How Are VPN Tunnels Counted?
Knowledge Base ID: KB4204
Version: 2.0
Published: 07 Oct 2008
Updated: 07 Oct 2008
Categories: NS-5GT, NS-5XP, NS-5XT, NS-25, NS-50, NS-204, NS-208, NS-5200, NS-5400, ScreenOS

Summary:
How Are VPN Tunnels Counted?

Problem or Goal:

Solution:

Note: This article applies to ScreenOS 4.0 and higher.

For IKE VPN tunnels, more than one policy can reference the same tunnel. Each network pair carried through the tunnel negotiates its own Security Association (SA), so a single VPN tunnel can have several SAs. The tunnel count follows the gateways, not the SAs: in an ordinary LAN-to-LAN VPN, the number of IKE gateways configured equals the number of tunnels counted against the platform limit.

Tunnels are counted differently for dial-up VPN users. Each dial-up user configured with its own IKE gateway counts as one VPN gateway, and therefore one tunnel. With a dial-up VPN group, the group's IKE gateway entry counts as one VPN gateway, and each group member that connects consumes one additional VPN tunnel for as long as it stays connected.

For example, a NetScreen-5XP has three LAN-to-LAN IKE tunnels, two manual key tunnels, and one dial-up VPN group IKE entry whose group has 20 members. With no dial-up users connected, the effective tunnel count is six (3 + 2 + 1). The NetScreen-5XP limit is 10 VPN tunnels, so four tunnels remain for dial-up users: at most four of the 20 group members can be connected at the same time, regardless of the size of the group.
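The counting rule above (one tunnel per IKE gateway or manual key VPN, extra policies adding SAs rather than tunnels, and connected dial-up users consuming the remainder) is easy to get wrong by hand on a busy firewall. The following script is an added example, not code from this article or from Juniper: it reads ScreenOS-style `set` lines and reports the configured tunnel count and the dial-up headroom. The line shapes it matches (`set ike gateway ... address|dialup ...`, `set vpn ... manual ...`, `set vpn ... gateway ...`, `set policy ... tunnel vpn ...`) follow ScreenOS CLI syntax as understood by the author of this example and should be treated as assumptions to be checked against `get config` on a real unit. The sample configuration is constructed to mirror the NetScreen-5XP example above.

```python
"""Count ScreenOS VPN tunnels against a platform limit (added example)."""
import re
from dataclasses import dataclass, field

# Assumed ScreenOS line shapes; quotes around names are optional in CLI output.
IKE_GW_LAN = re.compile(r'^set ike gateway "?([^"\s]+)"? address\s', re.I)
IKE_GW_DIALUP = re.compile(r'^set ike gateway "?([^"\s]+)"? dialup\s', re.I)
VPN_MANUAL = re.compile(r'^set vpn "?([^"\s]+)"? manual\s', re.I)
VPN_IKE = re.compile(r'^set vpn "?([^"\s]+)"? gateway "?([^"\s]+)"?', re.I)
POLICY_TUNNEL = re.compile(r'^set policy\b.*\btunnel vpn "?([^"\s]+)"?', re.I)

NS_5XP_TUNNEL_LIMIT = 10  # limit stated in the article for the NetScreen-5XP


@dataclass
class TunnelCount:
    lan_to_lan_gateways: set = field(default_factory=set)
    dialup_gateways: set = field(default_factory=set)    # one per dial-up user or group entry
    manual_key_tunnels: set = field(default_factory=set)
    ike_vpn_gateway: dict = field(default_factory=dict)  # vpn name -> gateway name
    sas_per_vpn: dict = field(default_factory=dict)      # vpn name -> SAs (one per policy)

    @property
    def configured(self) -> int:
        """Tunnels used with no dial-up users connected.

        One per IKE gateway (LAN-to-LAN or dial-up entry) plus one per
        manual key VPN. Extra policies on the same VPN add SAs, not tunnels.
        """
        return (len(self.lan_to_lan_gateways)
                + len(self.dialup_gateways)
                + len(self.manual_key_tunnels))


def parse_config(lines):
    """Classify ScreenOS 'set' lines into the objects that consume tunnels."""
    count = TunnelCount()
    for raw in lines:
        line = raw.strip()
        if m := IKE_GW_LAN.match(line):
            count.lan_to_lan_gateways.add(m.group(1))
        elif m := IKE_GW_DIALUP.match(line):
            count.dialup_gateways.add(m.group(1))
        elif m := VPN_MANUAL.match(line):      # checked before VPN_IKE: manual lines also say 'gateway'
            count.manual_key_tunnels.add(m.group(1))
        elif m := VPN_IKE.match(line):
            count.ike_vpn_gateway[m.group(1)] = m.group(2)
        elif m := POLICY_TUNNEL.match(line):
            vpn = m.group(1)
            count.sas_per_vpn[vpn] = count.sas_per_vpn.get(vpn, 0) + 1
    return count


def dialup_slots_free(count, limit, connected_dialup_users=0):
    """How many more dial-up users can connect right now.

    Each connected dial-up user takes one tunnel on top of the configured
    gateways, whatever the size of the dial-up group.
    """
    return limit - count.configured - connected_dialup_users


# Constructed sample: 3 LAN-to-LAN gateways, 1 dial-up group entry, 2 manual key VPNs.
# vpn-a carries two networks (two policies), which adds an SA but not a tunnel.
SAMPLE_CONFIG = [
    'set ike gateway "branch-a" address 192.0.2.10 Main outgoing-interface "untrust" preshare "k" sec-level standard',
    'set ike gateway "branch-b" address 192.0.2.11 Main outgoing-interface "untrust" preshare "k" sec-level standard',
    'set ike gateway "branch-c" address 192.0.2.12 Main outgoing-interface "untrust" preshare "k" sec-level standard',
    'set ike gateway "road-warriors" dialup "sales-group" Aggr outgoing-interface "untrust" preshare "k" sec-level standard',
    'set vpn "vpn-a" gateway "branch-a" sec-level standard',
    'set vpn "vpn-b" gateway "branch-b" sec-level standard',
    'set vpn "vpn-c" gateway "branch-c" sec-level standard',
    'set vpn "vpn-dialup" gateway "road-warriors" sec-level standard',
    'set vpn "mk-1" manual 3001 3002 gateway 192.0.2.20 outgoing-interface "untrust" esp 3des password "k" auth sha-1 password "k"',
    'set vpn "mk-2" manual 3003 3004 gateway 192.0.2.21 outgoing-interface "untrust" esp 3des password "k" auth sha-1 password "k"',
    'set policy id 1 from "trust" to "untrust" "LAN" "branch-a-net1" "ANY" tunnel vpn "vpn-a"',
    'set policy id 2 from "trust" to "untrust" "LAN" "branch-a-net2" "ANY" tunnel vpn "vpn-a"',
    'set policy id 3 from "trust" to "untrust" "LAN" "branch-b-net" "ANY" tunnel vpn "vpn-b"',
    'set policy id 4 from "trust" to "untrust" "LAN" "branch-c-net" "ANY" tunnel vpn "vpn-c"',
    'set policy id 5 from "untrust" to "trust" "Dial-Up VPN" "LAN" "ANY" tunnel vpn "vpn-dialup"',
]

if __name__ == "__main__":
    c = parse_config(SAMPLE_CONFIG)
    print(f"configured tunnels: {c.configured} (SAs on vpn-a: {c.sas_per_vpn['vpn-a']})")
    print(f"dial-up slots free on a {NS_5XP_TUNNEL_LIMIT}-tunnel box: "
          f"{dialup_slots_free(c, NS_5XP_TUNNEL_LIMIT)}")
```

Running it on the constructed sample reports six configured tunnels and four free dial-up slots, matching the worked example; with four group members already connected, `dialup_slots_free` returns zero, which is why the fifth member of the 20-member group cannot bring a tunnel up.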



Purpose:
Troubleshooting