Security associations (SA) in IPsec VPNs

The settings that are used for a tunnel are stored in Security Associations (SAs). There are two SAs for each IPsec VPN tunnel: one for outgoing traffic and one for incoming traffic.

For any communications to be able to use the VPN, the gateways must construct and maintain the VPN tunnels. The gateways negotiate which settings to use between each other. The gateways store this information so that it can be used for handling the traffic throughout the lifetime of the VPN tunnel.

Each SA is identified by a security parameter index (SPI), so the term SPI is sometimes used when referring to SAs in IPsec VPNs.

For security reasons, each SA has an expiration time. After the expiration time, the gateways discard the old SAs and agree on new ones if there is still traffic going through the VPN.
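The following is an added illustration, not code from this documentation or from any VPN product: a minimal model of a gateway's SA store that holds the two SAs of a tunnel, matches an inbound ESP packet to its SA by the SPI carried in the ESP header, and discards an SA once its lifetime has passed. The SPI values, peer name and lifetime are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

@dataclass
class SecurityAssociation:
    spi: int           # security parameter index that identifies this SA
    direction: str     # "in" (incoming traffic) or "out" (outgoing traffic)
    peer: str          # remote gateway this SA was negotiated with
    expires_at: float  # time (seconds) after which the SA is discarded

class SADatabase:
    """Per-gateway store of SAs, keyed by SPI so an incoming packet can be matched."""
    def __init__(self):
        self._by_spi = {}

    def install_tunnel(self, peer, spi_in, spi_out, now, lifetime):
        """One IPsec tunnel = two SAs: one for incoming and one for outgoing traffic."""
        for spi, direction in ((spi_in, "in"), (spi_out, "out")):
            self._by_spi[spi] = SecurityAssociation(spi, direction, peer, now + lifetime)
        return self._by_spi[spi_in], self._by_spi[spi_out]

    def lookup(self, spi, now):
        """Return the live SA for an SPI, discarding it if its lifetime has passed."""
        sa = self._by_spi.get(spi)
        if sa is not None and now >= sa.expires_at:
            del self._by_spi[spi]  # expired: the gateways must negotiate a new SA
            return None
        return sa

def parse_esp_spi(packet):
    """ESP header (RFC 4303) starts with a 4-byte SPI and a 4-byte sequence number."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", packet[:8])
    return spi, seq

def classify_inbound(db, packet, now):
    """Map an inbound ESP packet to its SA; None means no usable SA (drop, or rekey)."""
    spi, _seq = parse_esp_spi(packet)
    sa = db.lookup(spi, now)
    if sa is None or sa.direction != "in":
        return None
    return sa

# Constructed sample values: SPIs and lifetime are made up for this demonstration.
SPI_IN, SPI_OUT, LIFETIME = 0xC0FFEE01, 0xC0FFEE02, 3600
ESP_PACKET = struct.pack("!II", SPI_IN, 1) + b"\x00" * 16  # SPI, seq=1, dummy payload
```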