USG firewall security association
What is security association (SA)?
The IPSec SA is a unidirectional logical connection created for security purposes. Because an SA is unidirectional, bidirectional communication requires an IPSec SA in each direction. The number of SAs depends on the security protocol. If either AH or ESP is used to protect traffic between peers, two SAs, one in each direction, exist between the peers. If both AH and ESP are used, four SAs, two in each direction (one for AH and one for ESP), exist between the peers. Therefore, an IPSec SA is not equivalent to a connection.
The IPSec SA is uniquely identified by a triplet. The triplet includes the following elements:
Security Parameter Index (SPI)
The SPI is a 32-bit value that is generated to uniquely identify an SA. The SPI is carried in the AH and ESP headers. The SPI, destination IP address, and security protocol number uniquely identify an IPSec SA.
Destination IP address
Security protocol number (AH or ESP)
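The SA counting and identification rules above, as an added worked example (not code from the original page or from the USG product): a peer pair gets one SA per protocol per direction, and an inbound packet is matched to its SA by reading the (SPI, destination IP, protocol) triplet from its headers. The peer addresses, SPI values and packet bytes are constructed for the example.

```python
import ipaddress
import struct
from dataclasses import dataclass

AH, ESP = 51, 50  # IP protocol numbers of the two IPsec security protocols


@dataclass(frozen=True)
class SaKey:  # the triplet that uniquely identifies an IPsec SA
    spi: int
    dst: str
    proto: int


def build_sa_keys(peer_a, peer_b, protocols, spi_base=0x1000):
    """One unidirectional SA per protocol per direction; SPIs here are constructed."""
    keys, spi = [], spi_base
    for proto in protocols:
        for dst in (peer_b, peer_a):  # a->b traffic is matched by dst b, and vice versa
            keys.append(SaKey(spi, dst, proto))
            spi += 1
    return keys


def make_ipsec_packet(src, dst, proto, spi):
    """Constructed IPv4 packet with a minimal AH or ESP header (no ICV, no payload)."""
    if proto == ESP:
        body = struct.pack("!II", spi, 1)              # ESP: SPI, sequence number
    else:
        body = struct.pack("!BBHII", 4, 4, 0, spi, 1)  # AH: next hdr, len, reserved, SPI, seq
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + body


def sa_key_from_packet(pkt):
    """Read (SPI, destination IP, protocol) from an inbound packet's headers."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, dst = pkt[9], str(ipaddress.IPv4Address(pkt[16:20]))
    if proto == ESP:
        spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]       # SPI is the first ESP field
    elif proto == AH:
        spi = struct.unpack("!I", pkt[ihl + 4:ihl + 8])[0]   # SPI follows next hdr/len/reserved
    else:
        raise ValueError("not an AH or ESP packet")
    return SaKey(spi, dst, proto)


def lookup_sa(keys, pkt):
    """Select the SA for a packet; None means no SA exists and the packet is dropped."""
    key = sa_key_from_packet(pkt)
    return key if key in keys else None
```

With both AH and ESP configured, `build_sa_keys` returns four entries, and a packet whose SPI was never negotiated returns None even though its destination and protocol match an existing SA.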
Creation mode
The IPSec SA is classified into two types: an SA that is created manually and an SA that is created through IKE automatic negotiation (isakmp). The major differences between the two types of SAs are as follows:
Different key generation modes
In manual mode, all parameters required by the IPSec SA, including encryption and verification keys, are manually configured or manually updated.
In IKE mode, encryption and verification keys required by the IPSec SA are generated by the DH algorithm and can be dynamically updated. The key management cost is low and the security is high.
Different IPSec SA lifetimes
In manual mode, once an IPSec SA is created, it permanently exists.
In IKE mode, the IPSec SA establishment is triggered by the data flow, and the SA lifetime is controlled by lifetime parameters configured on both ends.