There are many ways to apply Cisco IPsec, as well as new VPNs in Cisco that are not-quite-IPsec. Most of the ways to apply Cisco IPsec are not there for any good reason, but are just false starts they later regretted but had to retain so that people could upgrade IOS without touching their configs. If you ever have to dig into this, here is my cheatsheet to avoid the old stuff:

* to support road warriors with VPN Dialer
  + use the syntax involving 'crypto ipsec profile' and 'interface Virtual-Template2 type tunnel'. Do not use the one involving 'crypto map' and 'crypto dynamic-map'.

* for site-to-site VPNs
  + use GRE tunnels, NHRP, and OSPF, and 'crypto ipsec profile'. Do not use 'crypto map' or 'crypto dynamic-map'. Use GRE to do the tunneling, not IPsec tunnel mode.
  + only the hub should have a static IP. Many of the examples have static IPs on both ends, but this is dumb. Even if the client has a static IP, configure the router as if it were dynamic. For example, with GRE tunnels you can use NHRP without using the DMVPN mesh feature; NHRP can allow dynamic IP addresses at remote offices.

* for both kinds
  + just use IOS. Don't fuck around with PIX unless there is extreme cost pressure to do so.
  + use certificates on both ends.
  + you make your own certs with openssl. You do not buy certs for IPsec, ever.
  + establish the identity of each end with the certificate, never with FQDN or IP address. For site-to-site, the certificates provide the security, authenticating the endpoints. For road warriors, the server certificate provides security, but the client certificate probably won't be a source of security because you'll use passwords. Put the same cert with the same private key on all the road warriors; it just establishes a namespace for usernames/passwords. It's only for identity. Do not fuck around with mutual group authentication or any of that crap with no cert, or with a cert on one end only. The IKE standard was never sane except with certs naming the endpoints.

        crypto isakmp aggressive-mode disable

  + always test for MTU blackholes by using 'ping' with the DF bit set. You should always get either an echo reply or an unreachable.
  + consider using fVRF and iVRF. It's easy with the new syntax and might make things simpler.
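The site-to-site items above (GRE plus NHRP plus OSPF, 'crypto ipsec profile' rather than crypto maps, certificate identity, a static IP on the hub only, aggressive mode disabled) pulled together into one hub-and-spoke configuration. This is an added example, not configuration from the original post: all names (VPN-CA, S2S-PROF, S2S-IPSEC, Tunnel0, interface names), the 203.0.113.1 hub address and the 10.x.x.x prefixes are constructed assumptions, and the CA and router certificates are produced off-box with openssl (not shown) and only imported through the trustpoint.

```cisco
! ===== HUB (the only end with a static public IP; 203.0.113.1 is a constructed example) =====
!
! Identity is the certificate. The openssl-made CA cert and the router cert are pasted
! in at exec time with 'crypto pki authenticate VPN-CA' / 'crypto pki enroll VPN-CA'.
crypto pki trustpoint VPN-CA
 enrollment terminal pem
 subject-name CN=hub.example.net,OU=routers
 revocation-check none
 rsakeypair VPN-KEY
!
! Only a peer whose certificate subject carries OU=routers may use the S2S profile.
crypto pki certificate map ROUTERS 10
 subject-name co ou = routers
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp aggressive-mode disable
crypto isakmp profile S2S-PROF
 ca trust-point VPN-CA
 match certificate ROUTERS
!
! Transport mode: GRE does the tunneling, IPsec only protects the GRE packets.
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile S2S-IPSEC
 set transform-set S2S-TS
 set isakmp-profile S2S-PROF
!
! Multipoint GRE: no spoke addresses are configured here, spokes register via NHRP.
interface Tunnel0
 description hub mGRE; spoke public IPs learned dynamically through NHRP
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ip ospf network point-to-multipoint
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile S2S-IPSEC
!
router ospf 1
 network 10.255.0.0 0.0.0.255 area 0
 network 10.1.0.0 0.0.0.255 area 0
!
! ===== SPOKE (dynamic public address; same PKI, isakmp and ipsec blocks as the hub,
!       with its own subject-name CN=branch1.example.net,OU=routers) =====
!
! Plain point-to-point GRE to the hub; NHRP registers whatever address Dialer0 has now.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp registration no-unique
 ip ospf network point-to-multipoint
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile S2S-IPSEC
!
router ospf 1
 network 10.255.0.0 0.0.0.255 area 0
 network 10.2.0.0 0.0.0.255 area 0
```

The hub never names a spoke by IP: the certificate map decides who may bring up a tunnel, and NHRP tells the hub where that spoke currently is. 'ip nhrp registration no-unique' lets a spoke re-register after its provider hands it a new address, which is the case the "configure the router as if it were dynamic" item is guarding against.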
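The road-warrior item above, worked through as an Easy VPN server on a virtual template (the 'crypto ipsec profile' plus 'interface Virtual-Template2 type tunnel' syntax, no crypto map or dynamic-map). This is an added example, not configuration from the original post. It assumes a trustpoint named VPN-CA already holds the openssl-made CA and server certificate, and that every client carries the same certificate with OU=roadwarriors, which only selects the group; the password checked by Xauth is what actually authenticates the user. All names, the pool, the DNS address and the credentials are constructed assumptions.

```cisco
aaa new-model
aaa authentication login RW-XAUTH local
aaa authorization network RW-GROUPS local
! Constructed placeholder user; in practice the list lives on RADIUS/TACACS+.
username alice secret PLACEHOLDER-PASSWORD
!
ip local pool RW-POOL 10.20.0.10 10.20.0.250
!
! Group name == OU of the shared client certificate. The cert contributes nothing
! beyond picking this group; it is a namespace for the usernames, not a credential.
crypto isakmp client configuration group roadwarriors
 pool RW-POOL
 dns 10.1.0.53
!
crypto isakmp policy 20
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto isakmp aggressive-mode disable
!
crypto isakmp profile RW-PROF
 ca trust-point VPN-CA
 match identity group roadwarriors
 client authentication list RW-XAUTH
 isakmp authorization list RW-GROUPS
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set RW-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile RW-IPSEC
 set transform-set RW-TS
 set isakmp-profile RW-PROF
!
! One Virtual-Access interface is cloned from this template per connected client,
! so each client gets its own routable interface instead of a crypto-map ACL entry.
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RW-IPSEC
```

Because the server is authenticated by its certificate and the user by Xauth, the one shared client certificate can be identical on every laptop without weakening anything, exactly as the item describes; what it must not be is the only thing standing between an outsider and a session.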
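The MTU blackhole test from the last items, as typed at the IOS exec prompt. This is an added example, not part of the original post; it assumes a tunnel configured with 'ip mtu 1400' and an arbitrary host 10.1.0.10 behind the far end (both constructed).

```cisco
! Exec mode, from one tunnel endpoint towards a host behind the other.
! 1400 bytes fits the tunnel's 'ip mtu 1400'; 1500 bytes cannot, and must be
! refused loudly rather than dropped silently.
ping 10.1.0.10 size 1400 df-bit repeat 5
ping 10.1.0.10 size 1500 df-bit repeat 5
!
! Reading the per-probe markers IOS prints:
!   !   echo reply            -> that size traverses the path; fine
!   M   could not fragment    -> an ICMP unreachable came back; PMTUD works, not a blackhole
!   .   timeout               -> only timeouts for the large size is the blackhole:
!                                some hop drops the packet without sending the unreachable.
!                                Find that hop, or lower 'ip mtu' / 'ip tcp adjust-mss' on
!                                the tunnel until every probe returns '!' or 'M'.
```

Run it in both directions; a blackhole is frequently asymmetric, and the acceptable outcome on every path is the one the item states: either a reply or an unreachable, never silence.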