1.3.12 IPsec Security Realm (IKEv2 transport mode)

An IPsec Security Realm defines per-application IPsec policies and the set of related applications whose network traffic is secured by these policies. The security realm refers to the common set of crypto settings used for IPsec SA negotiation, and the credentials used for authentication. Details of this extension are specified in section 3.14.

This extension is used by two IKEv2 peers negotiating transport mode SAs for scenarios involving per-application IPsec policies. This extension uses a vendor ID payload called "MSFT IPsec Security Realm Id". The vendor ID payload is associated with a 16-byte identifier. This identifier is used as an optional selector to choose an appropriate IPsec policy for negotiation.

If the initiator's message for negotiating the child SA does not carry an "MSFT IPsec Security Realm Id" vendor ID, but the parent IKE SA is associated with a security realm policy, the responder discards the message and the child SA negotiation fails.
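As an added illustration, not taken from the specification or from any Microsoft IKEv2 implementation, the following Python models the responder's selector and discard logic. The vendor ID payload is represented as a vendor name plus the 16-byte identifier (its wire encoding is not given in this section), and the SA and policy-table structures are assumed.

```python
"""Responder-side security-realm check, as a constructed model.

Assumptions (not from the spec): the vendor ID payload is a (vendor, data)
pair, the parent IKE SA records the realm it was negotiated under, and
per-application policies live in a dict keyed by the 16-byte realm id.
"""
from dataclasses import dataclass, field
from typing import Optional

MSFT_REALM_VID = "MSFT IPsec Security Realm Id"  # vendor ID name from the spec


@dataclass
class VendorIdPayload:
    vendor: str
    data: bytes  # for MSFT_REALM_VID this is the 16-byte realm identifier


@dataclass
class IkeSa:
    """Parent IKE SA; realm_id is set when it is bound to a realm policy."""
    realm_id: Optional[bytes] = None


@dataclass
class ChildSaRequest:
    """Child SA negotiation message, reduced to the vendor ID payloads."""
    vendor_ids: list = field(default_factory=list)


def realm_id_from(msg: ChildSaRequest) -> Optional[bytes]:
    """Return the realm selector carried in the message, or None if absent."""
    for vid in msg.vendor_ids:
        if vid.vendor == MSFT_REALM_VID:
            if len(vid.data) != 16:
                raise ValueError("realm identifier must be exactly 16 bytes")
            return vid.data
    return None


def select_child_policy(parent: IkeSa, msg: ChildSaRequest, policies: dict):
    """Pick the IPsec policy for the child SA, or None to discard the message.

    `policies` maps realm_id -> policy; the key None holds the policy used
    when no realm selector is present.
    """
    realm = realm_id_from(msg)
    if realm is None and parent.realm_id is not None:
        return None  # parent SA is realm-bound but no selector: discard, negotiation fails
    return policies.get(realm)  # the 16-byte id is an optional policy selector
```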