Bill, I believe that the Arch Doc considers a BITW Ipsec device to be a host implementation in that context (at least for a single homed host). If the same device is used in front of a router, then it inherits the security gateway requirements. Steve