Hi All,
After doing GETVPN I have a few points of confusion.

Normally, when we build a site-to-site IPsec tunnel, once the tunnel is formed and we issue "sh crypto ipsec", we see two SAs: one SA for inbound and the other SA for outbound, and we can also see two SPI values. Here, according to my observation, every router generates its outbound SPI, i.e. the inbound SPI is generated by the opposite router (correct me if I am wrong here). I know that the SPI value points to the policy which we are using (the transform set). Can I say this policy is an IPsec SA (is this correct)? If this is correct, then I can say we use one SA in each direction, and that is the reason we have two SPI values.

Now in the case of GETVPN, when I do "sh crypto gdoi" on the KS, it shows "IPSec SA Direction : Both". Here the KS is pushing a policy (the SA) to the GMs, and I guess the SPI value is also generated by the KS. Once this is pushed, the GMs will use this SA to encrypt as well as decrypt, so the SPI values are the same for both directions; when I take a trace between two GMs I see both using the same SPI value. So in this case, if I am asked how many SAs are used, my answer will be one (is that right?). In "sh crypto ipsec" for GETVPN we see an inbound SA and an outbound SA, but both have the same SPI, which points to the policy downloaded from the KS, and the above command also tells us that only one SA is used in both directions.

Please correct me if I am wrong.

Regards
imran
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
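As an added example, not part of imran's post or any Cisco tool, the script below does the comparison the post describes by hand: it parses the "inbound esp sas:" / "outbound esp sas:" blocks of "show crypto ipsec sa" output and reports whether the inbound and outbound SPIs are distinct (two unidirectional SAs negotiated pairwise) or identical (one group SA, as a GETVPN key server distributes). The two sample outputs are constructed for this example and modelled on the IOS layout; the addresses, crypto-map names and SPI values in them are made up.

```python
import re

# Constructed sample output modelled on "show crypto ipsec sa" (values made up).
SITE_TO_SITE = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPN, local addr 192.0.2.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 192.0.2.2 port 500
     inbound esp sas:
      spi: 0x4A1B2C3D(1243294781)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xD3C2B1A0(3552752032)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
     outbound ah sas:
     outbound pcp sas:
"""

# Constructed sample for a GETVPN group member: both directions carry the SPI
# the key server handed out (values made up).
GETVPN = """\
interface: GigabitEthernet0/1
    Crypto map tag: GDOI-MAP, local addr 198.51.100.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     inbound esp sas:
      spi: 0xA5A5F00D(2779115533)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
     outbound esp sas:
      spi: 0xA5A5F00D(2779115533)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
"""

SECTION_RE = re.compile(r"^\s*(inbound|outbound)\s+(esp|ah|pcp)\s+sas:\s*$")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)\((\d+)\)")


def parse_esp_sas(output):
    """Return {'inbound': [spi, ...], 'outbound': [spi, ...]} for the ESP SAs.

    Only the esp sections are collected; an ah/pcp header resets the current
    direction so a stray 'spi:' line under them is never misattributed.
    """
    sas = {"inbound": [], "outbound": []}
    direction = None
    for line in output.splitlines():
        sec = SECTION_RE.match(line)
        if sec:
            direction = sec.group(1) if sec.group(2) == "esp" else None
            continue
        spi = SPI_RE.match(line)
        if spi and direction:
            hex_val, dec_val = int(spi.group(1), 16), int(spi.group(2))
            if hex_val != dec_val:
                raise ValueError("hex/decimal SPI mismatch on line: %r" % line)
            sas[direction].append(hex_val)
    return sas


def classify(sas):
    """'pairwise' if every direction has its own SPI, 'group' if both
    directions share the same SPI set (old and new TEKs during a rekey still
    match as sets), 'mixed' for partial overlap, 'incomplete' if a side is empty."""
    inbound, outbound = set(sas["inbound"]), set(sas["outbound"])
    if not inbound or not outbound:
        return "incomplete"
    if inbound == outbound:
        return "group"
    if inbound & outbound:
        return "mixed"
    return "pairwise"


def summarize(output):
    """Parsed SPIs plus the number of distinct SAs the SPIs actually identify."""
    sas = parse_esp_sas(output)
    distinct = set(sas["inbound"]) | set(sas["outbound"])
    return {"model": classify(sas), "distinct_spis": len(distinct), **sas}


if __name__ == "__main__":
    for name, text in (("site-to-site", SITE_TO_SITE), ("getvpn", GETVPN)):
        print(name, summarize(text))
```

Run it against real output pasted into the two string constants; a "group" result with one distinct SPI is exactly the picture imran describes for GETVPN, while a pairwise IKE tunnel shows two.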
