Perhaps to combat this, unless I'm missing something, one could justifiably deploy GRE filters with source & destination addresses of the exchange subnets. Filtering GRE in general seems nothing more than foolish. -danny [snip] (we certainly allow GRE packets and expect everyone else does, too) > This could kill IP-GRE VPNs indiscriminately.