3.10.5.3 Initiator Receiving a Plaintext Authenticated Firewall Connection Packet

When the initiator receives any plaintext packet, the initiator MUST look up the SA that would secure that packet, as described in [RFC4301] section 4.4.2.2. If the cleartext packet matches an authFW mode SA, then the packet MUST be accepted as valid and further IPSec processing MUST NOT be performed on that packet.