I have read that page many times and searched for manual keying also. But that didn't answer my question. Anyway, I got an answer from the Cisco group saying that:

Basically yes. Each line in your ACL actually builds a separate tunnel, with unique SPIs. If you use manual keys, you can only provide one set of SPIs, and therefore, the router/firewall can only build one tunnel, hence only one line in your ACL. With IKE, it dynamically creates unique SPIs per tunnel/ACL line, and therefore you're not limited.

Best regards,
Cisco Breaker

"Brunner Joseph" wrote in message news:[EMAIL PROTECTED]...
> I think you're confusing SPI with a "CBAC" technology. An SPI is a
> uni-directional IPSEC peer transform set hash (agreement on what you're using
> with your IPSEC PEER).
>
> An SPI is made in each direction to each peer. The Access-list permits
> flag traffic (matched by the router) as "permitted for IPSEC".
> The access-list being referenced in the "Crypto map" will make sure
> the permits get applied ipsec and sent to the peer.
>
> I think reading this simple page will clear any misconceptions or questions
> you may have about IPSEC/MANUAL (NO IKE).
>
> http://www.cisco.com/warp/public/707/manual.shtml
>
> And by the way, IKE is really a CONVENIENCE protocol, which was made
> popular by adding autonegotiation for IPSEC PHASE 1 and added some
> great security features like key management and secure key exchange
> (SKEME/OAKLEY).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57688&t=57448
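An added illustration of the point made in this thread, not part of the original posts: a Cisco IOS crypto map with manual keys beside one negotiated by IKE. The map and transform-set names, peer address, ACL numbers, subnets, SPI values and key placeholders are all constructed for the example.

```cisco
! --- Manual keying: SPIs and keys are typed in by hand (constructed values) ---
crypto ipsec transform-set TS-EXAMPLE esp-aes esp-sha-hmac
!
crypto map VPN-MANUAL 10 ipsec-manual
 set peer 192.0.2.2
 ! One inbound and one outbound SPI is all this entry can carry,
 ! so it describes exactly one pair of SAs (one tunnel).
 set session-key inbound esp 1000 cipher <HEX-KEY-PLACEHOLDER> authenticator <HEX-KEY-PLACEHOLDER>
 set session-key outbound esp 1001 cipher <HEX-KEY-PLACEHOLDER> authenticator <HEX-KEY-PLACEHOLDER>
 set transform-set TS-EXAMPLE
 match address 101
!
! Only a single permit line is usable here, matching the single SPI pair.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! --- IKE: SPIs and keys are negotiated, one SA pair per ACL line ---
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 192.0.2.2
!
crypto map VPN-IKE 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-EXAMPLE
 match address 102
!
! Each permit line gets its own dynamically assigned inbound/outbound SPIs.
access-list 102 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
access-list 102 permit ip 10.1.3.0 0.0.0.255 10.2.4.0 0.0.0.255
```

On a router running either map, `show crypto ipsec sa` lists the inbound and outbound SPI for each SA, which is a quick way to confirm how many tunnels were actually built.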

