An IPsec security associations (SA) specifies security properties that are recognized by communicating hosts. Communicating hosts typically require two SAs to communicate securely. A single SA protects data in one direction — either to a single host or a group (multicast) address. Because most communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both directions.
The AH or ESP, destination IP address, and Security Parameter Index (SPI) identifies an IPsec SA. The security parameters index, an arbitrary 32-bit value, is transmitted with an AH or ESP packet. The ipsecah(7P) and ipsecesp(7P) man pages explain the extent of protection that is provided by AH and ESP. An integrity checksum value is used to authenticate a packet. If the authentication fails, the packet is dropped.
Security associations are stored in a security associations database. A socket-based administration engine, the pf_key(7P) interface, enables privileged applications to manage the database. The in.iked(1M)in.iked(1M) daemon provides automatic key management.
A security association contains keying information, algorithm choices, endpoint identities, and other parameters. Managing the keying material that SAs require for authentication and for encryption is called key management. The Internet Key Exchange (IKE) protocol handles key management automatically. You can also manage keys manually with the ipseckey(1M) command. Currently, SAs on IPv4 packets can use automatic key management, while SAs on IPv6 packets require manual management.
See IKE Overview for how IKE manages cryptographic keys automatically for IPv4 hosts. See Keying Utilities for how the administrator can manually manage the cryptographic keys by using the ipseckey command.