Security Association - IPsec VPN Tutorial
Security Association (SA) is an agreement or a contract between two IPsec peers or endpoints. The SA contains all the information required for the two peers to exchange data securely. In particular IKE SA’s are used to specify the type of authentication and which Diffie-Hellman group to use. SA's contain the parameters that the peer VPN gateway device will use to encrypt and authenticate data.
Security Association is a one way logical connection so we need two SA’s to establish a VPN IPsec tunnel, one for inbound traffic and one for outbound traffic on each VPN gateway device.
Further Reading
Wikipedia's guide to Security Association