3.10.4.2 Negotiation of Authenticated Firewall Encapsulation
To negotiate Authenticated Firewall encapsulation, the initiator MUST include one of the two encapsulation attributes listed below in the SA payload of quick mode (see section 3.4.7.3). The negotiation MUST then proceed as specified in [RFC2407] section 4.5.
The authenticated firewall encapsulation uses these two values for the encapsulation mode attribute:
IPSEC_TRANSPORT_AUTH_FW: 62000
IPSEC_TRANSPORT_UDP_AUTH_FW: 62001
The former signals Authenticated Firewall (authFW) mode with ESP encapsulation. The latter signals Authenticated Firewall (authFW) mode with UDP-encapsulated ESP. If a NAT was detected, then the latter attribute MUST be used; otherwise, the former attribute MUST be used.
On negotiating an authFW SA, both peers MUST set the IsAuthenticatedFWSA attribute of the SA to TRUE.
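The following Python is an added worked example, not code from this specification or from any Windows implementation. It shows both halves of the negotiation above: the initiator choosing between the two attribute values according to NAT detection and encoding the Encapsulation Mode attribute (attribute class 4, basic/TV form, per [RFC2407] section 4.5 and [RFC2408] section 3.3), and the responder walking a quick mode transform's attribute list, recognizing an authFW value and deriving IsAuthenticatedFWSA. The surrounding attributes in the sample (SA Life Type, SA Life Duration, Authentication Algorithm) are constructed for realism and are not part of this section; the responder-side consistency check against its own NAT detection is an assumption that follows from the MUST in the text, since the specification does not state how a mismatch is handled.

```python
import struct

# RFC 2408 section 3.3: a basic (TV) attribute is a 16-bit type with the
# Attribute Format bit (MSB) set, followed by a 16-bit value. A TLV attribute
# has AF clear, a 16-bit length, then that many value bytes.
ATTRIBUTE_FORMAT_TV = 0x8000
# RFC 2407 section 4.5: Encapsulation Mode is IPsec DOI attribute class 4.
ENCAPSULATION_MODE = 4

# Standard Encapsulation Mode values (RFC 2407 section 4.5, RFC 3947).
ENCAP_TUNNEL = 1
ENCAP_TRANSPORT = 2
ENCAP_UDP_TUNNEL = 3
ENCAP_UDP_TRANSPORT = 4
# Authenticated Firewall values from this section (RFC 2407 private-use range).
IPSEC_TRANSPORT_AUTH_FW = 62000
IPSEC_TRANSPORT_UDP_AUTH_FW = 62001
AUTH_FW_VALUES = {IPSEC_TRANSPORT_AUTH_FW, IPSEC_TRANSPORT_UDP_AUTH_FW}


def select_authfw_encapsulation(nat_detected: bool) -> int:
    """Initiator: pick the attribute value this section mandates."""
    return IPSEC_TRANSPORT_UDP_AUTH_FW if nat_detected else IPSEC_TRANSPORT_AUTH_FW


def encode_encapsulation_attribute(value: int) -> bytes:
    """Encode Encapsulation Mode as a basic (TV) attribute: AF=1, type 4, value."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("basic attribute value must fit in 16 bits")
    return struct.pack("!HH", ATTRIBUTE_FORMAT_TV | ENCAPSULATION_MODE, value)


def parse_attributes(data: bytes):
    """Yield (attribute_type, value) for a transform payload's attribute list.
    TV attributes yield an int; TLV attributes yield the raw value bytes."""
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        type_field, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = type_field & 0x7FFF
        if type_field & ATTRIBUTE_FORMAT_TV:
            yield attr_type, second
        else:
            if off + second > len(data):
                raise ValueError("truncated TLV attribute")
            yield attr_type, data[off:off + second]
            off += second


def build_sample_quick_mode_attributes(nat_detected: bool) -> bytes:
    """Constructed sample: one ESP transform's attribute list as an authFW
    initiator would send it. Only Encapsulation Mode comes from this section;
    the other attributes are ordinary RFC 2407 attributes added for realism."""
    life_type = struct.pack("!HH", ATTRIBUTE_FORMAT_TV | 1, 1)        # SA Life Type = seconds
    life_dur = struct.pack("!HH", 2, 4) + struct.pack("!I", 28800)    # SA Life Duration, TLV
    encap = encode_encapsulation_attribute(select_authfw_encapsulation(nat_detected))
    auth_alg = struct.pack("!HH", ATTRIBUTE_FORMAT_TV | 5, 2)         # Authentication Algorithm = HMAC-SHA
    return life_type + life_dur + encap + auth_alg


def responder_process_encapsulation(attrs: bytes, nat_detected: bool):
    """Responder: locate Encapsulation Mode and return (IsAuthenticatedFWSA, value).
    Rejecting an authFW value that contradicts local NAT detection is an
    assumption derived from the MUST in the text, not spec-defined behaviour."""
    encap = None
    for attr_type, value in parse_attributes(attrs):
        if attr_type == ENCAPSULATION_MODE:
            if encap is not None:
                raise ValueError("duplicate Encapsulation Mode attribute")
            if not isinstance(value, int):
                raise ValueError("Encapsulation Mode must be a basic attribute")
            encap = value
    if encap is None:
        raise ValueError("no Encapsulation Mode attribute in transform")
    is_authfw_sa = encap in AUTH_FW_VALUES
    if is_authfw_sa and encap != select_authfw_encapsulation(nat_detected):
        raise ValueError("authFW encapsulation value does not match NAT detection")
    return is_authfw_sa, encap


if __name__ == "__main__":
    for nat in (False, True):
        wire = build_sample_quick_mode_attributes(nat)
        print(nat, wire.hex(), responder_process_encapsulation(wire, nat))
```

On the wire the two attribute values appear as 80 04 F2 30 (62000) and 80 04 F2 31 (62001); a standard transport-mode proposal (80 04 00 02) parses with IsAuthenticatedFWSA false, which is the distinction the responder uses to set the attribute on the resulting SA.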