3.10.4.1 New Connection Initiated

  • Article

If the IsAuthenticatedFirewallConnection flag is set to TRUE in the connection state table entry corresponding to the connection, the first packet of every new connection (that is, the first packet sent by the connection initiator after creating the new entry in the connection state table) MUST be sent twice: initially with IPSec encapsulation and then again without IPSec encapsulation. These messages are known as the ESP SYN and cleartext SYN messages, respectively.<21>

Whenever a non-cleartext packet is sent using Authenticated Firewall (authFW) mode, the format MUST be as follows:

  • If the selected encapsulation in the SAD (section 3.1.1) for the SA associated with the connection ([RFC4301] section 4.4.2.2) is IPSEC_TRANSPORT_AUTH_FW, then the encapsulation format MUST be the standard IPSec ESP transport encapsulation of the original packet, as specified in [RFC2406].

  • If the selected encapsulation in the SAD (section 3.1.1) for the SA associated with the connection ([RFC4301] section 4.4.2.2) is IPSEC_TRANSPORT_UDP_AUTH_FW, then the encapsulation format MUST be the standard IPSec UDP ESP transport encapsulation of the packet, as specified in [RFC3948].