If there are multiple hops from data endpoint to data endpoint, there might be Security Associations between any two hosts along the path. For example, the data might be authenticated from a host to the secure gateway, then encrypted for transportation over the Internet, then possibly authenticated and encrypted from the second secure gateway to the host on the other side, as shown in Figure 1:
Figure 1. Cascaded tunnels