Understanding IPsec Security Associations (SAs)

A security association (SA) is a unidirectional agreement between the VPN participants regarding the methods and parameters to use in securing a communication channel. Full bidirectional communication requires at least two SAs, one for each direction.

An SA groups together the following components for securing communications:

• Security algorithms and keys
• Protocol mode, either Transport or Tunnel (see Understanding IPsec Operational Modes)
• Key-management method, either manual key or AutoKey IKE (see Understanding IPsec Key Management )
• SA lifetime

For outbound VPN traffic, the policy invokes the SA associated with the VPN tunnel. For inbound traffic, JUNOS software looks up the SA by using the following triplet:

• Destination IP
• Security protocol, either AH or ESP (see Understanding IPsec Security Protocols)
• Security parameter index (SPI) value

In SRX-series services gateways, the IKE provides tunnel management for IPsec and authenticates end entities . The IKE performs a Diffie-Hellman key exchange to establish an IPsec tunnel between network devices.

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.