Security Associations (SAs) are the basis for establishing a VPN tunnel between two networks. Parameters defined by an SA include:
- Source and destination network IP addresses
- Encryption, integrity check and authentication methods
- The key for the connection
- The key's lifetime
Security Associations are defined by automatically or manually generated VPN rules (see also the reference manual).
The establishment of Security Associations is normally initiated by an IP packet which is to be sent from a source network to a destination network. With keep-alive connections, this is an ICMP packet which is sent to the remote site by an entry in the polling table.
In complex network scenarios it is possible for multiple network relationships to be defined between two VPN gateways. If a single IP packet is transferred, then the SAs are established for this single packet and its corresponding network relationship only. To establish the other SAs, IP packets matching the other network relationships are needed.
It takes time to establish SAs based on data packets, and this can lead to the loss of packets as long as the SAs are not yet installed. This is often an undesirable side effect, particularly with keep-alive connections. Instead, all SAs relevant to the network relationships defined in the remote site should be established immediately. However, since the negotiation of SAs can make heavy demands on CPU performance—particularly in complex scenarios—the behavior can be defined with the parameter "Establish SAs collectively".
- Establish SAs collectively
- Yes: All SAs defined in the device will be established.
- No [default]: Only the SA which corresponds explicitly to a packet waiting for transfer is established.
- Only with KeepAlive: All of the defined SAs will be established for remote stations in the VPN connection list with a hold time set to '9999' (Keep Alive).
WEBconfig: LCOS menu tree / Setup / VPN
The SAs currently in effect can be seen under /Status/VPN.
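The following model illustrates the trade-off described above. It is an added example written for this page, not LCOS code, and it makes three labelled assumptions: "all SAs" means all VPN rules that belong to the same remote site as the triggering packet; an SA negotiation takes a fixed number of time units; and packets that arrive while no matching SA is installed are lost rather than queued. The remote site names, networks, and traffic schedule are constructed sample values. Running it shows how many packets are lost with "Establish SAs collectively" set to No, Yes, and Only with KeepAlive when traffic for a second network relationship starts while the first SA is still being negotiated.

```python
from dataclasses import dataclass, field

# Hold time that marks a remote site as "Keep Alive" in the VPN connection list.
KEEPALIVE_HOLD_TIME = 9999


@dataclass(frozen=True)
class NetworkRelationship:
    """One VPN rule: a local/remote network pair behind a given remote gateway."""
    remote: str
    src_net: str
    dst_net: str


@dataclass
class Gateway:
    mode: str                                   # "no", "yes" or "only_keepalive"
    hold_times: dict[str, int]                  # remote site -> hold time (seconds)
    rules: list[NetworkRelationship]
    negotiation_ticks: int = 2                  # assumed duration of one SA negotiation
    pending: dict[NetworkRelationship, int] = field(default_factory=dict)
    installed: set[NetworkRelationship] = field(default_factory=set)
    sent: int = 0
    lost: int = 0

    def sas_to_establish(self, trigger: NetworkRelationship) -> set[NetworkRelationship]:
        """Which SAs a packet for `trigger` causes to be negotiated.
        Assumption: 'all SAs' means every rule belonging to the same remote
        site as the triggering packet."""
        same_remote = {r for r in self.rules if r.remote == trigger.remote}
        if self.mode == "yes":
            return same_remote
        if self.mode == "only_keepalive" and \
                self.hold_times[trigger.remote] == KEEPALIVE_HOLD_TIME:
            return same_remote
        return {trigger}

    def tick(self, packets: list[NetworkRelationship]) -> None:
        """Advance one time unit: finish running negotiations, then handle packets."""
        for rule in list(self.pending):
            self.pending[rule] -= 1
            if self.pending[rule] <= 0:
                del self.pending[rule]
                self.installed.add(rule)
        for rule in packets:
            if rule in self.installed:
                self.sent += 1
                continue
            # No usable SA yet: the packet is lost (assumption: not queued), and if
            # nothing is being negotiated for this rule it triggers the negotiation.
            self.lost += 1
            if rule not in self.pending:
                for sa in self.sas_to_establish(rule):
                    if sa not in self.installed and sa not in self.pending:
                        self.pending[sa] = self.negotiation_ticks


# Constructed sample: two network relationships to a keep-alive site "branch-a"
# and one to an on-demand site "branch-b".
RULES = [
    NetworkRelationship("branch-a", "10.1.0.0/24", "192.168.1.0/24"),
    NetworkRelationship("branch-a", "10.2.0.0/24", "192.168.2.0/24"),
    NetworkRelationship("branch-b", "10.1.0.0/24", "192.168.3.0/24"),
]
HOLD_TIMES = {"branch-a": KEEPALIVE_HOLD_TIME, "branch-b": 0}
A1, A2, B1 = RULES

# Constructed traffic, one packet list per tick: traffic for the second
# relationship (A2) starts while the SA for A1 is still being negotiated.
SCHEDULE = [[A1], [A1], [A2], [A1], [A2], [A2], [A2]]


def simulate(mode: str, schedule: list[list[NetworkRelationship]]) -> tuple[int, int]:
    """Run the traffic schedule through a fresh gateway; returns (sent, lost)."""
    gw = Gateway(mode=mode, hold_times=dict(HOLD_TIMES), rules=list(RULES))
    for packets in schedule:
        gw.tick(packets)
    return gw.sent, gw.lost


if __name__ == "__main__":
    for mode in ("no", "yes", "only_keepalive"):
        sent, lost = simulate(mode, SCHEDULE)
        print(f"{mode:15s} sent={sent} lost={lost}")
```

With the default setting (No), the packets for the second network relationship trigger a separate negotiation and are lost until it completes; with Yes or, for a keep-alive site, Only with KeepAlive, both SAs to the remote are negotiated on the first packet, so the later relationship is already installed when its traffic starts. The cost is that every SA of the remote is negotiated at once, which is the CPU load the manual warns about in complex scenarios.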