If such an ICMP message is added, then the rate limiting feature for this message must be a MUST requirement and should not be left to the administrator. One can not expect people that do not update virus definitions to configure IPSEC related ICMP message rates. Regards, Bora