3.14.5.1 IKE_SA_INIT Messages

Initiator: If the initiator chooses a security realm-based IPsec policy to trigger an SA negotiation, it reads the Security Realm ID ADM element defined in section 3.14.1, and includes it in the "MSFT IPsec Security Realm Id" vendor ID payload in the IKE_SA_INIT message.

Responder: If the responder receives an IKE_SA_INIT message that contains an "MSFT IPsec Security Realm Id" vendor ID, it reads the last 16 bytes of the payload as the security realm ID and uses that value to look up a matching IPsec policy. Note that there might be implicit priorities associated with IPsec policies. A higher priority IPsec policy that is not associated with any security realm can be selected over a lower priority IPsec policy that is associated with the received security realm ID. However, if a security realm-based IPsec policy is chosen, the security realm ID associated with the policy MUST exactly match the security realm ID received in the vendor ID.

If the IKE_SA_INIT message does not have an "MSFT IPsec Security Realm Id" vendor ID, the responder SHOULD<39> skip any security realm-based IPsec policies while selecting an IKE policy.
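The following is an added example, not code from the specification or from any Windows implementation. It models both sides of the exchange above: the initiator builds an IKE_SA_INIT payload chain carrying the "MSFT IPsec Security Realm Id" vendor ID, and the responder walks the generic payload headers (RFC 7296 section 3.2; Vendor ID is payload type 43), takes the last 16 bytes of that payload as the realm ID, and selects a policy under the priority rules of this section. Assumptions not stated on the page: the vendor ID payload data is the ASCII marker string immediately followed by the 16-byte realm ID, and policies are represented by a hypothetical record with a numeric priority where a larger value wins. All realm IDs, policy names and priorities are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# IKEv2 generic payload header and payload type numbers (RFC 7296, section 3.2).
PAYLOAD_NONE = 0          # "No Next Payload": terminates the chain
PAYLOAD_VENDOR_ID = 43

# ASSUMPTION for this example: the vendor ID payload data is the ASCII marker
# below followed by the 16-byte security realm ID. The spec text only states
# that the realm ID occupies the last 16 bytes of the payload.
REALM_VID_MARKER = b"MSFT IPsec Security Realm Id"
REALM_ID_LEN = 16


def parse_payloads(first_payload: int, data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a chain of IKEv2 generic payloads and yield (type, payload data).

    Each header is: Next Payload (1 byte), Critical bit + reserved (1 byte),
    Payload Length (2 bytes, network order, header included)."""
    ptype, offset = first_payload, 0
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_payload, _flags, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("invalid payload length %d" % length)
        yield ptype, data[offset + 4:offset + length]
        ptype, offset = next_payload, offset + length
    if offset != len(data):
        raise ValueError("trailing bytes after the last payload")


def build_payload_chain(payloads: List[Tuple[int, bytes]]) -> Tuple[int, bytes]:
    """Initiator side: inverse of parse_payloads, used to build sample IKE_SA_INIT bodies."""
    out = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        out += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    return first, out


def extract_security_realm_id(first_payload: int, data: bytes) -> Optional[bytes]:
    """Return the 16-byte realm ID from the realm vendor ID payload, or None when
    the message carries no such payload (or it is too short to hold one)."""
    for ptype, body in parse_payloads(first_payload, data):
        if ptype != PAYLOAD_VENDOR_ID or not body.startswith(REALM_VID_MARKER):
            continue
        if len(body) < len(REALM_VID_MARKER) + REALM_ID_LEN:
            continue  # malformed marker payload: treat as absent rather than guessing
        return body[-REALM_ID_LEN:]
    return None


@dataclass
class IpsecPolicy:
    """Hypothetical policy record: a larger priority value wins."""
    name: str
    priority: int
    realm_id: Optional[bytes] = None  # None: policy is not bound to any security realm


def select_policy(policies: List[IpsecPolicy],
                  received_realm: Optional[bytes]) -> Optional[IpsecPolicy]:
    """Responder-side selection following the rules in the text: policies without
    a realm are always candidates; a realm-based policy is a candidate only if a
    realm vendor ID was received and matches exactly; highest priority wins."""
    candidates = [p for p in policies
                  if p.realm_id is None
                  or (received_realm is not None and p.realm_id == received_realm)]
    return max(candidates, key=lambda p: p.priority, default=None)


# Constructed sample data (not taken from any real deployment).
REALM_A = bytes(range(16))
REALM_B = bytes(range(16, 32))
REALM_C = b"\xff" * 16
POLICIES = [
    IpsecPolicy("global-default", priority=10),
    IpsecPolicy("realm-a-policy", priority=5, realm_id=REALM_A),
    IpsecPolicy("realm-b-policy", priority=20, realm_id=REALM_B),
]


def responder_select(first_payload: int, data: bytes) -> Optional[str]:
    """Full responder path: parse the IKE_SA_INIT payloads, then pick a policy."""
    chosen = select_policy(POLICIES, extract_security_realm_id(first_payload, data))
    return chosen.name if chosen else None


def demo() -> dict:
    """Run the cases the text describes and return the selected policy names."""
    def init_msg(realm: Optional[bytes]) -> Tuple[int, bytes]:
        payloads = [(PAYLOAD_VENDOR_ID, b"some other vendor string")]
        if realm is not None:
            payloads.append((PAYLOAD_VENDOR_ID, REALM_VID_MARKER + realm))
        return build_payload_chain(payloads)
    return {
        "realm_a": responder_select(*init_msg(REALM_A)),  # higher-priority non-realm policy wins
        "realm_b": responder_select(*init_msg(REALM_B)),  # matching realm policy outranks it
        "realm_c": responder_select(*init_msg(REALM_C)),  # unknown realm: realm policies skipped
        "no_vid": responder_select(*init_msg(None)),      # no vendor ID: realm policies skipped
    }


if __name__ == "__main__":
    print(demo())
```

The `realm_a` case is the one the text calls out: the non-realm policy with the higher priority is chosen even though a policy bound to the received realm exists. Note that the realm ID is only a policy selector; it carries no authentication, which still happens in IKE_AUTH, so a responder must not treat a matching realm ID as evidence of who the peer is.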