3.4.4.1 Start of an IKE MM SA Negotiation

As part of the construction of message #1, a CGA authentication-supporting host MUST include an "IKE CGA version 1" vendor ID payload (that is, a vendor ID payload generated by using the vendor ID string "IKE CGA version 1", as specified in [RFC2408] section 3.16) to advertise its CGA authentication capability.

If the PAD requires CGA authentication, the host MUST include the AUTH_CGA Authentication method in its SA payload, as specified in section 2.2.4.

The host MUST use its CGA to communicate with the peer for this negotiation.
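The following added example (not part of the specification text) builds the "IKE CGA version 1" vendor ID payload with the RFC 2408 generic payload header and shows how a receiver can walk the payload chain of message #1 to check for it. It assumes the vendor ID data is the MD5 hash of the string, which this section does not state; the function names and the sample payload chain are hypothetical and constructed for illustration.

```python
import hashlib
import struct

VID_STRING = b"IKE CGA version 1"  # vendor ID string named in this section
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VID = 0, 1, 13  # RFC 2408 payload types


def cga_vendor_id():
    # Assumption: VID data is the MD5 hash of the string; the section does
    # not name the hash, and RFC 2408 leaves the choice to the vendor.
    return hashlib.md5(VID_STRING).digest()


def build_payload(body, next_payload=PAYLOAD_NONE):
    # Generic payload header: next payload (1), reserved (1), length (2).
    # The length field counts the 4-byte header as well as the body.
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def iter_payloads(buf, first_type):
    """Walk a payload chain, yielding (type, body); reject bad lengths."""
    offset, ptype = 0, first_type
    while ptype != PAYLOAD_NONE:
        if len(buf) - offset < 4:
            raise ValueError("truncated payload header")
        next_type, _, length = struct.unpack_from("!BBH", buf, offset)
        if length < 4 or offset + length > len(buf):
            raise ValueError("payload length out of bounds")
        yield ptype, buf[offset + 4:offset + length]
        offset, ptype = offset + length, next_type


def peer_advertises_cga(buf, first_type=PAYLOAD_SA):
    # True if any vendor ID payload in the chain carries the CGA VID.
    expected = cga_vendor_id()
    return any(t == PAYLOAD_VID and body == expected
               for t, body in iter_payloads(buf, first_type))


def sample_payloads(include_cga=True):
    # Constructed input: placeholder SA body and a made-up second vendor ID.
    other = hashlib.md5(b"constructed example vendor").digest()
    sa = build_payload(b"\x00" * 8, PAYLOAD_VID)
    if not include_cga:
        return sa + build_payload(other)
    return sa + build_payload(other, PAYLOAD_VID) + build_payload(cga_vendor_id())
```

The bounds checks in `iter_payloads` matter on the receiving side: message #1 arrives unauthenticated, so every length field must be validated before it is used to slice the buffer.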