Question & Answer
Question
What is a Security Parameter Index (SPI) and what is it used for?
Answer
The Security Parameter Index (SPI) is an identifier used to uniquely identify both manually and dynamically established IPSec Security Associations. For manual Security Associations, the SPI is configured by the customer. For dynamic Security Associations, the SPI is generated by IKED.
A single IPSec connection can require up to four SPI values, depending on the type of IPSec protection required:
AuthOutboundSpi, for authentication traffic transmitted outbound to the remote security endpoint.
AuthInboundSpi, for authentication traffic received inbound from the remote security endpoint.
EncryptOutboundSpi, for encryption traffic transmitted outbound to the remote security endpoint.
EncryptInboundSpi, for encryption traffic received inbound from the remote security endpoint.
In a manual IPSec configuration, the Security Parameter Index (SPI) values are determined by the administrator and configured beforehand on both the local and remote hosts. An SPI is specified on the following parameters of the IpManVpnAction statement:
AuthOutboundSa: the spi specified on this parameter is the AuthOutboundSpi
AuthInboundSa: the spi specified on this parameter is the AuthInboundSpi
EncryptOutboundSa: the spi specified on this parameter is the EncryptOutboundSpi
EncryptInboundSa: the spi specified on this parameter is the EncryptInboundSpi
For manual tunnels, SPI values should be chosen from the range 256 - 4096. These values are reserved by TCP/IP for use by manual tunnels and do not conflict with any dynamic tunnels.
Manual tunnel SPI values are displayed using the ipsec -p stackname -m display command.
Dynamic tunnel SPI values are displayed using the ipsec -p stackname -y display command.
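As an added example (not IBM code and not part of the original answer), the following Python sketch audits a planned set of manual tunnel SPI values for two hosts before they are entered on the IpManVpnAction parameters. It assumes the 256 - 4096 range is inclusive and relies on the general IPsec rule, not stated above, that one host's outbound SPI must equal its peer's inbound SPI; the function name, the dictionary layout and the sample values are constructed for illustration.

```python
# Added example: audit manual-tunnel SPI values planned for a local and a remote host.
# Keys are the IpManVpnAction parameter names from the answer; the dict layout is an
# assumption made for this sketch, not Policy Agent configuration syntax.
SPI_MIN, SPI_MAX = 256, 4096  # manual-tunnel range from the answer, treated as inclusive
KINDS = ("Auth", "Encrypt")
VALID = {f"{k}{d}Sa" for k in KINDS for d in ("Outbound", "Inbound")}


def audit_spi_plan(local, remote):
    """Return a list of findings; an empty list means the plan is consistent."""
    hosts = {"local": local, "remote": remote}
    findings = []
    # 1. Every SPI must be an integer inside the manual-tunnel range.
    for host, plan in hosts.items():
        for param, spi in sorted(plan.items()):
            if param not in VALID:
                findings.append(f"{host}: unknown parameter {param}")
            elif not (isinstance(spi, int) and SPI_MIN <= spi <= SPI_MAX):
                findings.append(f"{host}: {param} spi {spi} is outside {SPI_MIN}-{SPI_MAX}")
    # 2. The receiver selects the SA by the SPI carried in the packet, so the
    #    sender's outbound SPI must equal the receiver's inbound SPI (both may be absent).
    for sender, receiver in (("local", "remote"), ("remote", "local")):
        for kind in KINDS:
            out_spi = hosts[sender].get(f"{kind}OutboundSa")
            in_spi = hosts[receiver].get(f"{kind}InboundSa")
            if out_spi != in_spi:
                findings.append(
                    f"{sender} {kind}OutboundSa={out_spi} does not match "
                    f"{receiver} {kind}InboundSa={in_spi}"
                )
    return findings


# Constructed sample plans (values are illustrative only).
LOCAL = {"AuthOutboundSa": 300, "AuthInboundSa": 301,
         "EncryptOutboundSa": 302, "EncryptInboundSa": 303}
REMOTE_OK = {"AuthOutboundSa": 301, "AuthInboundSa": 300,
             "EncryptOutboundSa": 303, "EncryptInboundSa": 302}
REMOTE_BAD = dict(REMOTE_OK, EncryptInboundSa=5000)  # out of range and unmatched

if __name__ == "__main__":
    for name, remote in (("REMOTE_OK", REMOTE_OK), ("REMOTE_BAD", REMOTE_BAD)):
        print(name, audit_spi_plan(LOCAL, remote) or "consistent")
```

Copying the local values unchanged to the remote host, instead of swapping inbound and outbound, is reported as four mismatches.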
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
26 May 2017
UID
dwa1377750