
How Are VPN Tunnels Counted?



Article ID: KB4204 | KB Last Updated: 28 Jun 2010 | Version: 3.0


Note: This article applies to ScreenOS 4.0 and higher.

For IKE VPN tunnels, you can have multiple policies per tunnel. Each network included in a tunnel constitutes one Security Association (SA), so a single VPN tunnel can have multiple SAs. For normal LAN-to-LAN VPN tunnels, the number of gateways configured equals the number of tunnels.

Tunnels for dial-up VPN users are counted differently. When you create individual dial-up VPN users, each user counts as one VPN gateway. If you use a dial-up VPN group, the dial-up group IKE entry counts as one VPN gateway, and each additional dial-up user uses up another VPN tunnel.

For example, a NetScreen-5XP has three LAN-to-LAN IKE tunnels, two manual key tunnels, and one dial-up VPN group IKE entry with 20 members in the VPN group. If no dial-up VPN users are connected, the effective number of tunnels is six. The limit for a NetScreen-5XP is 10 VPNs, which means there are four VPNs left for the dial-up VPN users.
