Hm, I remember some reasons down in the deep, distant past as to why ipsec implementations moved away from tunnel mode == tunnel interfaces. When I was being a network engineer during the day, I constantly hated having to implement tunnels using traffic maps rather than actual interfaces. Chances are bz@ would know. I suggest asking him. Adrian