Security Association (SA)

Security Association (SA)

The concept of Security Associations (SAs) is fundamental to understanding and configuring IPSec. An SA is a relationship between two or more potential VPN endpoints, which describes how those endpoints will use security services (technologies and protocols) to communicate securely. In establishing each secure communication connection, IPSec can provide services for encryption, integrity, and/or authenticity services. Once the services are selected, the two IPSec peers must determine exactly which algorithms to use for each service, such as DES or 3DES for encryption and MD5 or SHA for data integrity.

Once the services are selected and the algorithms chosen to implement those services, the two peers must exchange or implement session keys required by the algorithms. Is this beginning to sound complicated? How can you keep track of all these choices and decisions? The security association is the mechanism IPSec uses to manage these decisions and choices for each IPSec communication session. A basic component of configuring IPSec services on a client, router, firewall, or VPN concentrator is defining SA parameters.

IKE SAs versus IPSec SAs

The next section shows you that two types of SAs are used in configuring IPSec, just as there are two stages in establishing IPSec. IKE SAs describe the security parameters between two IKE devices, the first stage in establishing IPSec. IPSec SAs pertain to the actual IPSec tunnel, the second stage.

At the IKE level, a single IKE SA is established to handle secure communications both ways between the two peers. The following is an example of the type of information that would be included in an IKE SA.



Authentication method used


Encryption and hash algorithm


DH group used


Lifetime of the IKE SA in seconds or kilobytes


Shared secret key values for the encryption algorithms


At the IPSec level, SAs are unidirectional—one for each direction. A separate IPSec SA is established for each direction of a communication session. Each IPSec peer is configured with one or more SAs, defining the security policy parameters to use during an IPSec session. To establish an IPSec session, peer 1 sends peer 2 a policy. If peer 2 can accept this policy, it sends the policy back to peer 1. This establishes the two one-way SAs between the peers.

IPSec Security Association (SA)

Each IPSec SA consists of security parameter values, such as a destination address, a unique security parameter index (SPI), the IPSec transforms used, the security keys, and additional attributes, such as IPSec lifetime. The SPI value becomes a unique record identifier (key field) linked to the SA parameters in the Security Parameter Databases in the RAM of peer devices.

Each IPSec SA consists of values such as



Peer (destination) address

Security parameter index (SPI)


IPSec transforms used


Security keys


Additional attributes (such as IPSec lifetime)


Part III: Virtual Private Networks (VPNs)