we have a Cisco 3745 as our VPN end point. customer end points vary between cisco, linksys, sonicwall, watchguards, etc.
we have a customer who can not define interesting traffic in a host specific form, thus they have to open the whole subnet up. in this case, the subnet is 10.1.1.0 /24 (customer A). this is not a problem, except for the fact that a new customer (customer B) recently added also has this limitation - AND also uses the same 10.1.1.0 address range. (they do, however, use different IP addresses for their particular hosts but must open the entire range)
when the tunnel is brought up, it goes into a QM_IDLE state (Phase 1 works), but when I do a "sh crypto ipsec sa peer" on the customer A peer IP, the first entry shows the "current peer" field is the customer B peer, but the "remote crypto endpoint" shows the customer A IP.
in the config, the crypto map config for customer A is a lower number than customer B, so it appears first. we tried placing host specific deny statements into the customer A ACL, but that did not work.
when we move customer B over to another peer on our network that we use for debugging, it comes up fine. presumably because the customer A config is not present on this second peer.
what can be done to stop this conflict between VPN peers ? i don't believe changing address schemes is a viable option for either customer.
if it will help i can post output from "show crypto ipsec sa peer" command.
any help/suggestions at all will be very appreciated !