3.4.5.2 Quick Mode Second Exchange Response

Figure 10: Quick Mode Second Exchange Response packet
If the initiator is not in Quick Mode Initiator Second Packet Sent state when it receives the above packet, it MUST tear down the corresponding main mode security association (MM SA) if it can match the packet to an existing main mode, or silently discard the packet otherwise.
If the initiator is in state Quick Mode Initiator Second Packet Sent state, it MUST transition to Quick Mode Initiator Done state.
The QM SA keys MUST be computed at this stage by using the key material generation algorithm from section 3.1. The first ipsechashLength bytes of IPSecEncryptKey MUST be used as the QM SA authentication key and the last ipseccryptLength bytes MUST be used as the QM SA encryption key.
If either the ImpersonationActiveMM or ImpersonationActive EM flag is TRUE, for the MM SA corresponding to the QM SA, then the ImpersonationHandle from the MM SA MUST be copied over to the QM SA.
If the SAD indicates that an extended mode (EM) exchange is not expected to follow the just-completed quick mode exchange, the outbound QM SA MUST be added to the SAD after processing the incoming message.
If the initiator encounters any errors in the processing of a message, it MUST be treated as an Invalid Message event. See section 3.4.7.1.
The initiator MUST start an EM exchange, as specified in section 3.6.7.2, if the PAD requires it.