RE: TCP/UDP/DoS Denial-of-service is such a slipery slope. If you want to actively attack IKE, just eat the last packet of Main Mode or Quick Mode... Dan's right in that using TCP only changes the problem set. It doesn't solve anything other than by providing a fairly high-cost keepalive mechanism. Derrell