Understanding IPsec SA (Security Association) Establishment
IPsec (IP Security) provides encrypted communication over IP networks.
Security Associations (SAs) define encryption, authentication, and key parameters for IPsec tunnels.
Two IPsec SA Modes:
1️⃣ Manual Mode:
All parameters (keys, encryption methods, authentication settings) must be manually configured.
Keys do not change automatically, which makes this mode less secure.
2️⃣ IKE (Internet Key Exchange) Auto-Negotiation Mode:
Uses IKE Phase 1 and Phase 2 to automatically negotiate, generate, and exchange keys.
Keys are periodically refreshed, increasing security.
Uses Diffie-Hellman (DH) key exchange for secure key generation.
Why is Answer D Incorrect?
❌ D. SAs established in both manual and IKE auto-negotiation modes can be dynamically updated.
Incorrect: In manual mode, the IPsec SA is static and does not support dynamic updates.
Correct behavior: Only IKE auto-negotiation mode supports dynamic re-keying and SA updates.
✅ Reference: Huawei HCIE-Datacom Guide – IPsec SA Modes and IKE Negotiation
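
The difference between the two modes shows up directly in device configuration, so it can be audited. The following is an added example, not taken from the referenced guide: a small Python check that reads IPsec policy stanzas and reports which ones create static (manual) SAs that never rekey. The stanza syntax is assumed to follow Huawei VRP-style `ipsec policy <name> <seq> manual|isakmp`; the sample configuration, policy names, and addresses are constructed.

```python
import re

# Constructed sample in assumed Huawei VRP-style syntax (not from the page).
SAMPLE_CONFIG = """\
ipsec policy branch 10 manual
 security acl 3000
 proposal tran1
 tunnel local 192.0.2.1
 tunnel remote 198.51.100.1
 sa spi inbound esp 54321
 sa spi outbound esp 12345
ipsec policy branch 20 isakmp
 security acl 3001
 ike-peer hq
 proposal tran1
 sa duration time-based 3600
ipsec policy lab 10 isakmp
 security acl 3002
 ike-peer lab
"""

HEADER = re.compile(r"^ipsec policy (\S+) (\d+) (manual|isakmp)\s*$")
LIFETIME = re.compile(r"^\s+sa duration time-based (\d+)\s*$")

def audit_ipsec_policies(config_text):
    """Return one finding dict per IPsec policy entry in the config."""
    findings, current = [], None
    for line in config_text.splitlines():
        m = HEADER.match(line)
        if m:
            mode = m.group(3)
            # Only IKE-negotiated (isakmp) SAs are refreshed dynamically.
            current = {"policy": m.group(1), "seq": int(m.group(2)), "mode": mode,
                       "rekeys": mode == "isakmp", "lifetime_s": None}
            findings.append(current)
        elif not line.startswith(" "):
            current = None  # left the policy stanza
        elif current and current["mode"] == "isakmp":
            m = LIFETIME.match(line)
            if m:  # explicit per-policy SA lifetime; None means not set here
                current["lifetime_s"] = int(m.group(1))
    return findings

def static_key_policies(config_text):
    """Policies whose SAs keep the same keys until an operator changes them."""
    return [(f["policy"], f["seq"]) for f in audit_ipsec_policies(config_text)
            if not f["rekeys"]]

if __name__ == "__main__":
    for f in audit_ipsec_policies(SAMPLE_CONFIG):
        note = "dynamic rekey via IKE" if f["rekeys"] else "STATIC keys, no rekey"
        print(f"{f['policy']} {f['seq']}: {f['mode']:<7} {note}")
```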