Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

LAN-to-LAN VPN w/ Multiple Dynamic IP Remote Routers

I have multiple sites with Cisco 877 routers. These sites are all issued dynamic IP addresses from their ISP's.

In my scenario all sites will have their own unique:

a) Private IP network (

b) Unique isakmp key

I configured one:

crypto isakmp key (uniquekey) address

crypto dynamic-map (name) 90

set transform-set (name)

match address 109

crypto map (name) 90 ipsec-isakmp dynamic (name)

This works great until I try to add a 2nd configuration using a different isakmp key and crypto map.

To problems:

1) I am unable to configure any additional unique isakmp keys for additional sites. When I try to configuration another key for dynamic I get an error that a key for already exists. I understand this but how do I get around it?

2) I am also unable to configure additional crypto maps. When I add another crypto map specifying dynamic it does not show up.

I currently have 8 static remote sites configured. Have not had any problems for 2 years. I am just now having to deal with sites using dynamic IP's and want to be able to create each site as a unique key and map entity with the ability to use dynamic IP's.

I have attached a very simple diagram showing my network relationship.

2691v at main office (12.3(1a))

877's at remote offices (12.3(14)-YT1)

Any help, suggestions or configuration examples would be appreciated.


Danny Mc?


Re: LAN-to-LAN VPN w/ Multiple Dynamic IP Remote Routers


Have you tried adding the new locations onto the existing dynamic group ?

Becoz i think you wont be able to create another dynamic map since you have got one already in place out there serving your mobile/dynamic users.

if you want them to be treated as a seperate entity with seperate key and transform set then the only way out would be going for static ips at the remote location by doing like that you have the freedom of creating seperate statement numbers under the same crypto map in the main office with respect to different remote locations.