Skip,

Unfortunately, IPsec over L2TP loses many of the access control features of IPsec, because the receiver no longer examines the inner IP header to see if it matches the selectors for the SA via which the packet arrived. Since the SA binding is lost as soon as the packet leaves the IPsec processing, no later filtering can provide the same sort of checks.

Steve
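The selector check described in the message above, as an added example that is not part of the original message: a simplified model (not an IPsec implementation) contrasting a tunnel-mode receiver, which compares the inner header with the SA's selectors, with IPsec protecting L2TP, where only the UDP/1701 header is compared. All class and function names are hypothetical and the addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "any"
    dport: int = 0
    payload: Optional["Packet"] = None  # inner packet carried by L2TP/PPP

@dataclass(frozen=True)
class SA:
    src_net: str        # selector: permitted source addresses
    dst_net: str        # selector: permitted destination addresses
    proto: str = "any"
    dport: int = 0      # 0 means any port

def matches(sa: SA, pkt: Packet) -> bool:
    """True if the packet's header fits the SA's selectors."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(sa.src_net)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(sa.dst_net)
            and sa.proto in ("any", pkt.proto)
            and sa.dport in (0, pkt.dport))

def tunnel_mode_receive(sa: SA, inner: Packet) -> Optional[Packet]:
    """IPsec tunnel mode: the decapsulated inner header is checked against
    the selectors of the SA the packet arrived on."""
    return inner if matches(sa, inner) else None

def l2tp_over_ipsec_receive(sa: SA, l2tp: Packet) -> Optional[Packet]:
    """The SA protects only the UDP/1701 packet between the L2TP endpoints.
    L2TP unwraps the inner packet afterwards, with no SA binding left."""
    if not matches(sa, l2tp):
        return None
    return l2tp.payload  # inner header is never compared with any selector

# Constructed sample data (documentation and private address ranges).
TUNNEL_SA = SA("10.1.0.0/16", "10.2.0.0/16")
L2TP_SA = SA("192.0.2.10/32", "198.51.100.1/32", "udp", 1701)
GOOD = Packet("10.1.4.7", "10.2.0.5", "tcp", 443)
OUT_OF_POLICY = Packet("10.9.9.9", "10.2.0.5", "tcp", 443)  # source outside 10.1.0.0/16

def wrap(inner: Packet) -> Packet:
    """Carry an inner packet in an L2TP packet between the two endpoints."""
    return Packet("192.0.2.10", "198.51.100.1", "udp", 1701, inner)

if __name__ == "__main__":
    print("tunnel mode:", tunnel_mode_receive(TUNNEL_SA, OUT_OF_POLICY))
    print("L2TP over IPsec:", l2tp_over_ipsec_receive(L2TP_SA, wrap(OUT_OF_POLICY)))
```

In the model, the same out-of-policy inner packet is dropped by the tunnel-mode receiver but delivered on the L2TP path, because by the time the inner header is visible the packet is no longer associated with an SA.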