

3.1.4.1 IP Traffic Match SPD Protect-using-IPsec Rule

When inbound or outbound packets trigger AuthIP negotiation based on standard IPsec processing rules ([RFC4301] section 5), the protocol acts as the initiator for this negotiation and sends message #1 of the first main mode (MM) exchange (section 3.2.4). The initiator MUST create a main mode security association (MM SA) entry in its main mode security association database (MMSAD) containing encryption algorithm, hash algorithm, group description, life type, and life duration values before sending message #1.

In the new MMSAD entry, the initiator MUST also copy the values "Require Impersonation MM" and "Require Impersonation EM" from the SPD to the Impersonation active MM and Impersonation active EM flags, and copy the ImpersonationHandle value representing the user that generated the traffic to ImpersonationHandle.
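The initiator-side bookkeeping described in this section, modelled as an added example (not code from the specification or from any Windows implementation): an SPD lookup in the RFC 4301 sense, followed by creation of the MMSAD entry, with the impersonation flags and handle copied from the SPD rule, before message #1 is sent. The `SpdEntry` and `MmSaEntry` field names, the proposal values, and keying the MMSAD by peer address are all simplifying assumptions made for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed SPD entry: one destination selector plus the AuthIP-specific
# impersonation flags (field names are assumptions, not the spec's).
@dataclass
class SpdEntry:
    remote_net: str                 # e.g. "10.0.0.0/24"
    action: str                     # "DISCARD", "BYPASS" or "PROTECT" (RFC 4301 s.5)
    require_impersonation_mm: bool = False
    require_impersonation_em: bool = False

# Constructed MM SA entry holding the values this section says MUST be present
# before message #1 is sent.
@dataclass
class MmSaEntry:
    peer: str
    encryption_alg: str
    hash_alg: str
    group_desc: int
    life_type: str
    life_duration: int
    impersonation_active_mm: bool
    impersonation_active_em: bool
    impersonation_handle: Optional[str]

def spd_lookup(spd: list, dst: str) -> Optional[SpdEntry]:
    """First-match SPD lookup on the destination address; None if no rule matches."""
    return next((r for r in spd if ip_address(dst) in ip_network(r.remote_net)), None)

def on_outbound_packet(dst: str, spd: list, mmsad: dict, impersonation_handle: Optional[str]):
    """Return (decision, entry): "DISCARD"/"BYPASS" need no SA, "USE_SA" reuses an
    existing MM SA, and "SEND_MM1" means a new MM SA was created and message #1
    may now go out.  The MMSAD is keyed by peer address here for simplicity."""
    rule = spd_lookup(spd, dst)
    if rule is None or rule.action == "DISCARD":   # no match: default discard
        return "DISCARD", None
    if rule.action == "BYPASS":
        return "BYPASS", None
    if dst in mmsad:                               # existing MM SA, no negotiation
        return "USE_SA", mmsad[dst]
    entry = MmSaEntry(peer=dst, encryption_alg="ASSUMED-ENC", hash_alg="ASSUMED-HASH",
                      group_desc=0, life_type="seconds", life_duration=28800,
                      impersonation_active_mm=rule.require_impersonation_mm,  # copied from SPD
                      impersonation_active_em=rule.require_impersonation_em,  # copied from SPD
                      impersonation_handle=impersonation_handle)              # user that sent traffic
    mmsad[dst] = entry   # MUST exist before message #1 is sent
    return "SEND_MM1", entry
```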