3.1.7.7 New Connection Initiation

Whenever a new connection is initiated, a new entry MUST first be created and stored in the connection state table (see section 3.1.1). The IsAuthenticatedFirewallConnection and AuthFWAuthorized flags MUST be set to FALSE. The type of the new entry MUST match the IP version (IPv4 or IPv6) and the protocol (TCP/UDP, ICMP, or protocol-only) of the new connection. When an entry is created for a non-TCP connection, a per-connection timer MUST be set, as specified in section 3.10.4. The IsImpersonatedConnection flag MUST be set to FALSE. ImpersonationHandle MUST be set to a locally unique ID value that represents the user who initiated the connection. This ID value MUST stay constant for the given user for each new connection initiated by the user.

The host determines which SA to use to secure the traffic as specified in [RFC4301] section 4.4.2.2. If the SA is an authFW SA (that is, if IsAuthenticatedFWSA is set to TRUE for the SA), then the IsAuthenticatedFirewallConnection and AuthFWAuthorized flags MUST be set to TRUE.

The connection state tracking timer for the connection MUST be reset back to its default time every time a packet is sent or received on that connection.
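The following Python model is an added illustration of the entry-creation rules above; it is not part of the specification. The class names, the DEFAULT_TIMEOUT value, the string protocol names and the counter-based ImpersonationHandle scheme are assumptions made for this example only.

```python
from dataclasses import dataclass
from typing import Optional
import itertools

DEFAULT_TIMEOUT = 60  # assumed default of the per-connection timer (seconds)
# Entry type follows the protocol family; anything else is "protocol-only".
ENTRY_TYPE = {"TCP": "TCP/UDP", "UDP": "TCP/UDP", "ICMP": "ICMP"}

@dataclass
class SecurityAssociation:
    spi: int
    is_authenticated_fw_sa: bool = False   # IsAuthenticatedFWSA flag of the SA

@dataclass
class ConnectionEntry:
    ip_version: int                 # 4 or 6, matching the new connection
    entry_type: str                 # "TCP/UDP", "ICMP" or "protocol-only"
    impersonation_handle: int       # locally unique ID of the initiating user
    is_impersonated_connection: bool = False
    is_authenticated_firewall_connection: bool = False
    auth_fw_authorized: bool = False
    timer: Optional[int] = None     # None: no per-connection timer (TCP)

    def packet_seen(self) -> None:
        # Any packet sent or received resets the tracking timer to its default.
        if self.timer is not None:
            self.timer = DEFAULT_TIMEOUT

class ConnectionStateTable:
    def __init__(self):
        self.entries, self._user_ids, self._next_id = [], {}, itertools.count(1)

    def impersonation_handle_for(self, user: str) -> int:
        # The same user receives the same ID for every connection it initiates.
        if user not in self._user_ids:
            self._user_ids[user] = next(self._next_id)
        return self._user_ids[user]

    def initiate(self, ip_version: int, protocol: str, user: str,
                 sa: SecurityAssociation) -> ConnectionEntry:
        entry = ConnectionEntry(ip_version, ENTRY_TYPE.get(protocol, "protocol-only"),
                                self.impersonation_handle_for(user))
        if protocol != "TCP":            # non-TCP connections get a per-connection timer
            entry.timer = DEFAULT_TIMEOUT
        if sa.is_authenticated_fw_sa:    # traffic is secured by an authFW SA
            entry.is_authenticated_firewall_connection = entry.auth_fw_authorized = True
        self.entries.append(entry)
        return entry
```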