Method and apparatus for enhanced security for communication over a
network, and more particularly to control of security protocol
negotiation to enable multiple clients to establish a virtual private
network connection with a same remote address, is described. A mapping
table accessible by a gateway computer is used to form associations
among a local address for the client, a destination address for a peer,
and a Security Parameters Index associated with IPSec-protected traffic
from the peer. When a packet is received at the gateway from a client, it
is checked to determine whether it is an Internet Key Exchange (IKE)
packet, whether an IKE session has already been recorded from this client
in the mapping table for the destination address in the IKE packet, and
whether a Security Parameters Index has been observed in the clear from a
remote computer associated with the destination address.
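The mapping table and the three checks above, modelled as an added example that is not code from the patent. Addresses and SPIs are constructed sample values; the choice to hold a second client's IKE exchange toward the same peer until the first session's inbound SPI has been observed is an assumption of this example (an inbound ESP packet carries only the SPI to say which client it belongs to), as is identifying IKE by UDP port 500.

```python
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500  # IKE negotiation runs over UDP/500 (assumed identification rule)


@dataclass
class Entry:
    client: str            # client's local (private) address
    peer: str              # remote VPN endpoint (destination) address
    spi_in: Optional[int]  # SPI the peer uses toward this client, once seen in the clear


class IPsecPassthroughGateway:
    """Gateway mapping table: (client, peer) -> inbound SPI, learned from peer traffic."""

    def __init__(self):
        self.table = []  # list of Entry

    def _find(self, client, peer):
        return next((e for e in self.table if e.client == client and e.peer == peer), None)

    def outbound(self, client, dst, udp_port=None, spi=None):
        """Packet from a LAN client toward dst; returns 'forward', 'hold' or 'drop'."""
        if udp_port == IKE_PORT:                               # check 1: is it IKE?
            if self._find(client, dst):                        # check 2: session recorded?
                return "forward"
            # check 3: another client's session to this peer has no SPI yet, so a
            # second negotiation would make the peer's ESP replies ambiguous (assumed policy)
            if any(e.peer == dst and e.spi_in is None for e in self.table):
                return "hold"
            self.table.append(Entry(client, dst, None))        # record new IKE session
            return "forward"
        if spi is not None:                                    # outbound ESP needs a session
            return "forward" if self._find(client, dst) else "drop"
        return "forward"                                       # ordinary, non-IPsec traffic

    def inbound(self, src, spi):
        """ESP packet from peer src; map its clear-text SPI to a client, or None to drop."""
        for e in self.table:
            if e.peer == src and e.spi_in == spi:
                return e.client                                # known SPI -> known client
        pending = [e for e in self.table if e.peer == src and e.spi_in is None]
        if len(pending) == 1:                                  # exactly one open session:
            pending[0].spi_in = spi                            # learn its inbound SPI
            return pending[0].client
        return None                                            # unknown or ambiguous SPI
```

With two clients behind the gateway the second IKE exchange is held until the peer's first ESP packet reveals the SPI; after that the table resolves every inbound packet to one client and drops SPIs it has never seen.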