3.6.7.1 Transition Quick Mode Initiator Done
On reaching the Quick Mode Initiator Done state, the initiator MUST automatically proceed to Extended Mode, if required by policy, by sending the packet specified in the following diagram and transitioning to the Extended Mode First Request Sent state. If no Extended Mode is required, the SA negotiation is already complete and MUST NOT proceed further.
Figure 21: Transition to Extended Mode Initiator packet
The initiator MUST construct the message as follows:
HDR: The ISAKMP header MUST be constructed identically to the first IKE phase 2 initiator packet, as specified in [RFC2409] section 5.5, except that the exchange type MUST be 245 (EM exchange type). The Encrypted flag MUST be set.
The payloads that remain MUST be encapsulated in a Crypto payload.
Auth: The proposed authentication methods for the Extended Mode round of authentication MUST be constructed by looking up the PAD's Peer Authentication Data (see [RFC4301] section 4.4.3.2).
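The HDR rules above, as an added example that is not part of the specification: Python code that packs the 28-byte ISAKMP header (layout from RFC 2408 section 3.1) with exchange type 245 and the Encrypted flag set, plus a checker that a receiver or packet-analysis tool could apply to an incoming header. The function names, the sample cookies and message ID, and the next-payload value are assumptions; the Crypto payload's type number is not given in this section, so a placeholder stands in for it.

```python
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 section 3.1, 28 bytes
EM_EXCHANGE_TYPE = 245                      # EM exchange type, from the text above
FLAG_ENCRYPTED = 0x01                       # E bit of the ISAKMP flags field
ISAKMP_VERSION = 0x10                       # major 1, minor 0


def build_em_header(icookie, rcookie, message_id, body_len, next_payload):
    """Pack the header of the first Extended Mode packet (hypothetical helper)."""
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, ISAKMP_VERSION,
                           EM_EXCHANGE_TYPE, FLAG_ENCRYPTED, message_id,
                           ISAKMP_HDR.size + body_len)


def check_em_header(packet):
    """Return a list of deviations from the header rules; empty means OK."""
    if len(packet) < ISAKMP_HDR.size:
        return ["truncated: shorter than the 28-byte ISAKMP header"]
    _, _, _, version, xchg, flags, msg_id, length = ISAKMP_HDR.unpack_from(packet)
    problems = []
    if version != ISAKMP_VERSION:
        problems.append(f"unexpected ISAKMP version 0x{version:02x}")
    if xchg != EM_EXCHANGE_TYPE:
        problems.append(f"exchange type {xchg}, expected {EM_EXCHANGE_TYPE}")
    if not flags & FLAG_ENCRYPTED:
        problems.append("Encrypted flag not set")
    if msg_id == 0:
        problems.append("message ID is 0 (reserved for phase 1 in RFC 2408)")
    if length != len(packet):
        problems.append(f"length field {length} != packet size {len(packet)}")
    return problems


# Constructed sample values, not taken from a real exchange.
ICOOKIE, RCOOKIE = bytes(range(1, 9)), bytes(range(9, 17))
PLACEHOLDER_NEXT_PAYLOAD = 0xFF             # placeholder, not the real Crypto type
BODY = b"\x00" * 16                         # stands in for the encrypted payloads

good = build_em_header(ICOOKIE, RCOOKIE, 0x1234ABCD, len(BODY),
                       PLACEHOLDER_NEXT_PAYLOAD) + BODY
# Same packet with exchange type 32 (Quick Mode) and the E bit cleared.
bad = good[:18] + bytes([32, 0]) + good[20:]

if __name__ == "__main__":
    print(check_em_header(good), check_em_header(bad))
```

The checker reports every deviation it finds rather than stopping at the first, which makes it usable for logging rejected packets as well as for a pass/fail decision.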