Yes, it should match (meaning that the tunnel ID seen in the "get sa" should be the same as what is seen in the conf). BUT you need to check, its the tunnel ID not the tunnel interface no:
See the tunnel ID in the SA:
Test-> get sa id 0x02 | i tun
auto key. tunnel if binding node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 2, peer id 0, NSRP Local. site-to-site. Local interface is ethernetY <X.X.X.X>.
Corresponding config:
set vpn "VPN" id 0x2 bind interface tunnel.1
See the above, the tunnel ID is 2 but the actual tunnel interface is tun.1.
The tunnel ID is automatically set by the firewall or NSM and does not always match the tunnel interface number.
Message Edited by WL on 05-26-2009 10:11 AM