I am working on a BITW implementation of IPSec. In some cases, the host behind the IPSec device requires the IPSec device to send a security failures message back to the host whenever the IKE or ESP process fails. Is RFC 2521 supposed to provide some guidance or a standard for handling this kind of situation?

Thanks

Shicai Hu
Cryptek