hi trevor, well, if you're controlling whats going over the vpn then there are several options: i've been playing with racoon lately (well longer then with freeswan) so i'm not so sure with ipsec, but ... it appears that the meta-data ( i.e. packet marking) is perserved on packets that have not yet been encrypted but are going to be. as a general strategy, i would mark packets with different marks depending on what the payload is -- maybe something like 0x1 for voice, 0x2 for smtp, etc. then use these marks on the public interface to egress them towards the internet in the highest priority. mark the inbound packets coming off the internet (once they've been decrypted) and place them in highest priority (depending on their type) this wouldn't be too bad -- in fact it's about all you can do. Alternatively, and with more complexity, open up several tunnels with different spi's -- pass traffic into tunnel by type -- this would allow you to know what an encrypted packet was carrying without having to decrypt it. cool, but i'm not sure that it would help much. anyone else done this??? tcng files are great (hint :-) cheers charles _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/