DMVPN and Site to Site VPN one router

John Dolan
Level 1

I'm looking to configure a DMVPN spoke with a Site to Site VPN connection to a different destination than the DMVPN. I'm using a Cisco 2800 router. When I add the crypto map to the outside interface for the Site to Site VPN, the DMVPN drops. Is there something I could be missing? The Tunnel interface for the DMVPN has the shared option applied to the tunnel protection ipsec profile.

6 Replies

Marcin Latosiewicz
Cisco Employee

Can you share the config? Suggestion: if the other peer is also Cisco, go for an SVTI solution instead of crypto maps.

The "shared" option is needed if you share the same tunnel source among multiple tunnel interfaces (DMVPN clouds).

Marcin

The other end is not Cisco. I think it is Nortel, but it is a vendor location. I can't post the config at this time.

It's hard for me to say what went wrong without further info :-(

But there should be no problem having both DMVPN and a crypto map based L2L on the same box.

Marcin

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp key 1234567867894823462346! address 5.5.5.202
crypto isakmp key 1234567867894823462346! address 5.5.5.203
crypto isakmp key 1234567867894823462346! address 5.5.5.115
crypto isakmp key 1q2w3e4r5t6y address 4.3.2.1
crypto isakmp key 1234567867894823462346! address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 5
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set abcaes esp-aes 192 esp-sha-hmac
 mode transport
crypto ipsec transform-set abc esp-3des esp-sha-hmac
!
crypto map abc 20 ipsec-isakmp
 set peer 4.3.2.1
 set transform-set abc
 match address RBC-VPN-ACL
!
crypto ipsec profile ABC-DMVPN
 set transform-set seiaes
!
interface Tunnel0
 ip address 10.2.2.9 255.255.252.0
 no ip redirects
 ip mtu 1300
 ip hold-time eigrp 100 35
 ip nat inside
 ip nhrp authentication 123456789
 ip nhrp map multicast 5.5.5.203
 ip nhrp map 10.2.2.2 5.5.5.203
 ip nhrp map multicast 5.5.5.202
 ip nhrp map 10.2.2.1 5.5.5.202
 ip nhrp map 10.2.2.3 5.5.5.115
 ip nhrp map multicast 5.5.5.115
 ip nhrp network-id 19283746
 ip nhrp holdtime 300
 ip nhrp nhs 10.2.2.2
 ip nhrp nhs 10.2.2.1
 ip nhrp nhs 10.2.2.3
 ip nhrp cache non-authoritative
 ip nhrp shortcut
 ip nhrp redirect
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 delay 1000
 qos pre-classify
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 tunnel key 194561
 tunnel protection ipsec profile ABC-DMVPN shared
!
interface FastEthernet0/1
 description OUTSIDE
 ip address 1.2.3.4 255.255.255.248
 ip access-group OUTSIDE-ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip inspect SEIFW out
 ip virtual-reassembly
 speed 100
 full-duplex
 crypto map abc
!
ip route 9.8.7.6 255.255.255.0 fa0/1
ip nat pool RBC-POOL 1.2.3.5 1.2.3.5 netmask 255.255.255.0
ip nat inside source route-map RBCNAT pool RBC-POOL overload
!
ip access-list extended RBC-VPN-ACL
 permit ip host 1.2.3.5 9.8.7.6 0.0.0.255
ip access-list extended RBC-NAT-ACL
 permit ip any 9.8.7.6 0.0.0.255
ip access-list extended OUTSIDE-ACL
 permit esp any any
 permit udp any any eq isakmp
 permit gre any any
 permit udp any any eq non500-isakmp
 permit udp host 4.3.2.1 host 1.2.3.4 eq isakmp
 permit esp host 4.3.2.1 host 1.2.3.4
 permit udp host 4.3.2.1 host 1.2.3.4 eq non500-isakmp
 permit ip 9.8.7.6 0.0.0.255 host 1.2.3.5
 deny ip any any
!
route-map RBCNAT permit 20
 match ip address RBC-NAT-ACL

John,

Well, at a glance everything in the config looks OK (a few things are missing from your listing though; version and ipsec profile, to mention two).

What exactly breaks when you enable the crypto map? Are you not able to establish the IPsec tunnel, or not able to pass traffic?

Marcin
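The "at a glance" review above is the kind of check that can be done mechanically. The script below is an added example written for this thread, not code from Cisco or from either poster: a small static lint for the crypto portion of an IOS config. It parses the transform-sets, crypto map entries, IPsec profiles, ISAKMP keys, interfaces and ACLs, then reports references that point at objects the listing does not define, a wildcard pre-shared key (address 0.0.0.0 0.0.0.0) that any peer holding the key can use, tunnels that share one source without the "shared" keyword Marcin describes, and, as an informational item, a tunnel whose source interface also carries a crypto map (the layout in the original post). The embedded sample is a constructed, abbreviated copy of the posted listing with the sanitized addresses as posted; note that its IPsec profile names a transform-set (seiaes) that the listing never defines, which is exactly the kind of item the lint catches.

```python
"""Added example (not from the thread): static lint for the crypto part of a
Cisco IOS config. Flags dangling references (crypto maps / IPsec profiles that
name undefined transform-sets or ACLs), wildcard pre-shared keys, tunnels that
share a source without 'shared', and a tunnel source that also carries a crypto map."""
import re

# Constructed sample: an abbreviated copy of the config posted in the thread
# (sanitized addresses as posted), keeping only the lines the checks look at.
SAMPLE_CONFIG = """\
crypto isakmp key 1q2w3e4r5t6y address 4.3.2.1
crypto isakmp key 1234567867894823462346! address 0.0.0.0 0.0.0.0
crypto ipsec transform-set abcaes esp-aes 192 esp-sha-hmac
 mode transport
crypto ipsec transform-set abc esp-3des esp-sha-hmac
crypto map abc 20 ipsec-isakmp
 set transform-set abc
 match address RBC-VPN-ACL
crypto ipsec profile ABC-DMVPN
 set transform-set seiaes
interface Tunnel0
 tunnel source FastEthernet0/1
 tunnel protection ipsec profile ABC-DMVPN shared
interface FastEthernet0/1
 crypto map abc
ip access-list extended RBC-VPN-ACL
 permit ip host 1.2.3.5 9.8.7.6 0.0.0.255
"""
KEY_RE = re.compile(r"crypto isakmp key \S+ address (\S+)(?: (\S+))?$")
BLOCKS = {"map": "crypto_maps", "profile": "profiles", "interface": "interfaces"}


def parse_ios(text):
    """Collect crypto objects and interface bindings (sub-commands start with a space)."""
    cfg = {"transform_sets": set(), "acls": set(), "crypto_maps": {},
           "profiles": {}, "interfaces": {}, "psk_peers": []}
    section = None                       # (kind, name) of the open block
    for line in text.splitlines():
        w = line.split()
        if not w or line.startswith("!"):
            continue
        if not line.startswith(" "):     # a top-level command closes any block
            section = None
            m = KEY_RE.match(line)
            if line.startswith("crypto ipsec transform-set "):
                cfg["transform_sets"].add(w[3])
            elif line.startswith("ip access-list "):
                cfg["acls"].add(w[-1])
            elif m:                      # no mask given means a single host
                cfg["psk_peers"].append((m.group(1), m.group(2) or "255.255.255.255"))
            elif line.startswith("crypto map ") and len(w) > 3 and w[3].isdigit():
                section = ("map", (w[2], int(w[3])))
                cfg["crypto_maps"][section[1]] = {"transform_set": None, "acl": None}
            elif line.startswith("crypto ipsec profile "):
                section = ("profile", w[3])
                cfg["profiles"][w[3]] = {"transform_set": None}
            elif line.startswith("interface "):
                section = ("interface", w[1])
                cfg["interfaces"][w[1]] = {"crypto_map": None, "tunnel_source": None,
                                           "profile": None, "shared": False}
        elif section:
            kind, name = section
            obj, key = cfg[BLOCKS[kind]][name], " ".join(w[:2])
            if kind != "interface" and key == "set transform-set":
                obj["transform_set"] = w[2]
            elif kind == "map" and key == "match address":
                obj["acl"] = w[2]
            elif kind == "interface" and key == "crypto map":
                obj["crypto_map"] = w[2]
            elif kind == "interface" and key == "tunnel source":
                obj["tunnel_source"] = w[2]   # interface name as typed, no alias expansion
            elif kind == "interface" and w[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                obj.update(profile=w[4], shared="shared" in w[5:])
    return cfg


def lint(cfg):
    """Findings as 'LEVEL text': ERROR cannot work as written, WARN is risky, INFO is worth a look."""
    out, by_source = [], {}
    for (name, seq), e in sorted(cfg["crypto_maps"].items()):
        if e["transform_set"] and e["transform_set"] not in cfg["transform_sets"]:
            out.append(f"ERROR crypto map {name} {seq}: undefined transform-set {e['transform_set']}")
        if e["acl"] and e["acl"] not in cfg["acls"]:
            out.append(f"ERROR crypto map {name} {seq}: undefined ACL {e['acl']}")
    for name, p in sorted(cfg["profiles"].items()):
        if p["transform_set"] and p["transform_set"] not in cfg["transform_sets"]:
            out.append(f"ERROR ipsec profile {name}: undefined transform-set {p['transform_set']}")
    if ("0.0.0.0", "0.0.0.0") in cfg["psk_peers"]:
        out.append("WARN wildcard ISAKMP pre-shared key (address 0.0.0.0 0.0.0.0): "
                   "any peer holding that key can authenticate")
    for tname, t in sorted(cfg["interfaces"].items()):
        if not t["profile"] or not t["tunnel_source"]:
            continue
        by_source.setdefault(t["tunnel_source"], []).append(tname)
        src = cfg["interfaces"].get(t["tunnel_source"])
        if src and src["crypto_map"]:     # the layout from the thread: verify by hand
            out.append(f"INFO {tname}: tunnel source {t['tunnel_source']} also carries "
                       f"crypto map {src['crypto_map']} (tunnel protection "
                       f"{'with' if t['shared'] else 'without'} 'shared')")
    for src, tunnels in by_source.items():
        missing = [n for n in tunnels if not cfg["interfaces"][n]["shared"]]
        if len(tunnels) > 1 and missing:
            out.append(f"ERROR {', '.join(missing)}: {len(tunnels)} protected tunnels use "
                       f"source {src} but these lack the 'shared' keyword")
    return out


if __name__ == "__main__":
    print("\n".join(lint(parse_ios(SAMPLE_CONFIG))))
```

Run as-is it prints one ERROR (the undefined transform-set in the profile), one WARN (the wildcard key) and one INFO (Tunnel0 is sourced from FastEthernet0/1, which also has the crypto map applied). The INFO is deliberately not an error: Marcin's reply says the two can coexist, so the lint only points the admin at the place to look. The parser expects the tunnel source to be spelled the same way as the interface name, so abbreviated forms such as fa0/1 would need normalising before the check matches.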

John, did you ever solve this issue? I am experiencing the exact same problem and do not see a marked answer, so I was hoping you could explain how this ended for you.