Hi Brian,

VTI devices won't change anything. You can't use transport mode with any IPs other than those of the endpoints (i.e. it doesn't work with virtual IPs or arbitrary subnets - you have to use tunnel mode for that). [1] might help to explain these modes to you.

Regards,
Tobias

[1] http://www.unixwiz.net/techtips/iguide-ipsec.html