How Are VPN Tunnels Counted?

  [KB4204]

Note: This article applies to ScreenOS 4.0 and higher.

For IKE VPN tunnels, you can have multiple policies per tunnel. Each network included in a tunnel constitutes one Security Association (SA), so a single VPN tunnel can have multiple SAs. In a normal LAN-to-LAN VPN tunnel, the number of gateways configured equals the number of tunnels.

Tunnels are counted differently for dial-up VPN users. When you create individual dial-up VPN users, each user counts as one VPN gateway. If you use a dial-up VPN group, the dial-up group IKE entry counts as one VPN gateway, and each additional dial-up user who connects uses up another VPN tunnel.

For example, consider a NetScreen-5XP that has three LAN-to-LAN IKE tunnels, two manual key tunnels, and one dial-up VPN group IKE entry with 20 members in the VPN group. If no dial-up VPN users are connected, the effective number of tunnels is six. For a NetScreen-5XP, the limit is 10 VPNs, which means there are four VPNs left for the dial-up VPN users.

