> It should be OK to use an IPSEC SA for a port other than the one
> originally negotiated. It's the sender's option, eh?

Huh? RFC 2401 says otherwise -- ports can be specified in inbound as
well as outbound policy.

Folks involved with the NRL IPsec implementation have told me that
inbound enforcement of unique SAs per connection was always on their
TODO list.

- Bill
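The inbound enforcement discussed in this message, as an added sketch that is not part of the original post or of any implementation it mentions: after IPsec processing, the receiver compares the inner packet's headers against the selectors bound to the SA it arrived on and drops mismatches. The struct layout, function names, the 0-as-wildcard convention and the sample values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Selector fields: used both for the values bound to an SA at negotiation
 * time and for the headers of a decapsulated packet.
 * Assumption of this sketch: 0 in an SA selector means "any". */
struct selector {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint8_t  proto;               /* 6 = TCP, 17 = UDP */
    uint16_t src_port, dst_port;
};

struct sa {
    uint32_t spi;
    struct selector sel;          /* what the SA was negotiated for */
};

/* Constructed sample data: an SA negotiated for TCP to port 23 between two
 * documentation-range addresses, and two inner packets received on it. */
static const struct sa sample_sa =
    { 0x1001, { 0xC0000201, 0xC6336407, 6, 0, 23 } };
static const struct selector pkt_negotiated =
    { 0xC0000201, 0xC6336407, 6, 40000, 23 };
static const struct selector pkt_other_port =
    { 0xC0000201, 0xC6336407, 6, 40000, 80 };

static bool field_ok(uint32_t want, uint32_t got)
{
    return want == 0 || want == got;
}

/* Inbound policy check, run after decryption and authentication succeed:
 * accept only if the inner packet matches the SA's own selectors, so a
 * sender cannot reuse the SA for a port it was not negotiated for. */
bool inbound_selector_check(const struct sa *sa, const struct selector *inner)
{
    const struct selector *s = &sa->sel;
    return field_ok(s->src_ip, inner->src_ip) &&
           field_ok(s->dst_ip, inner->dst_ip) &&
           field_ok(s->proto, inner->proto) &&
           field_ok(s->src_port, inner->src_port) &&
           field_ok(s->dst_port, inner->dst_port);
}

int main(void)
{
    printf("port 23 on SA: %s\n",
           inbound_selector_check(&sample_sa, &pkt_negotiated) ? "accept" : "drop");
    printf("port 80 on SA: %s\n",
           inbound_selector_check(&sample_sa, &pkt_other_port) ? "accept" : "drop");
    return 0;
}
```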