Suppose we have 3 routers with some private networks behind each of them. The users inside these private networks need to interconnect to the other private networks at the other branch offices through site-to-site IPSec VPN tunnels. If we want to avoid a VTI-based solution and configure crypto maps on physical interfaces, how can we configure the routers? I managed to configure a light version of this scenario, in which one of the routers (e.g. R1) is a hub and the 2 others are spokes. On the hub router I created a dynamic crypto map with the "crypto isakmp key 0 cisco address 0.0.0.0" command, and on the other 2 routers I configured a normal crypto map (not dynamic) with the IP address of the hub, using the "crypto isakmp key 0 cisco address x.x.x.x" command. It worked well. But in that scenario, the branch offices need to pass through the hub router to reach each other if they want encryption. What if we need to interconnect all the branch offices directly to each other and apply encryption to the traffic? I labbed it up by using dynamic crypto maps on all 3 routers plus the "crypto isakmp key 0 cisco address 0.0.0.0" command on all of them, but I was not successful.
Why would you want to avoid a VTI-based solution? Also, what equipment do you have?
The quickest answer with the info you provide is to create a full mesh of IPSEC tunnels... that would obviously not scale well, but it will work.
Or maybe use GRE over IPSEC. Very simple, but it will also run into scaling issues soon.
I'm doing this for learning purposes, to understand all of the scenarios. So I don't want to use VTI, to see if I can make it run.
Secondly, why doesn't using the "crypto isakmp key 0 cisco address 0.0.0.0" command on both sides of a site-to-site VPN tunnel put the routers in trouble finding the other site's IP address (given that we are using 0.0.0.0 on both routers)?
Please send your phase 2 config as well (crypto map xxxx etc.).
So when you have interesting traffic to encrypt, the crypto map will have a peer address to which it will connect. Phase 1 (IKE) will start to connect to that peer, and on the other side the IP address 0.0.0.0 will match any peer, so the key will then match.
The problem will be if you have another IPSEC tunnel to that box with a different key...
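For reference, here is an added example (not posted by anyone in this thread) of the full-mesh approach from the first reply, written for R1 with a static crypto map carrying one sequence per peer and one pre-shared key per peer address instead of a single 0.0.0.0 wildcard key, which also sidesteps the "different key to the same box" problem mentioned above. Mirror it on R2 and R3 with the addresses swapped. All addresses, interface names, LAN prefixes and key strings are assumed for the example.

```cisco
! R1 -- assumed WAN 198.51.100.1 on Gi0/0, LAN 10.1.0.0/24
! Assumed peers: R2 = 203.0.113.2 (LAN 10.2.0.0/24), R3 = 192.0.2.3 (LAN 10.3.0.0/24)
! Routes to 10.2.0.0/24 and 10.3.0.0/24 must already point out Gi0/0 (e.g. a default route)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One key per peer address: each peer is matched explicitly, no wildcard needed
crypto isakmp key 0 R1R2-EXAMPLE-KEY address 203.0.113.2
crypto isakmp key 0 R1R3-EXAMPLE-KEY address 192.0.2.3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: one ACL per peer so each SA only carries that pair of LANs
ip access-list extended VPN-TO-R2
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended VPN-TO-R3
 permit ip 10.1.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
! Static crypto map: one sequence number per peer, a single map applied to the interface
crypto map MESH 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TO-R2
crypto map MESH 20 ipsec-isakmp
 set peer 192.0.2.3
 set transform-set TS
 match address VPN-TO-R3
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map MESH
!
! Verify after sending LAN-to-LAN traffic:
!   show crypto isakmp sa      (one QM_IDLE entry per peer)
!   show crypto ipsec sa       (encaps/decaps counters increasing per ACL)
```

On R2 the map needs sequences pointing at 198.51.100.1 and 192.0.2.3 with ACLs for 10.2.0.0/24 to 10.1.0.0/24 and 10.3.0.0/24, and R3 likewise, so that the ACLs on each pair of routers are exact mirrors of one another.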