Firstly, presumably when specifying networks in an access-list to be encrypted using IPsec you can specify specific ports as well, i.e. just encrypt 10.x.x.x with port 25, say, and deny all other ports/nets. Is this the case?
Also, presumably it's better to have your networks summarised across the VPN link, for less overhead on the devices doing the encryption, i.e. fewer SAs?
Thirdly and lastly, I would imagine that it's a complete no-no to simply allow any network across the link?
Thanks for your patience.
Mark