[RFC 2407]The INITIAL-CONTACT(IC) status message may be used when one side
wishes to inform the other that this is the first SA being established
with the remote system. The receiver of this Notification Message might then
elect to delete any existing SA's it has for the sending system under the
assumption that the sending system has rebooted and no longer has access
to the original SA's and their associated keying material.
The ZyWALL has two ways to delete SA when it receives IC, it is switched by
a global option 'ipsec initContactMode gateway/tunnel':
(1)ipsec initContactMode gateway
When the ZyWALL receives a IKE packets with IC, it deletes all tunnels with
the same secure gateway IP. It is default option because the ZyWALL is
site to site VPN device. Take the picture 1 as example, there are three
VPN tunnels are created between ZWA and ZWB, but ZWA reboots for some
reasons, and after rebooting, the ZWA will send a IKE with IC to the ZWB,
then the ZWB will delete all existing tunnels whose security gateway IP is
the same as this IKE's one and build a new VPN tunnel for the sender.
(2)ipsec initContactMode tunnel
When the ZyWALL receives a IKE packets with IC, it deletes only one existing tunnel, whose security gateway IP is not only the same as this IKE's one and also its phase 2 ID(network policy) should match. It is suitable when your tunnel is created from a VPN peer to ZyWALL and there are more than two this kind of VPN peers build tunnels behind the same NAT router. Take the picture 2 as example, PC 1, PC2 and PC3 has it's own VPN software to create tunnels with ZW. Suppose that the PC1, PC2 and PC3 separately create different tunnels with ZW for the traffic to PC4, PC5 and PC6, once the PC1 reboots for some reasons, and after rebooting, the PC1 sends a IKE with IC to the ZWB, then the ZWB will only delete the tunnel which is used by PC1 and PC4 and build a new VPN tunnel for it. So other tunnels will not be disconnected.
