The range of SPI is 256 to 16383. The default is 0. I am afraid SPI itself is not sufficient to uniquely identify a SA. That’s why a SA is uniquely identified by the three items:
- Security Parameter Index (SPI)
- Security Protocol (AH or ESP)
- Destination IP Address
It’s similar to the concept of a composite key in the relational database.
Thank you, Chaudhary, to supplement the details: