Is a security association (SA) implemented in ESP and AH protocols?

I’m reading about security associations. I’ve understood that an SA is a virtual connection between a client and a server, in which all the security parameters, such as encryption algorithm, IP origin and source, HMAC algorithm… are defined.

My question is: is an SA implemented when using the AH and ESP protocols, or only in ESP when confidentiality is required?

And there goes another question: How does the router know whether to use IPsec or not? By using the protocol field in the IP header?