The IPsec tunnel through FW1 (not a VPN tunnel terminating at FW1) is up and working, but the tunnel traffic itself is being denied. Researching it shows that outbound tunnel traffic is allowed but return traffic is denied, as the FW thinks the far end initiated the traffic. I see a log entry for the dropped return traffic. I fixed it in a roundabout way by modifying the rule to allow initiated sessions from the far end. My question is: what about IPsec ESP traffic does FW1 use to determine what session in the state table it is associated with? The SPI (Security Parameters Index) number? The return traffic's SPI # is different from the outgoing traffic's SPI #. Or the state table might be messed up. Can anyone provide any insight? Leaving the rules allowing outside-initiated sessions from the far end won't fly as a permanent solution. This worked fine last week, then something changed to break it this week. Either the state tables are screwed up, or the distant-end VPN equipment is tagging the return tunnel traffic with an invalid parameter (such as a wrong SPI number), forcing FW1 to treat it as a new session. Help!
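Added example, not part of the original post and not a description of how FW1 actually tracks state: a toy stateful filter run over two constructed ESP packets (one outbound, one reply) that shows why keying an ESP "session" on the SPI alone can never match return traffic (each direction of an IPsec SA has its own SPI), whereas keying on the unordered endpoint pair plus IP protocol 50 matches both directions. The addresses, SPIs and helper names are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

ESP_PROTO = 50  # IP protocol number for ESP (RFC 4303)

def build_ipv4_esp(src, dst, spi, seq, payload=b"\x00" * 8):
    """Constructed sample packet: minimal IPv4 header (checksum left 0) + ESP header + opaque payload."""
    total = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, ESP_PROTO, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!II", spi, seq) + payload

def parse_ipv4_esp(pkt):
    """Return (src, dst, spi, seq) from a raw IPv4 packet whose payload is ESP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != ESP_PROTO:
        raise ValueError("not an IPv4 packet carrying ESP")
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])  # SPI and sequence number are the cleartext ESP header
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), spi, seq

class EspStateTable:
    """Toy stateful filter. key_by_spi=True models the failure mode: ESP SPIs are chosen per
    direction, so the reply SA carries a different SPI and never matches the outbound entry."""
    def __init__(self, key_by_spi):
        self.key_by_spi = key_by_spi
        self.sessions = set()
    def _key(self, src, dst, spi):
        if self.key_by_spi:
            return spi
        return (frozenset((src, dst)), ESP_PROTO)  # unordered endpoint pair + protocol matches both ways
    def outbound(self, pkt):
        src, dst, spi, _ = parse_ipv4_esp(pkt)
        self.sessions.add(self._key(src, dst, spi))
    def inbound_allowed(self, pkt):
        src, dst, spi, _ = parse_ipv4_esp(pkt)
        return self._key(src, dst, spi) in self.sessions

def demo():
    """Outbound SA and its reply SA (constructed addresses and SPIs); returns the verdict per keying strategy."""
    out = build_ipv4_esp("10.0.0.2", "198.51.100.7", spi=0xC0010001, seq=1)
    back = build_ipv4_esp("198.51.100.7", "10.0.0.2", spi=0xD0020002, seq=1)
    verdict = {}
    for label, by_spi in (("keyed_by_spi", True), ("keyed_by_endpoints", False)):
        table = EspStateTable(key_by_spi=by_spi)
        table.outbound(out)
        verdict[label] = table.inbound_allowed(back)
    return verdict  # {'keyed_by_spi': False, 'keyed_by_endpoints': True}
```

When troubleshooting, comparing the SPI logged on the dropped return packets with the inbound SPI the peer reports for the same SA tells you whether the peer is actually sending something unexpected or the firewall is simply not pairing the two directions.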