I've been attempting to beef up my knowledge of IPsec recently, and got to thinking hypothetically about a *possible* problem with implementing IPsec on larger networks. My experience with IPsec is currently limited at best, so hopefully I can communicate this properly: Let's assume that I have a large-ish network with multiple connections to the Internet and ambiguous routing (meaning that a packet might come in one gateway and the response packet might leave through a different gateway). Let's also assume that I'd like to allow IPsec tunnels into my network to allow single workstations and small networks to attach to mine. With such ambiguous routing, is my understanding correct that the response traffic could potentially bypass the VPN concentrator altogether and travel to the destination unencrypted? Is there any best practices advice for dealing with IPsec on such a network, or am I stuck with either "redesign your network architecture" or "don't allow IPsec?" From what I can figure, those last two options are my best bet, unless I want to allow lots of VPN concentrators deeper within the network where the routing is less ambiguous. Are there any solutions for quickly, reliably, and securely sharing IPsec Security Association databases between gateways, so that the other gateways would know to encrypt the traffic before letting it out? Any other relevant thoughts, experiences, insults, rude gestures, etc.? Thanks! -Dave Wilburn