First off, it’s important to understand that a VPN tunnel, a Security Association (SA), and a VPN policy are three differently defined things. SonicWALLs are licensed for VPN policies, each of which is a connection to a unique remote peer gateway.

For example, the TZ170-U security appliance is licensed for ten VPN policies, which means that it is capable of setting up VPN connections with up to ten unique remote peer gateways. In some of our older documentation, SonicWALL used the generic term "VPN Tunnel", or referred to them as "profiles", which can be somewhat misleading. While "profiles" and "VPN policies" refer to the same thing, it’s extremely important to note that a "VPN tunnel" or "SA" should not be considered the same as a VPN policy. Remember that with IKE IPsec, at least three SAs are negotiated for each VPN tunnel: one Phase 1 IKE SA, and two unidirectional Phase 2 IPsec SAs for each remote subnet. So on a TZ170-U, if you were to set up VPN tunnels to five unique remote peer gateways, and each had one remote subnet defined, you’re actually talking about 15 SAs, and it would work fine.

The following illustration helps you visualize the relationship between a VPN tunnel and a VPN policy:

For SonicWALLs running older 6.x firmware, it gets a little more complex when you start adding lots of remote subnets to each VPN policy, as the SonicWALL has a shared memory pool, and other functions on the SonicWALL may utilize this pool. This means that if the SonicWALL has other functions active (for example: AV, CFS, extensive firewall policy entries, IPS, GAV, AntiSpyware), they may adversely affect your ability to set up new VPN policies or add additional subnets to existing VPN policies, even if the security appliance is licensed for a specified number of policies. When our older documentation discusses how many "VPN Tunnels" or "profiles" each model can support, the number is really a best-case scenario, i.e. each VPN policy has only one remote subnet defined, the security appliance does not have that many rules, AV and CFS/CFL are not enabled, etc.

NOTE: SonicWALLs running SonicOS Standard or SonicOS Enhanced do not have this limitation and can be configured for the advertised number of VPN Policies.

Source: SonicWALL IKE / IPSec VPN Implementation FAQ