> 1. Extending IKE (with new payloads etc) to what is basically an ipsec > problem seems to be an incorrect. > If ipsec state (ipsec-SA) is out of sync between two peers, it should be > dealt in ipsec. this is a weak argument; the primary reason for the existance of ike is to establish and destroy ipsec state. - Bill