I think your confusing SPI with a "CBAC" technology. AN spi is a uni-directional IPSEC peer transform set hash (agreement on what your using with your IPSEC PEER).
An SPI is made in each direction to each peer. The Access-list permits flag traffic (matched by the router) as "permitted for IPSEC". The access-list being referenced in the "Crypto map" will make sure the permits get applied ipsec and sent to the peer. I think reading this simple page will clear any misconceptions or questions you may have about IPSEC/MANUAL (NO IKE). http://www.cisco.com/warp/public/707/manual.shtml And by the way, IKE is really a CONVENIENCE protocol, which was made popular by adding autonegotiation for IPSEC PHASE 1 and added some great security features like key management and secure key exchange (SKEME/OAKLEY). Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=57681&t=57448 -------------------------------------------------- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]