Why does using multiple sets of specific IPs to specific IPs in a crypto ACL cause instability in VPN tunnels? Please relate this to phase 2 SAs (IPsec).
Ex.
172.16.0.0 -> 10.0.0.0
172.17.0.0 -> 10.0.0.0
10.132.0.0 -> 10.0.0.0
vs.
any -> 10.0.0.0
OR
172.16.0.0 -> 10.0.0.0
172.16.0.0 -> 12.0.0.0
10.132.0.0 -> 13.0.0.0
vs.
any -> any (and using ACLs on the interface or a VPN-filter to limit traffic across).
Best Answer
If you're talking Cisco, each ACL record is its own SA (tunnel). FWIW, the Cisco PIX/ASA will not allow an "any" rule (which is why an IOS tunnel interface cannot terminate to a PIX/ASA).
What sort of instability are you seeing? If one rule works, they should all work. Yes, there will be a delay if the SA isn't set up yet. The only issue I can think of would be where IPsec is passing through a NAT device that cannot keep track of multiple streams.
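To make the "each ACL record is its own SA" point concrete, here is an added example (not from the answer above or from any vendor code) that takes the question's two ACL styles, derives the Phase 2 selectors each side would negotiate, and flags local entries that the peer has not mirrored. It assumes /16 and /8 masks for the question's bare addresses and the usual IKEv1 rule that the peer's crypto ACL must be the mirror image of ours; the ACL text is constructed sample input.

```python
import ipaddress

# Constructed sample input, mirroring the question's first example (masks assumed).
LOCAL_ACL = ["172.16.0.0/16 -> 10.0.0.0/8",
             "172.17.0.0/16 -> 10.0.0.0/8",
             "10.132.0.0/16 -> 10.0.0.0/8"]
# Peer's crypto ACL; the third entry is deliberately missing to show a non-mirrored ACE.
REMOTE_ACL = ["10.0.0.0/8 -> 172.16.0.0/16",
              "10.0.0.0/8 -> 172.17.0.0/16"]
# The summarized alternative from the question: one ACE on each side.
SUMMARY_LOCAL = ["any -> 10.0.0.0/8"]
SUMMARY_REMOTE = ["10.0.0.0/8 -> any"]


def to_net(text):
    """'any' has no selector; everything else is parsed as a network."""
    return None if text.strip() == "any" else ipaddress.ip_network(text.strip(), strict=False)


def parse_acl(lines):
    """Turn 'src -> dst' lines into (src_net, dst_net) tuples, one per ACE."""
    return [tuple(to_net(p) for p in line.split("->")) for line in lines]


def expected_sas(local_acl, remote_acl):
    """One Phase 2 SA per local ACE; mark whether the peer carries the mirror image.

    A mirror of local (src, dst) is a remote entry (dst, src). An unmirrored ACE
    will fail Phase 2 negotiation for that selector pair while the others still
    come up, which looks like a tunnel that only partially works.
    """
    mirrored = {(dst, src) for src, dst in remote_acl}
    return [{"selector": f"{src or 'any'} -> {dst or 'any'}",
             "mirrored": (src, dst) in mirrored}
            for src, dst in local_acl]


def sa_count(local_acl):
    """Number of independent SAs (each with its own lifetime and rekey) a crypto ACL produces."""
    return len(local_acl)


if __name__ == "__main__":
    for sa in expected_sas(parse_acl(LOCAL_ACL), parse_acl(REMOTE_ACL)):
        print(sa)
    print("specific ACEs ->", sa_count(parse_acl(LOCAL_ACL)), "SAs;",
          "summarized ->", sa_count(parse_acl(SUMMARY_LOCAL)), "SA")
```

Running it shows three SAs for the specific-entry ACL, with the third flagged as unmirrored, against a single SA for the summarized form; when troubleshooting, compare the flagged selectors with what `show crypto ipsec sa` reports on each peer.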