On Wed, 31 Mar 2004, andrei wrote:

> "remote" #6: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500
> but are 17/0

That is a bug in the Cisco PIX. A workaround for this was added recently.
Use:

    rightprotoport=17/%any

Paul
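
Added example, not part of the original message and not the IPsec implementation's own code: a Python sketch of the check behind the quoted log line. It parses the Protocol ID and Port fields of an ISAKMP Identification payload (layout per the IPsec DOI, RFC 2407) and applies the 0/0-or-17/500 rule. The sample payloads are constructed, and `tolerate_any_port` is a hypothetical flag that only mimics accepting UDP with any port; it is not how `rightprotoport` is implemented.

```python
import struct

IPPROTO_UDP = 17
IKE_UDP_PORT = 500
ID_IPV4_ADDR = 1  # ID type value from the IPsec DOI


def parse_id_payload(payload: bytes):
    """Return (id_type, protocol, port, id_data) from an ISAKMP ID payload."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    # Generic header: next payload, reserved, length; then ID type, protocol, port.
    _next, _rsvd, length, id_type, protocol, port = struct.unpack(
        "!BBHBBH", payload[:8])
    if length < 8 or length > len(payload):
        raise ValueError("payload length field inconsistent with data")
    return id_type, protocol, port, payload[8:length]


def check_phase1_id(payload: bytes, tolerate_any_port: bool = False):
    """Apply the Phase 1 rule: protocol/port must be 0/0 or 17/500."""
    _id_type, protocol, port, _data = parse_id_payload(payload)
    if (protocol, port) in ((0, 0), (IPPROTO_UDP, IKE_UDP_PORT)):
        return True, "ok"
    msg = ("protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
           "but are %d/%d" % (protocol, port))
    # Hypothetical leniency for peers that send UDP with port 0.
    if tolerate_any_port and protocol == IPPROTO_UDP:
        return True, "tolerated: " + msg
    return False, msg


def build_sample(protocol: int, port: int) -> bytes:
    """Constructed ID payload carrying the documentation address 192.0.2.1."""
    addr = bytes([192, 0, 2, 1])
    return struct.pack("!BBHBBH4s", 0, 0, 12, ID_IPV4_ADDR, protocol, port, addr)


if __name__ == "__main__":
    for proto, port in ((0, 0), (17, 500), (17, 0)):
        sample = build_sample(proto, port)
        print(proto, port, check_phase1_id(sample),
              check_phase1_id(sample, tolerate_any_port=True))
```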