A logical connection (tunnel) between two IPSec devices is known as a Security Association (SA). SAs are managed independently by the IPSec device. An SA consists of three values:
- Security parameter index (SPI): ID to distinguish multiple logical connections to the same target device with the same protocols
- IP target address
- Security protocol used: Designates the security protocol used for the connection, normally ESP
An SA applies to only one communication direction of the connection (simplex). A complete send and receive connection requires two SAs. In addition, an SA applies to only one protocol.
The SAs are managed in an internal database of the IPSec device that also contains the advanced connection parameters. These parameters include the algorithms and keys used, for example.
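
The lookup described above, as an added example that is not part of the original page: a minimal SA database keyed by the (SPI, target address, protocol) triple, with the triple extracted from a raw IPv4 packet. The class and function names, the addresses, the SPIs and the stored parameters are constructed for illustration.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IANA IP protocol numbers for the two IPSec protocols

class SAD:
    """Minimal SA database keyed by (SPI, target address, protocol)."""
    def __init__(self):
        self._entries = {}

    def add(self, spi, dst, proto, params):
        self._entries[(spi, ipaddress.ip_address(dst), proto)] = params

    def lookup(self, packet):
        """Return the SA parameters for a raw IPv4 packet, or None if no SA matches."""
        key = sa_selector(packet)
        return self._entries.get(key) if key else None

def sa_selector(packet):
    """Extract the (SPI, target address, protocol) triple from a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    dst = ipaddress.ip_address(packet[16:20])
    # ESP starts with the SPI; AH has next header, length and reserved (4 bytes) first.
    offset = {ESP: 0, AH: 4}.get(proto)
    if offset is None or len(packet) < ihl + offset + 4:
        return None
    (spi,) = struct.unpack_from("!I", packet, ihl + offset)
    return spi, dst, proto

def build_packet(src, dst, proto, spi):
    """Constructed sample: IPv4 header (checksum left 0) plus SPI and sequence number."""
    body = struct.pack("!II", spi, 1)
    if proto == AH:
        body = struct.pack("!BBH", 4, 1, 0) + body  # next header, payload len, reserved
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + body

def demo_sad():
    sad = SAD()
    # One SA per direction: A -> B and B -> A are separate entries (constructed values).
    sad.add(0x1001, "192.0.2.2", ESP, {"dir": "A->B", "enc": "AES-GCM"})
    sad.add(0x2001, "192.0.2.1", ESP, {"dir": "B->A", "enc": "AES-GCM"})
    return sad
```

A packet that reuses an SPI toward the other endpoint, or with the other protocol, matches no entry, which is why a bidirectional tunnel needs two SAs and each protocol needs its own.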