Hi Glenn,

I'm curious why you would need to run secedit for L2TP/IPSec gateway to gateway links. Once the certificates are installed, that's it. I can see it if you want to force machines to get a certificate immediately if you have configured AD for autoenrollment for machine certificates, but that only needs to be done once. The demand dial interface on the calling router should just fire up as soon as someone triggers it.

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

-----Original Message-----
From: Glenn Maks [mailto:gmaks@xxxxxxxxx]
Sent: Thursday, September 18, 2003 1:55 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: L2TP Tunnels with Certificates

http://www.ISAserver.org

Hi Tom,

Thank you for responding. Yes, you are correct on the calling and persistent part, but what I am trying to figure out is why I have to run the secedit command each and every time the RRAS and IPSEC Policy Agent services are bounced. I have to run this command "secedit refreshpolicy machine_policy /enforce" on the downstream ISA server. I discovered this secedit utility dealing with Microsoft support when I first started to dabble in L2TP Tunnels with Certificates. You can set everything right when building the L2TP Tunnels complete with Certificates, but it will not connect unless you run the above secedit command I provided in this email ... Any clues?

Thank you, Tom
G.