Phase 1 - ISAKMP
For manamgement purposes - negotiation of new keys, health status, variables
This is the management channel, and the first thing that gets created - the policy set, nothing but negotiation of param (how to secure, how to auth, encypt algo, key-lifetime).
This is an agreement of how to do crypto. If the policy param are OK on both sides, we have achevied Phase 1, if not the policy param needs to be checked out

show crypto isakmp sa

Phase 2 - IPSEC
The goal is to create IPSEC SA
The transform set - how to secure the end user data. When the transform set param are the same on both ends, we will then have 2 IPSEC SA (inbound and outbound)
If IPSEC is down, transform set needs to be checked.

When Phase 1 and Phase 2 are completed we will then have 3 SA:
1 for Phase 1 - Management (unidirectional traffic)
2 for Phase 2 - in and out for interesting traffic

show crypto ipsec sa

With each SA there will be an SPI associated with - security parameter index.

Layer 3 - IP
Layer 4 - ESP - no ports, but the same SPI for inbound traffic, and the same SPI for outbound traffic