My next project is to set up a tunnel from a manager's home office to the corporate office. As we need to keep that corporate network very secure, I have to keep things locked down pretty tight at the manager's home office. He will have a dedicated computer needing access only to the file server, database server and one SSL-secured website. I will be locking that machine down from the BIOS on up.

My question is (because I have never done this): can I just set up the 54 inside his (personal) home router and tunnel out through it? I figure it should work as long as I forward port 500 and set IPsec passthrough on his personal router. Am I wrong? Are there any other concerns I should be exploring?

Locking the machine down won't be a problem, but I don't trust anyone using a router connected to the corporate environment via tunnel as their personal network. This way I can lock down the 54 and tunnel all traffic safely through his personal network. Who knows what he might be doing on his personal network. And yes, I know I could restrict the tunnel access to one IP, but without some assurance like 802.1x it's still too risky. I usually lock employees out of cmd and network settings and use an obscure 30-bit subnet scheme to reduce their ability to just plug another machine in and guess the settings. Not perfect, but it keeps normal users at bay.