> In my case, on the sender side, I would decide on a tunnel based on > VLAN ID or the port from which the packet was received. The > selectors in IPSec makes it less flexible for applications like > these. So, that sounds like it's accomodated by "different SPD per inbound interface", which is what 2401 tells you to do.. - Bill