Here is the dilemma: if "dangling" implementation wants to send IPSec SA DELETE message, while the "parent" IKE SA is no longer there (expired or deleted), the alternatives are (and I do not like either of them): a) do not send DELETE b) re-negotiate IKE SA before sending DELETE Any suggestions?