Hi Stefaan,

It can be done but not through the GUI ;-) The key is the netsh command (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/c3ae0d03-f18f-40ac-ad33-c0d443d5ed90.mspx).

Here is an example. In my lab I have an ISA server with a S2S VPN network called "RemoteSite#44". Use the command 'netsh ipsec dynamic show qmpolicy all' to find the QM Policy belonging to this S2S VPN connection. The result was:

--- Begin ---
C:\>netsh ipsec dynamic show qmpolicy all

QM Negotiation Policy Name : L2TP Optional Encryption Quick Mode Policy

Security Methods           Lifetime (Kb:secs)     PFS DH Group
-------------------------  ---------------------  ------------
ESP[3DES,MD5]              250000:3600            <Unassigned>
ESP[3DES,SHA1]             250000:3600            <Unassigned>
AH[SHA1]+ ESP[3DES,NONE]   250000:3600            <Unassigned>
AH[MD5] + ESP[3DES,NONE]   250000:3600            <Unassigned>
AH[SHA1]+ ESP[3DES,SHA1]   250000:3600            <Unassigned>
AH[MD5] + ESP[3DES,MD5]    250000:3600            <Unassigned>
ESP[ DES,MD5]              250000:3600            <Unassigned>
ESP[ DES,SHA1]             250000:3600            <Unassigned>
AH[SHA1]+ ESP[ DES,NONE]   250000:3600            <Unassigned>
AH[MD5] + ESP[ DES,NONE]   250000:3600            <Unassigned>
AH[SHA1]+ ESP[ DES,SHA1]   250000:3600            <Unassigned>
AH[MD5] + ESP[ DES,MD5]    250000:3600            <Unassigned>
ESP[NONE,SHA1]             250000:3600            <Unassigned>
ESP[NONE,MD5]              250000:3600            <Unassigned>
AH[SHA1]                   250000:3600            <Unassigned>
AH[MD5]                    250000:3600            <Unassigned>

QM Negotiation Policy Name : ISA Server RemoteSite#44 QM Policy

Security Methods           Lifetime (Kb:secs)     PFS DH Group
-------------------------  ---------------------  ------------
ESP[3DES,SHA1]             0:3600                 Medium (2)
--- End ---

To change the encryption algorithm to Null, use the command:

netsh ipsec dynamic set qmpolicy name="ISA Server RemoteSite#44 QM Policy" qmsecmethods=ESP[None,SHA1]

To verify the change, use the command:

netsh ipsec dynamic show qmpolicy name="ISA Server RemoteSite#44 QM Policy"

The result should be:

--- Begin ---
QM Negotiation Policy Name : ISA Server RemoteSite#44 QM Policy

Security Methods           Lifetime (Kb:secs)     PFS DH Group
-------------------------  ---------------------  ------------
ESP[NONE,SHA1]             0:0                    Medium (2)
--- End ---

I tried it and was able to look inside the IPSec tunnel with the Network Monitor tool :-)))

HTH,
Stefaan
MVP ISA Server
http://www.isaserver.org/Stefaan_Pouseele/

-----Original Message-----
From: Stefaan Pouseele [mailto:Stefaan.Pouseele@xxxxxxx]
Sent: Monday 26 December 2005 13:36
To: [ISAserver.org Discussion List]
Subject: [isalist] How to enable ESP Null Encryption on ISA 2004

http://www.ISAserver.org

Hi,

In many documents on http://www.microsoft.com/isaserver/techinfo/guidance/2004/vpn.mspx I read:

--- Begin ---
Network Captures of IPSec in Tunnel Mode:

This section briefly describes how IPSec works in tunnel mode. For a diagram of the network topology, see Figure 4 later in this document. In this example, traffic is transmitted from the client on the Astaro Security Linux system Internal network, traverses the IPSec tunnel mode policy, and is then received on the ISA Server network.

When using Encapsulating Security Payload (ESP), traffic is typically encrypted using Data Encryption Standard (DES) or Triple DES (3DES) and authenticated with SHA1 or MD5. However, you can specify to use Null (no) Encryption so that the packets can be seen. An IPSec tunnel mode policy with Encryption is configured initially, and then Null Encryption is specified, so that the packet structure with ESP can be seen as it traverses the network.
--- End ---

It would indeed be very nice if we could enable Null Encryption in order to see what is happening inside the IPSec tunnel. However, I never found a document explaining how to do that on ISA 2004 when configuring a site-to-site VPN connection.

Does anybody have any clue how to enable that?

Thanks,
Stefaan
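
Added example, not part of the e-mail thread: a tunnel left on ESP[NONE,...] after a capture session carries its payload in cleartext, so this Python script parses saved output of 'netsh ipsec dynamic show qmpolicy all' and lists every quick mode offer that lacks strong encryption. The sample text is constructed in the layout shown in the thread; the function name and the decision to also flag single DES and AH-only offers are assumptions of this example.

```python
import re

# Constructed sample in the layout of 'netsh ipsec dynamic show qmpolicy all'.
SAMPLE = """\
QM Negotiation Policy Name : L2TP Optional Encryption Quick Mode Policy

Security Methods           Lifetime (Kb:secs)     PFS DH Group
-------------------------  ---------------------  ------------
ESP[3DES,SHA1]             250000:3600            <Unassigned>
AH[MD5] + ESP[ DES,NONE]   250000:3600            <Unassigned>
ESP[NONE,SHA1]             250000:3600            <Unassigned>
AH[SHA1]                   250000:3600            <Unassigned>

QM Negotiation Policy Name : ISA Server RemoteSite#44 QM Policy

Security Methods           Lifetime (Kb:secs)     PFS DH Group
-------------------------  ---------------------  ------------
ESP[NONE,SHA1]             0:0                    Medium (2)
"""

POLICY = re.compile(r"^QM Negotiation Policy Name\s*:\s*(.+)$")
# A method row: AH[...] and/or ESP[...] followed by the Kb:secs lifetime column.
ROW = re.compile(r"^(?P<method>(?:AH|ESP)\[.*\])\s+\d+:\d+\b")
ESP_ENC = re.compile(r"ESP\[\s*(\w+)\s*,")  # first ESP field is the cipher

def audit_qm_policies(text):
    """Return (policy, method, reason) for each offer without strong encryption."""
    findings, policy = [], None
    for raw in text.splitlines():
        line = raw.strip()
        name = POLICY.match(line)
        if name:
            policy = name.group(1)
            continue
        row = ROW.match(line)
        if not row or policy is None:
            continue  # header, separator or blank line
        enc = ESP_ENC.search(row.group("method"))
        if enc is None:
            reason = "AH only: integrity without encryption"
        elif enc.group(1).upper() == "NONE":
            reason = "ESP null encryption: payload travels in cleartext"
        elif enc.group(1).upper() == "DES":
            reason = "single DES: weak cipher"
        else:
            continue  # 3DES or another real cipher
        findings.append((policy, row.group("method"), reason))
    return findings
```

Run audit_qm_policies() over the saved command output after troubleshooting; an empty list means no policy still offers null, DES or AH-only protection.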