On Fri, 2013-01-25 at 15:56 +0100, Garry wrote: > crypto ipsec transform-set L2L ah-sha-hmac esp-aes 256 esp-sha-hmac I seem to remember needing "mode transport" on the transform-set to enable NAT traversal. -- Peter