I currently have a need to set just one tunnel on a two tunnel router based vpn setup to be responder-only. I see where that command must be made to a profile, but I'm struggling on how to convert my older map based two tunnel setup to a profile based setup with just one tunnel in responder-only mode.
Current scrubbed config:
crypto isakmp policy 10
encr aes 192
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 2
crypto isakmp key password12345 address 2.2.2.1
crypto isakmp key password54321 address 3.3.3.1
crypto ipsec transform-set tunnel-one-trans esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec transform-set tunnel-two-trans esp-aes 256 esp-sha-hmac
mode tunnel
crypto map VPNMAP 10 ipsec-isakmp
description to tunnel endpoint one
set peer 2.2.2.1
set transform-set tunnel-one-trans
set pfs group2
match address Tunnel-One-SA-List
crypto map VPNMAP 20 ipsec-isakmp
description to tunnel endpoint two
set peer 3.3.3.1
set transform-set tunnel-two-trans
set pfs group2
match address Tunnel-Two-SA-List
interface GigabitEthernet0/0/0.10
description my wan address
encapsulation dot1Q 10
ip address 4.4.4.1 255.255.255.254
ip nat outside
crypto map VPNMAP
ip nat pool INSIDE_USER_PAT 200.200.200.127 200.200.200.127 netmask 255.255.255.128
ip nat inside source static 10.0.0.1 200.200.200.2
ip nat inside source static 10.0.0.2 200.200.200.3
ip nat inside source list 1 pool INSIDE_USER_PAT overload
ip nat inside source list nat_nonat interface GigabitEthernet0/0/0.10 overload
ip access-list extended Tunnel-Two-SA-List
permit ip 200.200.200.0 0.0.0.127 10.100.0.0 0.0.0.255
ip access-list extended Tunnel-One-SA-List
permit ip 200.200.200.0 0.0.0.127 10.200.0.0 0.0.0.255
ip access-list extended nat_nonat
permit ip host 200.200.200.127 any