When studying policy-based VPNs, it says that when traffic matches a policy a new tunnel is generated, because each tunnel has its own negotiation process and SA ...
Would someone please explain what this means?
It will set up a separate Phase 2 (IPsec) SA per flow, and also a separate tunnel.
That means if you have 20 flows at the same time, it will build 20 tunnels in parallel (one per flow).
So use policy-based only when you are sure that you have a single flow or a very low number of passing flows.
A separate VPN tunnel (Phase 2) will be established for each set of source-address / destination-address entries in the policy, or for each proxy ID configured for the VPN. In comparison, a route-based VPN will create a single Phase 2 for all the traffic that goes through the VPN.
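To make the difference between the two answers concrete, here is a small model of the SPD lookup an IPsec gateway performs, written for this thread and not taken from any vendor's code or from the posts above. It assumes the usual behaviour: the policy is an ordered list of (local subnet, remote subnet) proxy-ID pairs, one Phase 2 SA is negotiated for each pair that actually carries traffic (in a real stack that is an SA per direction), and a route-based tunnel is the special case of a single wildcard 0.0.0.0/0 <-> 0.0.0.0/0 pair with routing deciding what enters it. The subnets, hosts and the 21 constructed flows are made up for the illustration. It shows that 20 flows spread over two proxy-ID pairs cost two Phase 2 SAs, not twenty, while the same flows on a route-based tunnel share one SA; the "one tunnel per flow" case in the first answer is what you get when every flow lands under its own policy entry (for example a policy written as individual host pairs).

```python
"""Model of how IPsec Phase 2 SAs map to traffic in policy-based vs route-based VPNs.

Constructed illustration for the discussion above; not vendor code and not from
the original post.  Assumption: one Phase 2 SA per proxy-ID pair that sees traffic.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ProxyId = Tuple[str, str]   # (local selector, remote selector) as written in the policy
Flow = Tuple[str, str]      # (src IP, dst IP) of a packet arriving at the gateway


def lookup_proxy_id(spd: List[ProxyId], flow: Flow) -> Optional[ProxyId]:
    """First-match SPD lookup: the proxy-ID pair covering the flow, or None."""
    src, dst = ip_address(flow[0]), ip_address(flow[1])
    for local, remote in spd:
        if src in ip_network(local) and dst in ip_network(remote):
            return (local, remote)
    return None


def phase2_sas(spd: List[ProxyId], flows: List[Flow]):
    """Group flows by the proxy-ID pair (i.e. the Phase 2 SA) they would ride on.

    Returns (sas, unmatched): sas maps each pair that carries traffic to its flows;
    unmatched holds flows no policy entry covers (sent in the clear or dropped,
    depending on the gateway's configuration).
    """
    sas: Dict[ProxyId, List[Flow]] = {}
    unmatched: List[Flow] = []
    for flow in flows:
        pid = lookup_proxy_id(spd, flow)
        if pid is None:
            unmatched.append(flow)
        else:
            sas.setdefault(pid, []).append(flow)   # same pair -> same SA, no new negotiation
    return sas, unmatched


def count_phase2_sas(spd: List[ProxyId], flows: List[Flow]) -> int:
    """Number of Phase 2 SAs the gateway would negotiate for this traffic mix."""
    return len(phase2_sas(spd, flows)[0])


# Constructed sample policies (hypothetical subnets).
POLICY_BASED_SPD: List[ProxyId] = [
    ("10.1.1.0/24", "10.2.1.0/24"),   # proxy-ID pair A -> its own Phase 2 SA
    ("10.1.2.0/24", "10.2.2.0/24"),   # proxy-ID pair B -> another Phase 2 SA
]
ROUTE_BASED_SPD: List[ProxyId] = [
    ("0.0.0.0/0", "0.0.0.0/0"),       # VTI-style wildcard pair; routing selects the tunnel
]

# Constructed traffic: 10 hosts in A to one server, 10 host pairs in B, 1 stray flow.
FLOWS: List[Flow] = (
    [(f"10.1.1.{h}", "10.2.1.10") for h in range(1, 11)]
    + [(f"10.1.2.{h}", f"10.2.2.{h}") for h in range(1, 11)]
    + [("10.1.3.5", "10.2.3.5")]      # subnet absent from the policy-based SPD
)

if __name__ == "__main__":
    for name, spd in (("policy-based", POLICY_BASED_SPD), ("route-based", ROUTE_BASED_SPD)):
        sas, unmatched = phase2_sas(spd, FLOWS)
        print(f"{name}: {len(sas)} Phase 2 SA(s) for {len(FLOWS) - len(unmatched)} flows, "
              f"{len(unmatched)} flow(s) with no matching proxy ID")
        for pid, fl in sas.items():
            print(f"  SA {pid[0]} <-> {pid[1]}: {len(fl)} flows")
```

Running it prints two SAs for the policy-based SPD (the 10.1.3.5 flow matches nothing, which is the classic "new subnet silently not encrypted" mistake with policy-based VPNs) and one SA carrying all 21 flows for the route-based SPD. If you want to reproduce the first answer's 20-tunnel scenario, replace the two /24 entries with one /32 pair per host and the count rises to one SA per pair.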