Recently I did a dive into IPsec and the related RFCs describing the techniques used to set up a site-to-site tunnel. The RFCs I've been reading are quite clear. However, there's one thing I can't seem to put my finger on. From what I know, the phase 1 ISAKMP Security Association (SA) is unidirectional. This tunnel is then used to set up two unidirectional tunnels (https://tools.ietf.org/html/rfc4301 Section 4.1).

Does anyone know why these IPsec SAs are unidirectional? Usually the RFC describes some reasoning behind certain design decisions. However, I can't seem to find a justification other than "It's by design".

On the Internet, however, I read that the two-SA requirement was chosen from a security perspective: if the key material of one of the SAs leaks, only one direction of the traffic can be inspected by a third party. The problem with this reasoning is that I can't seem to find an additional source claiming the same thing. Therefore, I'm not sure whether it's true.