Client                                                  Server
----------                                          ----------
1) -------------------- TCP Connection -------------------
   (IP_I:Port_I -> IP_R:Port_R)
   TcpSyn                -------->
                         <--------                TcpSyn,Ack
   TcpAck                -------->

2) --------------------- TLS Session ---------------------
   ClientHello           -------->
                                                 ServerHello
                                       {EncryptedExtensions}
                                               {Certificate*}
                                         {CertificateVerify*}
                         <--------                 {Finished}
   {Finished}            -------->

3) ---------------------- Stream Prefix --------------------
   "IKETCP"              -------->

4) ----------------------- IKE Session ---------------------
   Length + Non-ESP Marker
   IKE_SA_INIT
   HDR, SAi1, KEi, Ni,
   [N(NAT_DETECTION_SOURCE_IP)],
   [N(NAT_DETECTION_DESTINATION_IP)]
                         -------->
                         <--------   Length + Non-ESP Marker
                                                 IKE_SA_INIT
                                         HDR, SAr1, KEr, Nr,
                               [N(NAT_DETECTION_SOURCE_IP)],
                          [N(NAT_DETECTION_DESTINATION_IP)]
   Length + Non-ESP Marker
   first IKE_AUTH
   HDR, SK {IDi, [CERTREQ], CP(CFG_REQUEST),
            IDr, SAi2, TSi, TSr, ...}
                         -------->
                         <--------   Length + Non-ESP Marker
                                               first IKE_AUTH
                                  HDR, SK {IDr, [CERT], AUTH,
                                         EAP, SAr2, TSi, TSr}
   Length + Non-ESP Marker
   IKE_AUTH (repeat 1..N times)
   HDR, SK {EAP}
                         -------->
                         <--------   Length + Non-ESP Marker
                                 IKE_AUTH (repeat 1..N times)
                                               HDR, SK {EAP}
   Length + Non-ESP Marker
   final IKE_AUTH
   HDR, SK {AUTH}
                         -------->
                         <--------   Length + Non-ESP Marker
                                              final IKE_AUTH
                               HDR, SK {AUTH, CP(CFG_REPLY),
                                          SA, TSi, TSr, ...}

-------------- IKE and IPsec SAs Established ------------
   Length + ESP Frame    -------->
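The framing used in steps 3 and 4 above (the "IKETCP" stream prefix, then one length-prefixed frame per IKE message or ESP packet, with a 4-zero-octet Non-ESP Marker telling the two apart) is the TCP encapsulation defined in RFC 8229. The following encoder/decoder is an added example, not text from the RFC: it assumes the RFC 8229 convention that the 16-bit Length counts the length field itself, takes the IKE header constants (exchange type 34, next payload 33, flags 0x08) from RFC 7296, and the SPI, sequence number and payload bytes in the sample are constructed.

```python
import struct

STREAM_PREFIX = b"IKETCP"             # sent once after the TCP/TLS handshake (step 3)
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # four zero octets; a real ESP SPI is never zero
IKE_HEADER_LEN = 28                   # fixed IKEv2 header size (RFC 7296)

def ike_sa_init_header(spi_i: int, msg_len: int) -> bytes:
    """28-octet header of an initiator's IKE_SA_INIT request (RFC 7296 values:
    responder SPI 0, next payload 33 = SA, version 0x20, exchange 34, flags 0x08)."""
    return struct.pack("!QQBBBBII", spi_i, 0, 33, 0x20, 34, 0x08, 0, msg_len)

def frame_ike(msg: bytes) -> bytes:
    """Length + Non-ESP Marker + IKE message; Length counts the 2 length octets too."""
    return struct.pack("!H", 2 + len(NON_ESP_MARKER) + len(msg)) + NON_ESP_MARKER + msg

def frame_esp(pkt: bytes) -> bytes:
    """Length + ESP packet. The SPI in the first 4 octets must be non-zero, otherwise
    the receiver would read the frame as an IKE message."""
    if len(pkt) < 4 or pkt[:4] == NON_ESP_MARKER:
        raise ValueError("ESP packet must start with a non-zero SPI")
    return struct.pack("!H", 2 + len(pkt)) + pkt

def parse_stream(data: bytes):
    """Split received bytes into ("ike", msg) / ("esp", pkt) records; returns
    (records, leftover) where leftover is a partial trailing frame awaiting more data."""
    if not data.startswith(STREAM_PREFIX):
        raise ValueError("stream does not start with the IKETCP prefix")
    pos, records = len(STREAM_PREFIX), []
    while len(data) - pos >= 2:
        (length,) = struct.unpack_from("!H", data, pos)
        if length < 2 + 4:                   # cannot hold a marker or an ESP SPI
            raise ValueError(f"bad frame length {length} at offset {pos}")
        if pos + length > len(data):
            break                            # partial frame: keep it buffered
        body = data[pos + 2 : pos + length]
        if body[:4] == NON_ESP_MARKER:
            if len(body) - 4 < IKE_HEADER_LEN:
                raise ValueError("IKE frame shorter than the IKE header")
            records.append(("ike", body[4:]))
        else:
            records.append(("esp", body))
        pos += length
    return records, data[pos:]

if __name__ == "__main__":
    # Constructed sample stream: prefix, one IKE_SA_INIT header, one dummy ESP packet
    ike = ike_sa_init_header(0x1122334455667788, IKE_HEADER_LEN)
    esp = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16
    print(parse_stream(STREAM_PREFIX + frame_ike(ike) + frame_esp(esp)))
```

A receiver that accepts the length field without the sanity checks shown in parse_stream can be desynchronised or made to allocate on attacker-chosen sizes, so the checks belong in any real implementation, not only the sample.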