A logical connection (tunnel) between two IPSec devices is known as an SA (Security Association). SAs are managed independently by the IPSec device. An SA consists of three values:
- Security Parameter Index (SPI): ID to distinguish multiple logical connections to the same target device with the same protocols
- Target IP address
- Security protocol used: designates the security protocol used for the connection, AH or ESP (further information will be provided on these protocols in the following sections).
An SA applies to only one communication direction of the connection (simplex). A complete send and receive connection therefore requires two SAs. In addition, an SA applies to only one protocol. If both AH and ESP are used, separate SAs are required for each protocol, i.e. two for each communication direction.
The SAs are managed in an internal database of the IPSec device that also contains the advanced connection parameters. These parameters include the algorithms and keys used, for example.
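The lookup this implies, as an added example that is not code from the original page: a minimal SA database keyed by the three values, with the SPI read from a received packet's ESP or AH header. The class and function names, the addresses and the SPI values are constructed for illustration; the SPI offsets follow the standard ESP and AH header layouts.

```python
import ipaddress
import struct
from dataclasses import dataclass

ESP, AH = 50, 51  # IP protocol numbers for ESP and AH

@dataclass(frozen=True)
class SA:
    spi: int      # Security Parameter Index
    dst: str      # target IP address
    proto: int    # ESP or AH
    params: dict  # advanced parameters: algorithms, keys, ...

class SAD:
    """SA database keyed by the triple (SPI, target IP, protocol)."""
    def __init__(self):
        self._entries = {}

    def add(self, sa):
        triple = (sa.spi, sa.dst, sa.proto)
        if triple in self._entries:
            raise ValueError(f"SA {triple} already exists")
        self._entries[triple] = sa

    def lookup(self, spi, dst, proto):
        return self._entries.get((spi, dst, proto))

def extract_spi(proto, header):
    """ESP carries the SPI in header bytes 0-3, AH in bytes 4-7."""
    offset = {ESP: 0, AH: 4}.get(proto)
    if offset is None or len(header) < offset + 4:
        raise ValueError("not a complete AH or ESP header")
    return struct.unpack_from("!I", header, offset)[0]

def sa_for_packet(sad, packet):
    """Return the SA for a raw IPv4 packet, or None if no SA matches."""
    if len(packet) < 20 or (packet[0] >> 4) != 4 or (packet[0] & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return sad.lookup(extract_spi(packet[9], packet[ihl:]), dst, packet[9])

def make_packet(src, dst, proto, spi):
    """Constructed sample: bare IPv4 header plus the start of an ESP/AH header."""
    src, dst = (ipaddress.IPv4Address(x).packed for x in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0, 0, 64, proto, 0, src, dst)
    esp = struct.pack("!II", spi, 1)             # SPI, sequence number
    ah = struct.pack("!BBHII", 4, 4, 0, spi, 1)  # next hdr, length, reserved, SPI, seq
    return ip + (esp if proto == ESP else ah)
```

Loading one SA per direction and per protocol gives four entries for a bidirectional AH plus ESP connection. A packet whose triple differs from every entry in any one value (direction, protocol or SPI) returns `None`.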