It would be particularly efficient to use a multicast SA out, and a PGP-style reply. That allows you to skip the step of the second SA negotiation. Initial multicast key distribution might be heavyweight, it might be cumbersome, but it's not HARD or even hard.

Hilarie