Pasi,

I agree with your observations/concerns. Any host/SG to which one is redirected needs to be subject to the same controls as an initial SA target. I see this as a PAD (and SPD) issue. I would suggest that maybe the only safe approach is to reevaluate the redirected target against the PAD entry for the initial target.

Steve