Greg Scott wrote: > lots of dumps. It looks like you are doing NAT of the icmp, so by the time it gets to the output the source IP does not match the encryption policy. You will need to explicitly exclude that traffic from your NAT rules. This is yet another place where netkey makes it a bit harder to do that klips. Cameron.