c2921 interface apply crypto map

Chin Chang
Level 1

Hello, please refer to my image. My questions are these:
1.
The crypto map solution, does it work with 2 nodes only?
In my environment, packets from R1 to R2 are encrypted, but I need R1 to R3 encrypted also. So I want to understand: does this crypto map setting work with 2 nodes only? Or what config can I adjust?
2.
In the crypto map solution, packets from R1 to R2 need to be encrypted, and packets from R1 to R4 do not need to be encrypted.
Can it do that? Or is crypto map not the correct solution in this environment?

ChinChang_0-1719372554956.png


13 Replies

balaji.bandi
Hall of Fame

You need to configure a Hub and Spoke model.

Check the example configuration below:

https://www.techtutsonline.com/multiple-site-to-site-vpn-tunnels-on-one-cisco-router/#Configuration_of_VPN_Between_R1_and_R2

If you are looking for spoke to spoke, then you need to look at a DMVPN or GetVPN solution (you can google it and get N number of examples).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi BB,
Thanks for your info, but I'm following your external link, and it still failed.
And my 「show crypto isakmp sa」 seems to be working.
Maybe I will try the DMVPN solution.

but I'm following your external link, and it still failed.

Not sure I get this - can you give more clarity?

Maybe I will try the DMVPN solution.

Sure, that will be the way to move forward: hub and spoke, and spoke to spoke.

BB


M02@rt37
VIP

Hello @Chin Chang

Check here: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/14133-ios-hub-spoke.html

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37,
Thank you for your support, but I still failed. I have referred to the Cisco doc, and I have the same config.
In my test, the router dr_whoovie has a crypto session with sam-I-am, but no crypto session with thidwick.
And then, after a sam-I-am interface shutdown / no shutdown, dr_whoovie has a session with thidwick, but no crypto session with sam-I-am.
So in my test environment, the crypto session seems to work on the first 2 nodes, and not on the third node. And point to point only, not multipoint.

Notes

1- You use a hub, not a SW, to connect the four routers

2- You test by pinging the router itself, and this is not the way to test IPsec

3- Is there no config of an ACL used in IPsec?

MHM

Hi MHM,
1- You use a hub, not a SW, to connect the four routers
>>Thanks for your reminder. I have replaced it with a c2960 switch; the other config and the environment are the same. Still failed.

2- You test by pinging the router itself, and this is not the way to test IPsec
>>My ping is from the R1 interface to the R2 interface. Should I add PC nodes behind the routers and ping from PC1 to PC2? Maybe I will try it.

3- Is there no config of an ACL used in IPsec?
>>My IPsec has an ACL config, but it is permit ip any any.
The reason is that the ACL command is required; it cannot be empty.

Do the below.
Note:
1- LO means Loopback
2- Ping from LO to LO (use source in ping) to test IPsec
3- Spokes have a default route toward R4
4- Hub has a static route for each LO connected to a Spoke

MHM

hub and spoke.png
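Added example, not from this thread or from any of the posters: a hub-side IOS configuration that applies MHM's four notes with one crypto map entry per spoke and a specific crypto ACL for each entry, instead of the single permit ip any any ACL mentioned earlier. Router names, addresses, the interface and the pre-shared key are assumptions.

```cisco
! Added example, not from this thread: hub crypto map with one entry per spoke.
! Names, addresses and the pre-shared key are constructed; the design follows
! MHM's four notes above (LO-to-LO test, spoke default route, hub static routes).
! Assumed: hub WAN 192.0.2.4 and Lo0 10.4.4.4; spoke R1 WAN 192.0.2.1, Lo0 10.1.1.1;
!          spoke R2 WAN 192.0.2.2, Lo0 10.2.2.2.
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
crypto isakmp key EXAMPLE-PSK address 192.0.2.2
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! One crypto ACL per spoke. IOS walks the map entries in sequence order and the
! first ACL match chooses the entry and its peer, so two entries that both use
! "permit ip any any" can only ever select the lowest sequence number, which is
! consistent with the "first two nodes only" symptom described in the thread.
ip access-list extended CRYPTO-TO-R1
 permit ip host 10.4.4.4 host 10.1.1.1
ip access-list extended CRYPTO-TO-R2
 permit ip host 10.4.4.4 host 10.2.2.2
!
crypto map HUBMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address CRYPTO-TO-R1
crypto map HUBMAP 20 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address CRYPTO-TO-R2
!
interface GigabitEthernet0/0
 ip address 192.0.2.4 255.255.255.0
 crypto map HUBMAP
!
! Note 4: one static route per spoke loopback (spokes carry a default route to the hub).
ip route 10.1.1.1 255.255.255.255 192.0.2.1
ip route 10.2.2.2 255.255.255.255 192.0.2.2
!
! Note 2: test from Lo0 to Lo0, then confirm one ISAKMP SA per spoke.
! ping 10.1.1.1 source Loopback0
! ping 10.2.2.2 source Loopback0
! show crypto isakmp sa
! show crypto ipsec sa
! Traffic matching no crypto ACL (a fourth router, for example) leaves in clear text.
```

Each spoke needs the mirror image: its own single map entry with the hub as peer and an ACL from its Lo0 to the hub Lo0. Traffic that matches no crypto ACL is forwarded unencrypted, which is the behaviour asked about in question 2.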

Thank you for your help, still failed.
Currently, we plan to use DMVPN and give up on crypto map.

To be honest I prefer using DMVPN for hub and spoke, even if I am sure the crypto map I shared works.

But using legacy crypto map in the presence of DMVPN is a bad idea.

MHM

If I have time I will share the lab, maybe tomorrow.

MHM

Hi MHM,
Thank you so much for your support.
I'm familiar with DMVPN; if I meet trouble, I will post in the community, thanks!

You are so welcome

MHM
