For IPsec a 32-bit SPI semi-uniquely identifies an IPsec SA.
It's a best practice to uncheck parameters in the VPN tunnel options that aren't needed with the customer gateway for the VPN connection.
1 Peer proposed phase1 proposal conflicts with local configuration. This is particularly useful for the folks out there reading this who have access to only one side of the VPN or have a VPN to a 3rd party.
In certain cases an IPsec tunnel may show what appear to be duplicate IKE (Phase 1) or Child (Phase 2) security association (SA) entries.

redacted
crypto map OUTSIDE_VPN 80 set ikev1 transform-set L2L_AZURE
crypto map OUTSIDE_VPN 80 set security-association lifetime seconds 3600
crypto map OUTSIDE_VPN 80 set.

The most common problem with IPsec VPN tunnels is a mismatch between the proposals offered by each party. The period between each renegotiation is known as the lifetime.

IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.

Source and destination IP address of the resulting IPsec header.
Each security association defines the following parameters:

Since these SAs are unidirectional the ESP/AH header contains only the SPI of the destination's inbound SA (unlike the IKE header which always contains both SPIs).

Example:
> show security ike security-association
> show security ipsec security-association
Total active tunnels: 1

IKE lifetime or SA/IPsec lifetime are not set to the same values on each end of the tunnel respectively.