If AH and ESP are both required to protect data streams between IPsec peers, how many Security Associations (SAs) are required in total?
When both AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols are required to protect data streams between IPsec peers, each protocol demands separate SAs for inbound and outbound traffic. This results in needing 2 SAs for AH (one for inbound and one for outbound) and 2 SAs for ESP (one for inbound and one for outbound), totaling 4 SAs.
If you use either AH or ESP to protect traffic between two peers, two SAs are required to protect incoming and outgoing flows. If you use both AH and ESP to protect traffic between two peers, four SAs are required, two for each protocol.
https://support.huawei.com/enterprise/es/doc/EDOC1100037956?section=j006&topicName=basic-concepts-of-ipsec