Hello! In this video we'll explain IPsec security associations, which hold the algorithms and parameters to encrypt and authenticate a flow of IPsec packets from source to destination.

Since IPsec is able to encrypt and authenticate network packets, it needs to decide which algorithms and keys will be used for encryption and authentication. For this purpose it uses the so-called Internet Security Association and Key Management Protocol, which is abbreviated as ISAKMP. This protocol allows the source and destination to select the algorithms and generate the keys before the first normal packet is exchanged. ISAKMP uses UDP port 500.

These algorithms and keys are stored by the sender as well as the receiver as parameters which define how all remaining packets between the sender and receiver will be encoded and decoded. A set of possible algorithms is defined in RFC 7321. The main security parameters tell which authentication algorithm is used, for example HMAC-SHA1-96, and what the authentication key for that algorithm is; and which encryption algorithm is used, for example AES-CBC, and what the encryption key for that algorithm is. The parameters are stored by source and destination in the so-called security association databases, together with the remote IP address and the kind of IPsec protocol, thus AH or ESP.

The security parameter index, abbreviated as SPI, points to this set of database values. The SPI is included by the source in the header part of each IPsec packet. The IPsec packet is then transferred from source to destination. Upon reception of an IPsec packet, the receiver uses this SPI to identify this specific security association and retrieve the related parameters.

Note that per direction one security association is needed. For a typical full-duplex IPsec connection, therefore, two security associations are needed. In principle it is even possible to run IPsec AH within ESP, in which case four security associations should be established. Such a combination is rather weird, however.

In this video we have discussed IPsec security associations. We have seen that for each association a number of parameters are maintained. These parameters are identified by a security parameter index. This index is included in each IPsec packet and used by the receiver to determine the keys and algorithms to decode the packet.
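
The receiver-side lookup described above, as an added example that is not part of the original video: a small security association database keyed by SPI, remote IP address and IPsec protocol, with the SPI read from the ESP or AH header. The class and function names, the addresses, the SPI value and the placeholder keys are constructed for illustration; the SPI offsets follow the standard ESP and AH header layouts.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ESP, AH = 50, 51              # IP protocol numbers
SPI_OFFSET = {ESP: 0, AH: 4}  # ESP starts with the SPI; AH has 4 bytes before it

@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    remote_ip: str                   # peer address stored with the SA
    protocol: int                    # ESP or AH
    auth_alg: str
    auth_key: bytes
    enc_alg: Optional[str] = None    # AH carries no encryption
    enc_key: Optional[bytes] = None

def extract_spi(protocol: int, payload: bytes) -> int:
    """Return the 32-bit SPI from the start of an ESP or AH header."""
    if protocol not in SPI_OFFSET:
        raise ValueError("not an IPsec protocol")
    offset = SPI_OFFSET[protocol]
    if len(payload) < offset + 8:    # SPI plus sequence number must be present
        raise ValueError("truncated IPsec header")
    return struct.unpack_from("!I", payload, offset)[0]

class SADatabase:
    def __init__(self):
        self._sas = {}

    def add(self, sa: SecurityAssociation) -> None:
        key = (sa.spi, sa.remote_ip, sa.protocol)
        if key in self._sas:
            raise ValueError("SPI already in use for this peer and protocol")
        self._sas[key] = sa

    def lookup(self, src_ip: str, protocol: int, payload: bytes):
        """Receiver side: map an incoming packet to its SA, or None (drop)."""
        return self._sas.get((extract_spi(protocol, payload), src_ip, protocol))

# Constructed sample: host B's inbound SA for ESP traffic sent by host A.
# Keys are placeholder bytes, not real key material.
sad_b = SADatabase()
sad_b.add(SecurityAssociation(0x1001, "192.0.2.1", ESP, "HMAC-SHA1-96",
                              b"\x01" * 20, "AES-CBC", b"\x02" * 16))
esp_packet = struct.pack("!II", 0x1001, 1) + b"<ciphertext>"        # SPI, seq, body
ah_packet = struct.pack("!BBHII", 6, 4, 0, 0x1001, 1) + bytes(12)   # AH header + ICV
```

A packet whose SPI, source address or protocol does not match a stored entry returns `None`, which is the case where the receiver has no keys or algorithms with which to decode it.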