IPSec SAs are identifiers used locally by each IPSec peer for relevant information used to secure network communications. When two IPSec peers decide to establish IPSec connectivity, they must agree many parameters. IPSec Security Associations (IPSec SAs) can negotiate a number of security parameters between two IPSec peers to establish and maintain the IPSec tunnel.
Each IPSec peer will have at least two SAs (one inbound other outbound direction) for a peer.
A Security Association is uniquely identified by following three items.
1) Security Parameter Index (SPI): IPSec Security Parameter Index (SPI) is a unique 32-bit value that identifies the SA.
2) The Security Protocol (AH or ESP)
3) Destination IP Address