Ahhh yes, I almost forgot. In some modes of operation, we do not allow split tunneling. This is only when using an IPsec tunnel that actually extends the network out to the end user, i.e., from a network perspective they appear to be on the physical network with an IP addy used in our Govt. DHCP pool.