"Michael C. Richardson" wrote: > I agree. > I would advocate in the gateway->client case sending an ICMP ping to the > client's internal address, from the gateway's internal address on the primary > phase 2 SA. This ought to fit into the typical setup's SPD. What do you mean by "primary" Phase 2 SA? Does it mean that this IPSec SA should allow ICMP?