of IPSec SAs that are generated. "Pair of hosts" will make the most individual IPSec SAs, while "one VPN tunnel per gateway pair" will make only one "universal" (i.e. 0.0.0.0/0) IPSec tunnel between the gateways. "Per subnet pair" is the default and is usually the most appropriate setting; the number of SAs it generates is somewhere between the other two settings, depending on your VPN domain configuration.
Be warned though that changing this setting in a VPN Community with an Externally Managed Gateway or Interoperable Device peer as part of it is likely to break the tunnel, unless the peer's configuration has been updated to match the change you are making.
-- My book "Max Power: Check Point Firewall Performance Optimization" now available via http://maxpowerfirewalls.com.
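As an added illustration (not from the thread or from Check Point), a small Python model of the Phase 2 selectors each tunnel-sharing setting produces for a given pair of VPN domains, plus a check of why a peer on a different setting fails to bring the tunnel up. It assumes an exact-match selector model (typical of IKEv1 Quick Mode; peers that narrow selectors under IKEv2 may behave differently) and the VPN domains shown are constructed sample values.

```python
from ipaddress import ip_network
from itertools import product

ANY = ip_network("0.0.0.0/0")  # the "universal" selector of per-gateway-pair mode


def usable_hosts(net):
    # hosts() drops network/broadcast for prefixes shorter than /31;
    # treat /31 and /32 as fully usable regardless of Python version
    return list(net) if net.prefixlen >= 31 else list(net.hosts())


def sa_selectors(local_domain, remote_domain, mode):
    """Set of (local, remote) Phase 2 selector pairs a gateway negotiates.

    local_domain / remote_domain: lists of CIDR strings (the VPN domains).
    mode: 'gateway' (one tunnel per gateway pair), 'subnet' (per subnet pair,
    the default) or 'host' (pair of hosts).
    """
    local = [ip_network(n) for n in local_domain]
    remote = [ip_network(n) for n in remote_domain]
    if mode == "gateway":
        return {(ANY, ANY)}
    if mode == "subnet":
        return set(product(local, remote))
    if mode == "host":
        lh = [ip_network(a) for n in local for a in usable_hosts(n)]
        rh = [ip_network(a) for n in remote for a in usable_hosts(n)]
        return set(product(lh, rh))
    raise ValueError(f"unknown tunnel sharing mode: {mode}")


def sa_count(local_domain, remote_domain, mode):
    return len(sa_selectors(local_domain, remote_domain, mode))


def tunnel_negotiable(a_selectors, b_selectors):
    """Exact-match model (assumption): every selector A proposes must exist
    as its mirror image (remote, local) on B, and vice versa."""
    return a_selectors == {(r, l) for (l, r) in b_selectors}


if __name__ == "__main__":
    A = ["10.1.0.0/24", "10.1.1.0/30"]   # constructed VPN domain of gateway A
    B = ["192.168.5.0/24"]               # constructed VPN domain of gateway B
    for m in ("gateway", "subnet", "host"):
        print(f"{m:8s}: {sa_count(A, B, m)} SAs")
    # both sides per-subnet: fine; A switched to per-gateway, B unchanged: breaks
    print(tunnel_negotiable(sa_selectors(A, B, "subnet"), sa_selectors(B, A, "subnet")))
    print(tunnel_negotiable(sa_selectors(A, B, "gateway"), sa_selectors(B, A, "subnet")))
```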