
Security Associations

A security association (SA) is a set of IPsec specifications negotiated between devices that are establishing an IPsec relationship. These specifications include preferences for the type of authentication and encryption, and the IPsec protocol that is used to establish the IPsec connection. A security association is uniquely identified by a security parameter index (SPI), an IPv4 or IPv6 destination address, and a security protocol (AH or ESP).
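The identifying triple described above, worked through as a lookup of inbound packets against a security association database. This is an added example, not code from this documentation; the addresses, SPI value, and SA names are constructed, and IPv6 extension headers are not handled.

```python
import ipaddress
import struct

ESP, AH = 50, 51  # IANA IP protocol numbers

def sa_selector(packet: bytes):
    """Return the (spi, destination, protocol) triple that identifies the SA."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        proto = packet[9]
        dst = ipaddress.ip_address(packet[16:20])
        payload = packet[ihl:]
    elif version == 6:
        proto = packet[6]               # next header; extension headers not handled
        dst = ipaddress.ip_address(packet[24:40])
        payload = packet[40:]
    else:
        raise ValueError("not an IP packet")
    if proto == ESP:
        offset = 0                      # ESP: SPI is the first 32 bits
    elif proto == AH:
        offset = 4                      # AH: next header, length, reserved, then SPI
    else:
        raise ValueError("not an IPsec packet")
    if len(payload) < offset + 4:
        raise ValueError("truncated IPsec header")
    (spi,) = struct.unpack_from("!I", payload, offset)
    return spi, dst, proto

def lookup(sad: dict, packet: bytes):
    """Find the SA for an inbound packet; None means no SA matches (drop)."""
    return sad.get(sa_selector(packet))

def ipv4(dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (constructed sample, checksum left zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.ip_address("192.0.2.1").packed,
                         ipaddress.ip_address(dst).packed)
    return header + payload

# Constructed SAD: the same SPI under a different protocol is a different SA.
SAD = {
    (0x1000, ipaddress.ip_address("198.51.100.7"), ESP): "esp-sa-to-198.51.100.7",
    (0x1000, ipaddress.ip_address("198.51.100.7"), AH): "ah-sa-to-198.51.100.7",
}
ESP_PKT = ipv4("198.51.100.7", ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)
AH_PKT = ipv4("198.51.100.7", AH, struct.pack("!BBHII", 6, 4, 0, 0x1000, 1) + b"\x00" * 12)
STRAY = ipv4("198.51.100.8", ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16)
```

`STRAY` carries a known SPI but a destination address with no entry, so the lookup returns no SA: all three fields of the triple must match.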

IPsec security associations are established either manually through configuration statements, or dynamically by Internet Key Exchange (IKE) negotiation. In the case of manually configured security associations, the connection is established when both ends of the tunnel are configured, and the connections last until one of the endpoints is taken offline. In the case of dynamic security associations, you can configure when connections are to be established: immediately after both ends of the tunnel are configured, or only when traffic is sent through the tunnel. Dynamic connections dissolve after a preset amount of time or traffic. You can configure unidirectional security associations (separate security associations for incoming and outgoing traffic) or bidirectional security associations (one security association for both incoming and outgoing traffic).

