SA - Security Association

Security Association

An SA is responsible for initially setting up the parameters for traffic protection used in a VPN.

An SA consists of two components:

The first component transfers:

  • The encryption and authentication algorithms to be used to protect network traffic
  • Key lifetimes
  • (Optionally, if Perfect Forward Secrecy (PFS) is enabled) the Diffie-Hellman-Merkle exchange

The second component transfers:

  • The policies that define which network traffic will use that SA (there are at least two)

Either peer can be the initiator of the SA; it does not have to be the same peer that initiated the VPN or Secure Channel.
