ESP Tunnel Mode
In ESP Tunnel mode, the entire original IP datagram is encapsulated with a new (outer) IP header and an ESP header and trailer. In the outer IP header, the Protocol field is set to 50 (0x32) to indicate that an ESP header is present. For Tunnel mode, the original IP header and payload are unmodified. Like AH Tunnel mode, the outer IP header is constructed from the configuration of the IPsec tunnel.
ESP Tunnel Mode
For ESP Tunnel mode, the following portions of the packet are encrypted:
■ The original IP datagram (IP header and payload)
■ The Padding, Padding Length, and Next Header fields of the ESP trailer
ISAKMP Message Structure
ISAKMP messages are sent as the payload of UDP messages using UDP port 500.
ISAKMP Header
The ISAKMP header is a standard header that is present for all ISAKMP messages and contains information about the message, including the type of packet.
SA Payload
The SA payload is used to indicate the domain of interpretation (DOI) and situation for the SA negotiation. The DOI is a set of definitions for payload formats, exchange types, and naming conventions for security-related information, such as the naming of policies and cryptographic algorithms. A situation is a set of information that identifies security services in the ISAKMP message.
Proposal Payload
The Proposal payload contains security parameter information that is used to negotiate the security settings for either an ISAKMP or IPsec SA. The Proposal payload contains proposal settings and then a series of one or more Transform payloads that contain the specific security settings for encryption and authentication algorithms for the SA.
Transform Payload
The Transform payload contains information that identifies a specific security mechanism, or transform, that is proposed to secure future traffic. The Transform payload also contains SA attributes, as defined in RFC 2407 for the IPsec DOI.
Vendor ID Payload
The Vendor ID payload contains a string or number that either indicates a specific capability or is defined by a vendor so that an IPsec implementation can recognize an IPsec peer running the same implementation.
Key Exchange Payload
The Key Exchange payload contains information pertaining to the key exchange process. The key exchange process supported by IPsec for Windows Server 2008 and Windows Vista is Diffie-Hellman. With Diffie-Hellman, two IPsec peers exchange key values that are sent in plaintext.
Notification Payload
The Notification payload is used to transmit control information, such as an error condition, to an IPsec peer. A single ISAKMP message can contain multiple Notification payloads. For Notification payloads within a Main mode message, the initiator and responder cookies identify the negotiation.
Delete Payload
The Delete payload is used to inform an IPsec peer that an SA for a specific protocol has been deleted. The receiver should remove its corresponding SA. IPsec for Windows Server 2008 and Windows Vista supports verification of Delete payloads. If an ISAKMP message with a Delete payload is received, the receiver acknowledges it. If an acknowledgment is not received, the Delete payload is resent.
Hash Payload
The Hash payload contains a hash value that is the result of a hash function computed over a set of fields or other parameters. The Hash payload can be used to provide integrity or authentication of negotiating peers.
Certificate Request Payload
The Certificate Request payload is used to request certificates from an IPsec peer. After receipt of an ISAKMP message with a Certificate Request payload, an IPsec peer must send a certificate or certificates based on the contents of the Certificate Request payload.
Signature Payload
The Signature payload is used to send digital signatures calculated over a set of fields or parameters. The Signature payload provides data integrity and nonrepudiation services during the authentication phase of Main mode negotiation.
AuthIP Messages
Both IKE and AuthIP use ISAKMP as their key exchange and SA negotiation protocol. AuthIP uses ISAKMP messages with the exchange types 243 (Main Mode), 244 (Quick Mode), 245 (Extended Mode), and 246 (Notify) in the ISAKMP header. An important difference in AuthIP-based ISAKMP messages is that they contain only one ISAKMP payload: either the Crypto payload or the Notify payload. The Crypto payload contains the embedded payloads used for the Main mode, Quick mode, or Extended mode negotiation.
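As an added example that is not part of the original slides, the following Python parser reads the ISAKMP header described above, walks the chain of payloads (SA, Proposal, Vendor ID and the others named on these slides) using the generic payload header, and classifies the exchange type as IKE or AuthIP using the 243-246 values given for AuthIP. The numeric payload type codes and the IKE exchange type numbers come from RFC 2408/2409, not from this page, and the sample message is constructed for illustration only.

```python
import struct
# ISAKMP payload type codes (RFC 2408). The slides name these payloads but not
# their numeric codes; the codes here come from the RFC.
PAYLOAD_NAMES = {1: "SA", 2: "Proposal", 3: "Transform", 4: "KE", 5: "ID",
                 6: "CERT", 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE",
                 11: "Notification", 12: "Delete", 13: "VendorID"}
# Exchange types: 2/32 are IKE Main/Quick mode (RFC 2408/2409); 243-246 are the
# AuthIP values the slides list.
EXCHANGE_NAMES = {2: "IKE Main Mode", 4: "IKE Aggressive", 5: "Informational",
                  32: "IKE Quick Mode", 243: "AuthIP Main Mode",
                  244: "AuthIP Quick Mode", 245: "AuthIP Extended Mode",
                  246: "AuthIP Notify"}
# Fixed 28-byte header: cookies, next payload, version, exchange, flags, msg id, length
HEADER_FMT = ">8s8sBBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)

def parse_isakmp(data: bytes) -> dict:
    """Parse the ISAKMP header and walk the generic payload chain, refusing
    any payload whose length field points outside the datagram."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated ISAKMP header")
    fields = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    icookie, rcookie, next_pl, ver, exch, flags, msg_id, length = fields
    if length != len(data):
        raise ValueError(f"length field {length} != datagram size {len(data)}")
    payloads, offset = [], HEADER_LEN
    while next_pl != 0:  # next payload 0 (NONE) terminates the chain
        if offset + 4 > len(data):
            raise ValueError("payload header runs past end of message")
        this_type = next_pl
        next_pl, _reserved, pl_len = struct.unpack(">BBH", data[offset:offset + 4])
        if pl_len < 4 or offset + pl_len > len(data):
            raise ValueError(f"bad payload length {pl_len} at offset {offset}")
        payloads.append((PAYLOAD_NAMES.get(this_type, f"type{this_type}"), pl_len))
        offset += pl_len
    if offset != len(data):
        raise ValueError("trailing bytes after last payload")
    return {"initiator_cookie": icookie.hex(), "responder_cookie": rcookie.hex(),
            "version": f"{ver >> 4}.{ver & 0xF}", "message_id": msg_id,
            "exchange": EXCHANGE_NAMES.get(exch, f"exchange{exch}"),
            "authip": 243 <= exch <= 246, "encrypted": bool(flags & 0x01),
            "payloads": payloads}

def build_sample(exch: int = 2) -> bytes:
    """Constructed first message: an SA payload followed by a Vendor ID payload."""
    sa = struct.pack(">BBH", 13, 0, 12) + b"\x00" * 8        # next = VendorID
    vid = struct.pack(">BBH", 0, 0, 8) + b"\xde\xad\xbe\xef"  # next = NONE
    hdr = struct.pack(HEADER_FMT, b"\x11" * 8, b"\x00" * 8, 1, 0x10, exch, 0, 0,
                      HEADER_LEN + len(sa) + len(vid))
    return hdr + sa + vid
```

The responder cookie of all zeros marks the initiator's first message; a capture on UDP port 500 can be fed through parse_isakmp() datagram by datagram.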