I disagree that * IKE/IPSEC is primarily meant for host-to-host protection. Support for a broad set of identities was a goal from the beginning. Hilarie